diff --git a/packages/tychon/LICENSE.txt b/packages/tychon/LICENSE.txt new file mode 100644 index 00000000000..809108b857f --- /dev/null +++ b/packages/tychon/LICENSE.txt 
@@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. 
+ +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. 
+ +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/tychon/_dev/build/docs/README.md b/packages/tychon/_dev/build/docs/README.md index 704661a1c1e..b730419d870 100644 --- a/packages/tychon/_dev/build/docs/README.md +++ b/packages/tychon/_dev/build/docs/README.md @@ -1,12 +1,13 @@ # TYCHON Agentless -[TYCHON Agentless](https://tychon.io/products/tychon-agentless/) is an integration that lets you collect TYCHON's gold source vulnerability and STIG data from endpoints without heavy resource use or software installation. You can then investigate the TYCHON data using Elastic's analytics, visualizations, and dashboards. [Contact us to learn more.](https://tychon.io/start-a-free-trial/) +[TYCHON Agentless](https://tychon.io/products/tychon-agentless/) is an integration that lets you collect TYCHON's gold source Master Endpoint Record data from endpoints, including vulnerability and STIG results, without heavy resource use or software installation. You can then investigate the TYCHON data using Elastic's analytics, visualizations, and dashboards. [Contact us to learn more.](https://tychon.io/start-a-free-trial/) ## Compatibility -* This integration supports Windows 10 and Windows 11 Endpoint Operating Systems. +* This integration supports Windows and RedHat/CENTOS Endpoint Operating Systems. * This integration requires a TYCHON Agentless license. * This integration requires [TYCHON Vulnerability Definition](https://support.tychon.io/) files. +* The Linux Endpoint requires RedHat's [OpenScap](https://www.open-scap.org/tools/openscap-base/) to be installed for STIG and CVE to report data. * This integration supports Elastic 8.8+. ## Returned Data Fields diff --git a/packages/tychon/changelog.yml b/packages/tychon/changelog.yml index 5607c4b9acc..88fabe2c0c2 100644 --- a/packages/tychon/changelog.yml +++ b/packages/tychon/changelog.yml 
@@ -1,4 +1,4 @@ -- version: 0.0.33 +- version: 0.0.51 changes: - description: Fixed incorrect types in field.yml and cleaned up formatting type: enhancement diff --git a/packages/tychon/data_stream/tychon_arp/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_arp/agent/stream/stream.yml.hbs index 4daf6354078..e39e88b253d 100644 --- a/packages/tychon/data_stream/tychon_arp/agent/stream/stream.yml.hbs +++ b/packages/tychon/data_stream/tychon_arp/agent/stream/stream.yml.hbs @@ -1,20 +1,20 @@ -paths: -{{#each paths as |path|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -json: - keys_under_root: true +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml index f87ae5a84fe..b3256bbccb0 100644 --- a/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml 
@@ -1,43 +1,51 @@ ---- -description: Pipeline for ARP -processors: - - dot_expander: - field: "*" - - set: - field: "@timestamp" - value: "{{_ingest.timestamp}}" - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: ecs.version - value: 8.8.0 - - set: - field: event.kind - value: state - - set: - field: event.module - value: tychon - - set: - field: event.category - value: arp - - split: - field: host.uptime - separator: "\\.+" - target_field: tempuptime - - set: - field: host.uptime - value: "{{tempuptime.0}}" - - remove: - field: tempuptime - - convert: - field: script.current_duration - type: float -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - \ No newline at end of file +--- +description: Pipeline for TYCHON ARP Tables +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: 8.8.0 + - set: + field: event.kind + value: state + - set: + field: event.module + value: tychon + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - set: + field: event.category + value: arp + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true + - convert: + field: script.current_duration + type: float + ignore_missing: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_arp/fields/agent.yml b/packages/tychon/data_stream/tychon_arp/fields/agent.yml index ec653c7199b..efacb477dd9 100644 
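Review bot: The `set` of `host.uptime` to `{{tempuptime.0}}` now carries `ignore_failure: true`, but when the preceding `split` on `host.uptime` fails because the field is absent (its failure is now swallowed too), `tempuptime` does not exist and the template appears to render as an empty string, so `host.uptime` is written as `""` instead of being left untouched. `ignore_failure` also hides separator/type errors that a narrower `ignore_missing` would surface through `on_failure`. Suggest `ignore_missing: true` on the split and `if: ctx.tempuptime != null` on the set so the field is only rewritten when the split produced a value. The same uptime sequence is introduced in the tychon_cpu, tychon_cve, tychon_epp and tychon_exposedservice pipeline hunks.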
--- a/packages/tychon/data_stream/tychon_arp/fields/agent.yml +++ b/packages/tychon/data_stream/tychon_arp/fields/agent.yml @@ -27,7 +27,7 @@ type: long - name: current_time description: Current datetime. - type: long + type: date - name: name description: Scanner Script Name. type: keyword diff --git a/packages/tychon/data_stream/tychon_arp/fields/fields.yml b/packages/tychon/data_stream/tychon_arp/fields/fields.yml index 6ee09956138..19998af0b2d 100644 --- a/packages/tychon/data_stream/tychon_arp/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_arp/fields/fields.yml @@ -1,8 +1,17 @@ -- name: destination.hostname - type: keyword -- name: destination.name - type: keyword -- name: network.interface - type: keyword -- name: network.state - type: keyword +- name: destination + type: group + fields: + - name: hostname + type: keyword + description: The Translated Hostname of the IP in the ARP Table + - name: name + type: keyword +- name: network + type: group + fields: + - name: interface + type: keyword + description: The interface the ARP Table has associated the destination. + - name: state + type: keyword + description: Current state \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_arp/manifest.yml b/packages/tychon/data_stream/tychon_arp/manifest.yml index fa52f659f98..4c387a8bacc 100644 --- a/packages/tychon/data_stream/tychon_arp/manifest.yml +++ b/packages/tychon/data_stream/tychon_arp/manifest.yml 
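Review bot: `current_time` changes from `long` to `date` without a `format`, so Elasticsearch's default `strict_date_optional_time||epoch_millis` applies; if the scanner still emits the numeric value the old `long` mapping implies and that number is epoch seconds, it will be parsed as milliseconds and land in January 1970. Confirm what the producer writes and, if it is epoch seconds, add `format: epoch_second` (or convert it in the pipeline). This is also a type change on an already-mapped field, so backing indices created before the upgrade keep `long` and queries spanning old and new indices may error until those age out. The same change is made in the tychon_cpu and tychon_cve `agent.yml` hunks.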
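Review bot: In the restructured `fields.yml`, `destination.name` is the only leaf without a `description`, and `network.state` is described only as `Current state`, which does not say whose state or what values appear. Add a description for `destination.name` stating what TYCHON places there, and expand the `network.state` text to say it is the ARP entry's state and name the values the table reports, if those are known. A reader of the exported field reference otherwise has no way to tell `destination.name` from `destination.hostname`.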
@@ -1,19 +1,20 @@ -title: Windows arp Info +title: Endpoint Arp Table Information type: logs streams: - input: logfile - title: Windows arp Info - description: Windows arp Info + title: Endpoint Arp Table Information + description: TYCHON will report on the entire ARP table from an endpoint. template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows arp Info + title: TYCHON Output Arp Location multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_arp_info.json + - /var/log/tychoncloud/eventlogs/tychon_arp_info.json - name: tags type: text title: Tags @@ -29,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cpu/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_cpu/agent/stream/stream.yml.hbs index 4daf6354078..e39e88b253d 100644 --- a/packages/tychon/data_stream/tychon_cpu/agent/stream/stream.yml.hbs +++ b/packages/tychon/data_stream/tychon_cpu/agent/stream/stream.yml.hbs 
@@ -1,20 +1,20 @@ -paths: -{{#each paths as |path|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -json: - keys_under_root: true +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml index 7d5b3350c57..110bf6e21e0 100644 --- a/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml 
@@ -1,43 +1,59 @@ ---- -description: Pipeline for CPU -processors: - - dot_expander: - field: "*" - - set: - field: "@timestamp" - value: "{{_ingest.timestamp}}" - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: ecs.version - value: 8.8.0 - - set: - field: event.kind - value: state - - set: - field: event.module - value: tychon - - set: - field: event.category - value: cpu - - split: - field: host.uptime - separator: "\\.+" - target_field: tempuptime - - set: - field: host.uptime - value: "{{tempuptime.0}}" - - remove: - field: tempuptime - - convert: - field: script.current_duration - type: float -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - \ No newline at end of file +--- +description: Pipeline for TYCHON CPU Information +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: 8.8.0 + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - set: + field: event.kind + value: state + - set: + field: event.module + value: tychon + - set: + field: event.category + value: cpu + - gsub: + field: host.cpu.speed + pattern: "[^0-9]" + replacement: "" + - gsub: + field: host.cpu.clockspeed + pattern: "[^0-9]" + replacement: "" + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true + - convert: + field: script.current_duration + type: float + ignore_missing: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file 
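Review bot: The two new `gsub` processors on `host.cpu.speed` and `host.cpu.clockspeed` are the only field-specific processors in this hunk without `ignore_missing: true`, so an event lacking either field fails the whole pipeline and is indexed as `pipeline_error` while every other optional field is tolerated. Add `ignore_missing: true` to both. Separately, `pattern: "[^0-9]"` also strips a decimal separator, so if the producer formats a speed like `2.4 GHz` (not visible here) the result is `24`; if the value can carry a fraction, keep the point with `pattern: "[^0-9.]"` and follow it with a `convert` to `float` so the magnitude is preserved.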
diff --git a/packages/tychon/data_stream/tychon_cpu/fields/agent.yml b/packages/tychon/data_stream/tychon_cpu/fields/agent.yml index ec653c7199b..efacb477dd9 100644 --- a/packages/tychon/data_stream/tychon_cpu/fields/agent.yml +++ b/packages/tychon/data_stream/tychon_cpu/fields/agent.yml @@ -27,7 +27,7 @@ type: long - name: current_time description: Current datetime. - type: long + type: date - name: name description: Scanner Script Name. type: keyword diff --git a/packages/tychon/data_stream/tychon_cpu/manifest.yml b/packages/tychon/data_stream/tychon_cpu/manifest.yml index 0cf790fa1c0..b4175c56c09 100644 --- a/packages/tychon/data_stream/tychon_cpu/manifest.yml +++ b/packages/tychon/data_stream/tychon_cpu/manifest.yml @@ -1,19 +1,20 @@ -title: Windows cpu Info +title: Endpoint CPU Info type: logs streams: - input: logfile - title: Windows cpu Info - description: Windows cpu Info + title: Endpoint CPU Info + description: Endpoint CPU Info template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows cpu Info + title: TYCHON Endpoint CPU Output Location multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_cpu_info.json + - /var/log/tychoncloud/eventlogs/tychon_cpu_info.json - name: tags type: text title: Tags @@ -29,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file 
diff --git a/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml index 12dae9b84df..16286a38e4d 100644 --- a/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml @@ -22,18 +22,23 @@ processors: - set: field: event.module value: tychon - - set: - field: host.uptime - value: "{{host.uptime}}" + - split: + field: host.ipv4 + separator: "," + ignore_missing: true - split: field: host.uptime separator: "\\.+" target_field: tempuptime + ignore_failure: true - set: field: host.uptime value: "{{tempuptime.0}}" + ignore_failure: true - remove: field: tempuptime + ignore_failure: true + ignore_missing: true - set: field: event.category value: vulnerability @@ -49,17 +54,18 @@ processors: - gsub: field: host.mac pattern: ":" - replacement: "-" + replacement: "-" - convert: field: script.current_duration type: float + ignore_missing: true - convert: field: vulnerability.score.base type: float - convert: field: vulnerability.year type: long - - set: + - set: field: vulnerability.scanner.vendor value: tychon - set: @@ -71,13 +77,19 @@ processors: - set: field: vulnerability.enumeration value: CVE - - set: - field: vulnerability.version - value: "{{vulnerability.version}}" + - date: + field: vulnerability.due_date + target_field: vulnerability.due_date + output_format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX + formats: + - strict_date_optional_time + - epoch_millis + - date + - "MM/dd/yyyy" on_failure: - set: field: event.kind value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/fields/agent.yml b/packages/tychon/data_stream/tychon_cve/fields/agent.yml index 9fd0c90e91c..45dccd05b24 100644 
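Review bot: The new `date` processor on `vulnerability.due_date` has no `ignore_failure` or `if` guard, so a document with no due date, or one whose value matches none of the listed formats, fails the entire pipeline and is indexed as `pipeline_error`; the processors added earlier in this file were all given `ignore_missing`/`ignore_failure`. Suggest `if: "ctx.vulnerability?.due_date != null"` on the processor so absent dates pass through. Also note that the `MM/dd/yyyy` branch carries no time zone and the processor defaults to UTC while `output_format` emits an offset; if the scanner writes local dates, set `timezone` explicitly.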
--- a/packages/tychon/data_stream/tychon_cve/fields/agent.yml +++ b/packages/tychon/data_stream/tychon_cve/fields/agent.yml @@ -27,7 +27,7 @@ type: long - name: current_time description: Current datetime. - type: long + type: date - name: name description: Scanner Script Name. type: keyword diff --git a/packages/tychon/data_stream/tychon_cve/fields/fields.yml b/packages/tychon/data_stream/tychon_cve/fields/fields.yml index 26b783e1349..925eab85d41 100644 --- a/packages/tychon/data_stream/tychon_cve/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_cve/fields/fields.yml @@ -7,6 +7,7 @@ - name: due_date description: Vulnerability Due Date. type: date + format: "strict_date_optional_time||epoch_millis||date||\"MM/dd/yyyy\"" - name: due_date_reason description: Vulnerability Due Date Reason type: keyword @@ -18,7 +19,7 @@ type: keyword - name: result description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. - type: keyword + type: keyword - name: title description: Common Vulnerabilities and Exposures Description and Title. type: keyword diff --git a/packages/tychon/data_stream/tychon_cve/manifest.yml b/packages/tychon/data_stream/tychon_cve/manifest.yml index 7afc8e18535..4c1d2258971 100644 --- a/packages/tychon/data_stream/tychon_cve/manifest.yml +++ b/packages/tychon/data_stream/tychon_cve/manifest.yml @@ -8,13 +8,13 @@ streams: vars: - name: paths type: text - title: Vulnerability Results + title: Vulnerability Results Location multi: true required: true show_user: true default: - #- /root/systemInfo/data/tychon_cve_info.json - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_cve_info.json + - /var/log/tychoncloud/eventlogs/tychon_cve_info.json - name: tags type: text title: Tags 
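Review bot: The new `format` on `due_date` is written as `\"MM/dd/yyyy\"` inside a YAML double-quoted scalar, so the literal double-quote characters become part of the mapping pattern; in a java-time pattern a bare `"` is literal text to match, so this branch appears to accept only values wrapped in quotes and a plain `01/31/2024` would fall through to the other formats and be rejected. The pipeline's `date` processor lists the same pattern without quotes, so the two disagree. Suggest `format: strict_date_optional_time||epoch_millis||date||MM/dd/yyyy`. Since the pipeline already normalises `due_date` to ISO output, this mapping format only matters for documents that reach the index without passing that processor.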
@@ -30,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml index aae86e5fd6b..1a31e66f028 100644 --- a/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for EPP +description: Pipeline for TYCHON Endpoint Protection Datasets processors: - dot_expander: field: "*" 
@@ -21,29 +21,44 @@ processors: - set: field: event.category value: epp + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - set: + field: host.uptime + value: "0" + if: ctx.host.uptime == '' - split: field: host.uptime separator: "\\.+" target_field: tempuptime + ignore_failure: true - set: field: host.uptime value: "{{tempuptime.0}}" + ignore_failure: true - remove: field: tempuptime + ignore_failure: true + ignore_missing: true - convert: field: host.uptime type: long + ignore_missing: true - gsub: field: host.mac pattern: ":" - replacement: "-" + replacement: "-" + ignore_missing: true - convert: field: script.current_duration type: float + ignore_missing: true on_failure: - set: field: event.kind value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/manifest.yml b/packages/tychon/data_stream/tychon_epp/manifest.yml index 021373c406c..37d37c1eb63 100644 --- a/packages/tychon/data_stream/tychon_epp/manifest.yml +++ b/packages/tychon/data_stream/tychon_epp/manifest.yml @@ -1,19 +1,20 @@ -title: Windows EPP Info +title: Endpoint Protection Platform Info type: logs streams: - input: logfile - title: Windows EPP Info - description: Windows EPP Info + title: Endpoint Protection Platform Info + description: Endpoint Protection Platform Info template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows EPP Info + title: TYCHON EPP Output Location multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_epp_info.json + - /var/log/tychoncloud/eventlogs/tychon_epp_info.json - name: tags type: text title: Tags 
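Review bot: The new `set` of `host.uptime` to `"0"` uses `if: ctx.host.uptime == ''`, which throws a null pointer error in Painless when `ctx.host` is absent, so an event with no host object is routed to `on_failure` as `pipeline_error` before any of the `ignore_missing` processors below get a chance to tolerate it. Use the null-safe form `if: "ctx.host?.uptime == ''"`. The tychon_exposedservice pipeline hunk has the same pattern in `if: ctx.service.state == ''`, right next to a `ctx.service?.name == null` condition that already uses the safe operator.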
@@ -29,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_exposedservice/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_exposedservice/agent/stream/stream.yml.hbs index 4daf6354078..e39e88b253d 100644 --- a/packages/tychon/data_stream/tychon_exposedservice/agent/stream/stream.yml.hbs +++ b/packages/tychon/data_stream/tychon_exposedservice/agent/stream/stream.yml.hbs @@ -1,20 +1,20 @@ -paths: -{{#each paths as |path|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -json: - keys_under_root: true +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true expand_keys: true \ No newline at end of file 
diff --git a/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml index 501df7f2480..0b1d21bc7e8 100644 --- a/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml 
@@ -1,47 +1,64 @@ ---- -description: Pipeline for Exposed Services -processors: - - dot_expander: - field: "*" - - set: - field: "@timestamp" - value: "{{_ingest.timestamp}}" - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: source.ip - value: "0.0.0.0" - if: ctx.source.ip == '' - - set: - field: ecs.version - value: 8.8.0 - - set: - field: event.kind - value: state - - set: - field: event.module - value: tychon - - set: - field: event.category - value: exposed service - - split: - field: host.uptime - separator: "\\.+" - target_field: tempuptime - - set: - field: host.uptime - value: "{{tempuptime.0}}" - - remove: - field: tempuptime - - convert: - field: script.current_duration - type: float -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - +--- +description: Pipeline for Exposed Services +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: source.ip + value: "0.0.0.0" + if: ctx.source.ip == '' + - set: + field: service.name + value: "{{process.name}}" + if: "ctx.service?.name == null" + ignore_failure: true + - set: + field: ecs.version + value: 8.8.0 + - set: + field: event.kind + value: state + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - set: + field: event.module + value: tychon + - set: + field: event.category + value: exposed service + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - set: + field: service.state + value: Running + if: ctx.service.state == '' + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true + - convert: + field: script.current_duration + type: float + ignore_missing: true +on_failure: + 
- set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_exposedservice/fields/fields.yml b/packages/tychon/data_stream/tychon_exposedservice/fields/fields.yml index eada49f31af..cc0dc08ce10 100644 --- a/packages/tychon/data_stream/tychon_exposedservice/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_exposedservice/fields/fields.yml @@ -1,4 +1,9 @@ -- name: service.description - type: keyword -- name: service.display_name - type: keyword +- name: service + type: group + fields: + - name: description + type: keyword + description: The description text on the serivce. + - name: display_name + type: keyword + description: The human readable name of the service \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_exposedservice/manifest.yml b/packages/tychon/data_stream/tychon_exposedservice/manifest.yml index aaf504358a3..01937d88bd8 100644 --- a/packages/tychon/data_stream/tychon_exposedservice/manifest.yml +++ b/packages/tychon/data_stream/tychon_exposedservice/manifest.yml @@ -1,19 +1,20 @@ -title: Windows exposedservice Info +title: Endpoint Exposed Services type: logs streams: - input: logfile - title: Windows exposedservice Info - description: Windows exposedservice Info + title: Endpoint Exposed Services + description: TYCHON will detect open ports and their processes to help determine extrenal exposure for an endpoint. template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows exposedservice Info + title: TYCHON Exposed Services Output Location multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_exposedservice_info.json + - /var/log/tychoncloud/eventlogs/tychon_exposedservice_info.json - name: tags type: text title: Tags 
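Review bot: The new `set` of `service.state` to `Running` when the source reports an empty string fabricates an observation: a service whose state TYCHON could not determine becomes indistinguishable from one observed running, which matters for an exposed-services inventory used to judge exposure. Prefer leaving the field absent or using a distinct value such as `unknown` (e.g. `value: unknown`) so dashboards can separate the two cases. The null-safety of its `if` is raised on the tychon_epp pipeline hunk.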
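Review bot: The new `description` on `service.description` misspells the subject: `The description text on the serivce.` should read `The description text on the service.`. These descriptions are rendered into the package's field reference, so the typo is user-visible.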
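Review bot: The new stream `description` misspells "external": `to help determine extrenal exposure for an endpoint.` should read `to help determine external exposure for an endpoint.`. This text is shown in the integration's policy editor.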
@@ -29,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_harddrive/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_harddrive/agent/stream/stream.yml.hbs index 4daf6354078..e39e88b253d 100644 --- a/packages/tychon/data_stream/tychon_harddrive/agent/stream/stream.yml.hbs +++ b/packages/tychon/data_stream/tychon_harddrive/agent/stream/stream.yml.hbs @@ -1,20 +1,20 @@ -paths: -{{#each paths as |path|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -json: - keys_under_root: true +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml index 655a9dbb863..a0b8abf6fc5 100644 
--- a/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml
@@ -1,156 +1,51 @@ ---- -description: Pipeline for Hard Drives -processors: - - dot_expander: - field: "*" - - set: - field: "@timestamp" - value: "{{_ingest.timestamp}}" - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: ecs.version - value: 8.8.0 - - set: - field: event.kind - value: state - - set: - field: event.module - value: tychon - - set: - field: event.category - value: hard drive - - split: - field: host.uptime - separator: "\\.+" - target_field: tempuptime - - set: - field: host.uptime - value: "{{tempuptime.0}}" - - remove: - field: tempuptime - - convert: - field: script.current_duration - type: float - - set: - field: disk.partition_style - value: '{{disk_partition_style}}' - - remove: - field: disk_partition_style - - set: - field: disk.number_of_partitions - value: '{{disk_NumberOfPartitions}}' - - remove: - field: disk_NumberOfPartitions - - set: - field: disk.operational_status - value: '{{disk_operational_status}}' - - remove: - field: disk_operational_status - - set: - field: disk.health_status - value: '{{disk_health_status}}' - - remove: - field: disk_health_status - - set: - field: disk.highly_available - value: '{{disk.is_highly_available}}' - - remove: - field: disk.is_highly_available - - set: - field: disk.offline - value: '{{disk.is_offline}}' - - remove: - field: disk.is_offline - - set: - field: disk.bus_type - value: '{{disk.bus_type}}' - - remove: - field: disk.bus_type - - set: - field: disk.adapter.serial_number - value: '{{disk_adapter_serialnumber}}' - - remove: - field: disk_adapter_serialnumber - - set: - field: disk.adapter.serial_number - value: '{{disk_adapter_serialnumber}}' - - remove: - field: disk_adapter_serialnumber - - set: - field: disk.size - value: '{{disk_size}}' - - remove: - field: disk_size - - set: - field: disk.system - value: '{{disk_system}}' - - remove: - field: disk_system - - set: - field: disk.manufacturer - value: '{{disk_manufacturer}}' - - remove: - field: 
disk_manufacturer - - set: - field: disk.clustered - value: '{{disk.is_clustered}}' - - remove: - field: disk.is_clustered - - set: - field: disk.model - value: '{{disk_model}}' - - remove: - field: disk_model - - set: - field: disk.number - value: '{{disk_number}}' - - remove: - field: disk_number - - set: - field: disk.location.function - value: '{{disk_location_function}}' - - remove: - field: disk_location_function - - set: - field: disk.location.device - value: '{{disk_location_device}}' - - remove: - field: disk_location_device - - set: - field: disk.location.bus - value: '{{disk_location_bus}}' - - remove: - field: disk_location_bus - - set: - field: disk.location.adapter - value: '{{disk_location_adapter}}' - - remove: - field: disk_location_adapter - - set: - field: disk.is_boot - value: '{{disk_is_boot}}' - - remove: - field: disk_is_boot - - set: - field: disk.guid - value: '{{disk_guid}}' - - remove: - field: disk_guid - - set: - field: disk.boot_from - value: '{{disk_boot_from}}' - - remove: - field: disk_boot_from - - convert: - field: script.current_duration - type: float -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - \ No newline at end of file +--- +description: Pipeline for the TYCHON Hard Drive Dataset +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: 8.8.0 + - set: + field: event.kind + value: state + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - set: + field: event.module + value: tychon + - set: + field: event.category + value: hard drive + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + 
ignore_failure: true + ignore_missing: true + - convert: + field: script.current_duration + type: float + ignore_missing: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_harddrive/fields/fields.yml b/packages/tychon/data_stream/tychon_harddrive/fields/fields.yml index 89116cfd6ac..c8de5ee5041 100644 --- a/packages/tychon/data_stream/tychon_harddrive/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_harddrive/fields/fields.yml 
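Review bot: The new side removes every `set`/`remove` pair that mapped the flat `disk_*` keys (for example `disk_partition_style`, `disk_NumberOfPartitions`, `disk_adapter_serialnumber`, `disk.is_offline`) onto the `disk.*` group, and nothing in this hunk replaces them. If the collector now emits the dotted names directly this is fine and worth one line in the pipeline description, e.g. `description: Pipeline for the TYCHON Hard Drive Dataset (expects disk.* keys as emitted by the agent)`; if it still emits the underscore names they will land unmapped or be rejected by the mapping. The hardware pipeline drops its `device_id`, `status`, `present`, `name`, `manufacturer` and `friendly_name` renames in the same way and raises the same question.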
@@ -1,50 +1,84 @@ -- name: disk.adapter.serial_number - type: keyword -- name: disk.boot_from - type: boolean -- name: disk.bus_type - type: keyword -- name: disk.clustered - type: boolean -- name: disk.firmware.version - type: keyword -- name: disk.firmware_version - type: keyword -- name: disk.guid - type: keyword -- name: disk.health_status - type: keyword -- name: disk.highly_available - type: boolean -- name: disk.is_boot - type: boolean -- name: disk.location.adapter - type: integer -- name: disk.location.bus - type: integer -- name: disk.location.device - type: integer -- name: disk.location.function - type: integer -- name: disk.manufacturer - type: keyword -- name: disk.model - type: keyword -- name: disk.name - type: keyword -- name: disk.number - type: integer -- name: disk.number_of_partitions - type: integer -- name: disk.offline - type: boolean -- name: disk.operational_status - type: keyword -- name: disk.partition_style - type: keyword -- name: disk.serial_number - type: keyword -- name: disk.size - type: long -- name: disk.system - type: boolean +- name: disk + type: group + fields: + - name: adapter + type: group + fields: + - name: serial_number + type: keyword + description: Disk Adatper Serial Number + - name: boot_from + type: boolean + description: OS booted from this disk + - name: bus_type + type: keyword + description: THe Disk Bus Type + - name: clustered + type: boolean + description: Is the Disk Clustered + - name: firmware + type: group + fields: + - name: version + type: keyword + description: Disk Firmware version + - name: guid + type: keyword + description: Disk UUID + - name: health_status + type: keyword + description: Health status of the disk + - name: highly_available + type: boolean + description: Disk is marked as highly available + - name: is_boot + type: boolean + description: Disk is a boot disk + - name: location + type: group + fields: + - name: adapter + type: integer + description: Zero index adapter location + - 
name: bus + type: integer + description: Disk Bus Location + - name: device + type: integer + descirption: Disk Device Location + - name: function + type: integer + description: Disk Function Location + - name: manufacturer + type: keyword + description: The manufacturer of the Disk + - name: model + type: keyword + description: The model of the disk + - name: name + type: keyword + description: The firendly name of the disk + - name: number + type: integer + description: The number assigned to the disk + - name: number_of_partitions + type: integer + description: Total number of partitions on the drive + - name: offline + type: boolean + description: Is the disk offline + - name: operational_status + type: keyword + description: Operational Status of the disk + - name: partition_style + type: keyword + description: Partition style + - name: serial_number + type: keyword + description: The unique serial number of the drive + - name: size + type: long + description: Total Size of the disk + - name: system + type: boolean + description: Is this a system drive diff --git a/packages/tychon/data_stream/tychon_harddrive/manifest.yml b/packages/tychon/data_stream/tychon_harddrive/manifest.yml index 05fd46993f5..c030df86e49 100644 --- a/packages/tychon/data_stream/tychon_harddrive/manifest.yml +++ b/packages/tychon/data_stream/tychon_harddrive/manifest.yml 
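Review bot: The `location.device` entry uses the key `descirption:` instead of `description:`, so its text is either rejected by the package spec validation or silently dropped from the generated docs; change it to `description: Disk Device Location`. The other new descriptions are inconsistent in capitalisation and spelling (`THe Disk Bus Type`, `Disk Adatper Serial Number`, `The firendly name of the disk`), which is worth normalising in the same pass.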
@@ -1,19 +1,20 @@ -title: Windows harddrive Info +title: Endpoint Harddrive Info type: logs streams: - input: logfile - title: Windows harddrive Info - description: Windows harddrive Info + title: Endpoint Harddrive Info + description: TYCHON reports all the physical Hard Drive's on an endpoint template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows harddrive Info + title: TYCHON Harddrive Output Location multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_harddrive_info.json + - /var/log/tychoncloud/eventlogs/tychon_harddrive_info.json - name: tags type: text title: Tags diff --git a/packages/tychon/data_stream/tychon_hardware/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_hardware/agent/stream/stream.yml.hbs index 4daf6354078..e39e88b253d 100644 --- a/packages/tychon/data_stream/tychon_hardware/agent/stream/stream.yml.hbs +++ b/packages/tychon/data_stream/tychon_hardware/agent/stream/stream.yml.hbs @@ -1,20 +1,20 @@ -paths: -{{#each paths as |path|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -json: - keys_under_root: true +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml index c917d8d7797..8c6aee9e114 100644 
--- a/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml
@@ -1,73 +1,54 @@ ---- -description: Pipeline for Hardware -processors: - - dot_expander: - field: "*" - - set: - field: "@timestamp" - value: "{{_ingest.timestamp}}" - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: ecs.version - value: 8.8.0 - - set: - field: event.kind - value: state - - set: - field: event.module - value: tychon - - set: - field: event.category - value: hardware - - split: - field: host.uptime - separator: "\\.+" - target_field: tempuptime - - set: - field: host.uptime - value: "{{tempuptime.0}}" - - remove: - field: tempuptime - - convert: - field: script.current_duration - type: float - - set: - field: device.id - value: '{{device_id}}' - - remove: - field: device_id - - set: - field: device.status - value: '{{status}}' - - remove: - field: status - - set: - field: device.present - value: '{{present}}' - - remove: - field: present - - set: - field: device.name - value: '{{name}}' - - remove: - field: name - - set: - field: device.manufacturer - value: '{{manufacturer}}' - - remove: - field: manufacturer - - set: - field: device.friendly_name - value: '{{friendly_name}}' - - remove: - field: friendly_name -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - \ No newline at end of file +--- +description: Pipeline for Hardware +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: 8.8.0 + - set: + field: event.kind + value: state + - lowercase: + field: device.present + ignore_missing: true + - set: + field: event.module + value: tychon + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - set: + field: event.category + value: hardware + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - 
set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true + - convert: + field: script.current_duration + type: float + ignore_missing: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_hardware/manifest.yml b/packages/tychon/data_stream/tychon_hardware/manifest.yml index 435b60875cf..1daff5cba8c 100644 --- a/packages/tychon/data_stream/tychon_hardware/manifest.yml +++ b/packages/tychon/data_stream/tychon_hardware/manifest.yml @@ -1,19 +1,20 @@ -title: Windows hardware Info +title: Hardware Info type: logs streams: - input: logfile - title: Windows hardware Info - description: Windows hardware Info + title: Hardware Info + description: The physical hardware attached to a computer system. template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows hardware Info + title: TYCHON Hardware Output Location multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_hardware_info.json + - /var/log/tychoncloud/eventlogs/tychon_hardware_info.json - name: tags type: text title: Tags diff --git a/packages/tychon/data_stream/tychon_host/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_host/agent/stream/stream.yml.hbs index 4daf6354078..e39e88b253d 100644 --- a/packages/tychon/data_stream/tychon_host/agent/stream/stream.yml.hbs +++ b/packages/tychon/data_stream/tychon_host/agent/stream/stream.yml.hbs 
@@ -1,20 +1,20 @@ -paths: -{{#each paths as |path|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -json: - keys_under_root: true +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml index fef9742e0c8..ca901abade7 100644 --- a/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml 
@@ -1,54 +1,72 @@ ---- -description: Pipeline for TYCHON HOST OS -processors: - - dot_expander: - field: "*" - - set: - field: "@timestamp" - value: "{{_ingest.timestamp}}" - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: ecs.version - value: 8.8.0 - - set: - field: event.kind - value: state - - set: - field: event.module - value: tychon - - set: - field: event.category - value: host os - - convert: - field: script.current_duration - type: float - - lowercase: - field: host.security.antivirus.exists - - split: - field: host.security.antivirus.exists - separator: "," - target_field: tempav - - set: - field: host.security.antivirus.exists - value: "{{tempav.0}}" - - remove: - field: tempav - - split: - field: host.uptime - separator: "\\.+" - target_field: tempuptime - - set: - field: host.uptime - value: "{{tempuptime.0}}" - - remove: - field: tempuptime -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" - \ No newline at end of file +--- +description: Pipeline for TYCHON HOST OS +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: 8.8.0 + - set: + field: event.kind + value: state + - set: + field: event.module + value: tychon + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - set: + field: event.category + value: host os + - remove: + field: tychon.definition.oval + if: ctx.tychon.definition.oval == '' + - remove: + field: tychon.definition.stig + if: ctx.tychon.definition.stig == '' + - convert: + field: script.current_duration + type: float + ignore_missing: true + - set: + field: host.security.antivirus.exists + value: "false" + if: ctx.host.security.antivirus.exists == '' + - lowercase: + field: host.security.antivirus.exists + - split: + field: 
host.security.antivirus.exists + separator: "," + target_field: tempav + - set: + field: host.security.antivirus.exists + value: "{{tempav.0}}" + - remove: + field: tempav + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_host/fields/fields.yml b/packages/tychon/data_stream/tychon_host/fields/fields.yml index 8a8e8a28231..a18a43e11b5 100644 --- a/packages/tychon/data_stream/tychon_host/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_host/fields/fields.yml 
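Review bot: The two new `remove` processors on `tychon.definition.oval` and `tychon.definition.stig` use `ctx.tychon.definition.oval == ''` without null-safe navigation, so a document that lacks the `tychon` or `tychon.definition` object throws and routes the whole event to `on_failure` as `pipeline_error`; use `if: ctx.tychon?.definition?.oval == ''` and the same for `stig`. The new `set` default on `host.security.antivirus.exists` has the same shape, and the `lowercase` and `split` that follow it still carry no `ignore_missing`, so an event without that field also fails the pipeline. Turning an empty antivirus string into `"false"` is a judgement call: it asserts "no AV present" for what is really "not reported", which is exactly the distinction a defender wants to keep, so consider leaving the field unset or documenting the assumption in the field description.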
@@ -1,72 +1,169 @@ -- name: event.deviceguard.basevirtualizationsupport.available - type: boolean -- name: event.deviceguard.credentialguard.enabled - type: boolean -- name: event.deviceguard.credentialguard.running - type: boolean -- name: event.deviceguard.dmaprotection.available - type: boolean -- name: event.deviceguard.hypervisorenforcedcodeint.enabled - type: boolean -- name: event.deviceguard.hypervisorenforcedcodeint.running - type: boolean -- name: event.deviceguard.secureboot.available - type: boolean -- name: event.deviceguard.securememoverwrite.available - type: boolean -- name: event.deviceguard.smmsecuritymigrations.available - type: boolean -- name: event.deviceguard.systemguardsecurelaunch.enabled - type: boolean -- name: event.deviceguard.systemguardsecurelaunch.running - type: boolean -- name: event.deviceguard.ueficodereadonly.available - type: boolean -- name: event.deviceguard.usermodecodeintegrity.policyenforcement - type: keyword -- name: event.deviceguard.version - type: keyword -- name: event.deviceguard.virtualizationbasedsecurity.status - type: keyword -- name: event.ufi.enabled - type: boolean -- name: host.cpu.caption - type: keyword -- name: host.cpu.count - type: integer -- name: host.memory.size - type: long -- name: host.motherboard.chipset - type: keyword -- name: host.motherboard.serial_number - type: keyword -- name: host.os.edition - type: keyword -- name: host.os.vendor - type: keyword -- name: host.security.antivirus.exists - type: boolean -- name: host.security.antivirus.name - type: keyword -- name: host.security.antivirus.state - type: keyword -- name: host.security.antivirus.status - type: keyword -- name: host.tpm.compliant - type: boolean -- name: host.tpm.digest.id - type: keyword -- name: host.tpm.present - type: boolean -- name: host.tpm.version - type: keyword -- name: host.virtualization_status - type: keyword -- name: tychon.definition.oval - type: date -- name: tychon.definition.stig - type: date -- name: 
tychon.version.agent - type: version -- name: tychon.version.content - type: version +- name: event + type: group + fields: + - name: deviceguard + type: group + fields: + - name: basevirtualizationsupport + type: group + fields: + - name: available + type: boolean + - name: credentialguard + type: group + fields: + - name: enabled + type: boolean + - name: running + type: boolean + - name: dmaprotection + type: group + fields: + - name: available + type: boolean + - name: hypervisorenforcedcodeint + type: group + fields: + - name: enabled + type: boolean + - name: running + type: boolean + - name: secureboot + type: group + fields: + - name: available + type: boolean + - name: securememoverwrite + type: group + fields: + - name: available + type: boolean + - name: smmsecuritymigrations + type: group + fields: + - name: available + type: boolean + - name: systemguardsecurelaunch + type: group + fields: + - name: enabled + type: boolean + - name: running + type: boolean + - name: ueficodereadonly + type: group + fields: + - name: available + type: boolean + - name: usermodecodeintegrity + type: group + fields: + - name: policyenforcement + type: keyword + - name: version + type: keyword + - name: virtualizationbasedsecurity + type: group + fields: + - name: status + type: keyword + - name: ufi + type: group + fields: + - name: enabled + type: boolean +- name: host + type: group + fields: + - name: cpu + type: group + fields: + - name: caption + type: keyword + description: Description of the CPU + - name: count + type: integer + description: Total Number of CPUs on the system + - name: memory + type: group + fields: + - name: size + type: long + description: Total RAM Size + - name: motherboard + type: group + fields: + - name: chipset + type: keyword + description: Chipset of the Motherboard + - name: serial_number + type: keyword + description: Serial Number of the Motherboard + - name: os + type: group + fields: + - name: edition + type: keyword + description: 
The Edition of the Opearting System + - name: vendor + type: keyword + description: The vendor of the Operating System + - name: security + type: group + fields: + - name: antivirus + type: group + fields: + - name: exists + type: boolean + description: Does the OS state that an AV program is installed + - name: name + type: keyword + description: Product name the Operating System states is the AV program installed + - name: state + type: keyword + description: The Operating System state of the AV product + - name: status + type: keyword + description: The Operating System current status of the AV product it says is installed. + - name: tpm + type: group + fields: + - name: compliant + type: boolean + description: Is the endpoint compliant with TPM security settings + - name: digest + type: group + fields: + - name: id + type: keyword + description: What digest is being used by TPM + - name: present + type: boolean + description: Is TPM module present on the operating system + - name: version + type: keyword + description: What version of TPM is being used + - name: host.virtualization_status + type: keyword +- name: tychon + type: group + fields: + - name: definition + type: group + fields: + - name: oval + type: date + description: What version of the TYCHON oval defitnions are currently on this endpoint + - name: stig + type: date + description: What version of the Benchmark checks are on this endpoint + - name: version + type: group + fields: + - name: agent + type: version + description: The TYCHON Agent Version installed on the endpoint + - name: content + type: version + description: The TYCHON Agentless Version installed on the endpoint \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_host/manifest.yml b/packages/tychon/data_stream/tychon_host/manifest.yml index 6389f0f457d..fcc9e0e7793 100644 --- a/packages/tychon/data_stream/tychon_host/manifest.yml +++ b/packages/tychon/data_stream/tychon_host/manifest.yml 
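Review bot: `- name: host.virtualization_status` is listed inside the `host` group's `fields:` list (at the same level as `tpm`), so the generated mapping becomes `host.host.virtualization_status` rather than the `host.virtualization_status` the old flat file declared and the collector presumably still emits; change it to `- name: virtualization_status`. The `event.deviceguard.*` leaves also gained no descriptions while the `host.*` and `tychon.*` groups did, and a one-line description per leaf would keep the file consistent.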
@@ -1,19 +1,20 @@ -title: Windows host os Info +title: Host Operating System Info type: logs streams: - input: logfile - title: Windows host_os Info - description: Windows host_os Info + title: Host Operating System Info + description: TYCHON collects 1-1 information about an endpoint in this dataset template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows host_os Info + title: TYCHON Host Operating System Location multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_host_info.json + - /var/log/tychoncloud/eventlogs/tychon_host_info.json - name: tags type: text title: Tags @@ -29,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_networkadapter/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_networkadapter/agent/stream/stream.yml.hbs index 4daf6354078..e39e88b253d 100644 --- a/packages/tychon/data_stream/tychon_networkadapter/agent/stream/stream.yml.hbs +++ b/packages/tychon/data_stream/tychon_networkadapter/agent/stream/stream.yml.hbs 
@@ -1,20 +1,20 @@ -paths: -{{#each paths as |path|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -json: - keys_under_root: true +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml index 6bd76506ab2..fef46ef0062 100644 --- a/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml 
@@ -1,73 +1,74 @@ ---- -description: Pipeline for parsing TYCHON Network Adapters -processors: - - dot_expander: - field: "*" - - set: - field: "@timestamp" - value: "{{_ingest.timestamp}}" - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - split: - field: host.ipv4 - separator: "," - - set: - field: ecs.version - value: 8.8.0 - - set: - field: event.kind - value: state - - set: - field: event.module - value: tychon - - set: - field: event.category - value: network adapter - - split: - field: host.uptime - separator: "\\.+" - target_field: tempuptime - - set: - field: host.uptime - value: "{{tempuptime.0}}" - - remove: - field: tempuptime - - script: - source: | - String[] ls; - float l; - if(ctx.host.adapter.link_speed != null && ctx.host.adapter.link_speed.splitOnToken(' ')){ - ls = ctx.host.adapter.link_speed.splitOnToken(' '); - l = Float.parseFloat(ls[0]); - if(ls[1] =='Mbps'){ - ctx.host.adapter.link_speed=(long) l*1048576; - }else if(ls[1] =='Gbps'){ - ctx.host.adapter.link_speed=(long) l*1073741824; - } - } - - remove: - field: host.adapter.ip - if: ctx.host.adapter.ip == '' - - remove: - field: host.adapter.gateway - if: ctx.host.adapter.gateway == '' - - remove: - field: host.adapter.dhcp.server - if: ctx.host.adapter.dhcp.server == '' - - remove: - field: host.adapter.dhcp.lease_obtained - if: ctx.host.adapter.dhcp.lease_obtained == '' - - remove: - field: host.adapter.dhcp.lease_expires - if: ctx.host.adapter.dhcp.lease_expires == '' - - convert: - field: script.current_duration - type: float -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' +--- +description: Pipeline for parsing TYCHON Network Adapters +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: 8.8.0 + - set: + field: 
event.kind + value: state + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - set: + field: event.module + value: tychon + - set: + field: event.category + value: network adapter + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true + - remove: + field: host.adapter.ip + if: ctx.host.adapter.ip == '' + - remove: + field: host.adapter.gateway + if: ctx.host.adapter.gateway == '' + - remove: + field: host.adapter.dhcp.server + if: ctx.host.adapter.dhcp.server == '' + - remove: + field: host.adapter.dhcp.lease_obtained + if: ctx.host.adapter.dhcp.lease_obtained == '' + - remove: + field: host.adapter.dhcp.lease_expires + if: ctx.host.adapter.dhcp.lease_expires == '' + - remove: + field: host.adapter.driver.date + if: ctx.host.adapter.driver.date == '' + - gsub: + field: host.adapter.link_speed + pattern: "[^0-9]" + replacement: "" + - convert: + field: script.current_duration + type: float + ignore_missing: true + ignore_failure: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_networkadapter/fields/agent.yml b/packages/tychon/data_stream/tychon_networkadapter/fields/agent.yml index 2f024c089ab..f2a0c59b335 100644 --- a/packages/tychon/data_stream/tychon_networkadapter/fields/agent.yml +++ b/packages/tychon/data_stream/tychon_networkadapter/fields/agent.yml @@ -107,4 +107,4 @@ type: keyword - name: serial_number description: Host BIOS Serial Number. - type: keyword + type: keyword \ No newline at end of file 
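Review bot: The new `gsub` on `host.adapter.link_speed` strips every non-digit, so inputs like `1 Gbps`, `100 Mbps` and `2.5 Gbps` become `1`, `100` and `25`, values that are no longer comparable in a field the old fields file mapped as `long`, whereas the Painless script it replaces normalised to one unit. The `gsub` also has no `ignore_missing: true`, so an adapter record without a link speed now fails the entire pipeline into `on_failure`. Keep a unit-aware conversion (a `script` that parses the number and multiplies by the unit, or a unit-specific `gsub` followed by `convert`), add `ignore_missing: true`, and state the unit in the `link_speed` field description.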
diff --git a/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml b/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml
index 5a69e18c631..dcc5cc72bc3 100644
--- a/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml
+++ b/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml
@@ -1,58 +1,135 @@ -- name: host.adapter.alias - type: keyword -- name: host.adapter.description - type: text -- name: host.adapter.dhcp.enabled - type: boolean -- name: host.adapter.dhcp.lease_expires - type: date -- name: host.adapter.dhcp.lease_obtained - type: date -- name: host.adapter.dhcp.server - type: ip -- name: host.adapter.domain - type: keyword -- name: host.adapter.driver.date - type: date -- name: host.adapter.driver.description - type: text -- name: host.adapter.driver.file_name - type: keyword -- name: host.adapter.driver.name - type: keyword -- name: host.adapter.driver.provider - type: keyword -- name: host.adapter.driver.version - type: keyword -- name: host.adapter.gateway - type: ip -- name: host.adapter.id - type: keyword -- name: host.adapter.ip - type: ip -- name: host.adapter.ip_filter.enabled - type: boolean -- name: host.adapter.wins_server - type: keyword -- name: host.adapter.link_speed - type: long -- name: host.adapter.mac - type: keyword -- name: host.adapter.media.connection_state - type: keyword -- name: host.adapter.media.type - type: keyword -- name: host.adapter.mtu - type: integer -- name: host.adapter.ndis.version - type: keyword -- name: host.adapter.subnet_bit - type: integer -- name: host.adapter.virtual - type: boolean -- name: host.adapter.vlan.id - type: keyword -- name: host.adapter.wifi.enabled - type: boolean -- name: host.adapter.wifi.signal_percent - type: integer +- name: host + type: group + fields: + - name: adapter + type: group + fields: + - name: alias + type: keyword + description: The Alias given to this adapter + - name: description + type: text + description: The network adatper description + - name: dhcp + type: group + fields: + - name: enabled + type: boolean + description: Is DHCP Enabled on this adatper + - name: lease_expires + type: date + description: When does this DHCP lease expire + - name: lease_obtained + type: date + description: When was the DHCP lease obtained + - name: server + type: ip + 
description: What IP Address was the DHCP IP obtained from. + - name: domain + type: keyword + description: What domain was assigned to this adatper + - name: driver + type: group + fields: + - name: date + type: date + description: Date the driver was installed + - name: description + type: text + description: Description of the driver + - name: file_name + type: keyword + description: Driver File name + - name: name + type: keyword + description: Name of the driver + - name: provider + type: keyword + description: Company that provided the driver + - name: version + type: keyword + description: Version of the driver + - name: gateway + type: ip + description: Gateway IP Address + - name: id + type: keyword + description: ID Of the adapter + - name: ip + type: ip + description: IP Addresses assigned to the adatper + - name: ip_filter + type: group + fields: + - name: enabled + type: boolean + description: Is IP Filtering Enabled + - name: wins_server + type: keyword + description: The WINS Server attached to this adatper + - name: link_speed + type: long + description: Link speed of the adatper + - name: mac + type: keyword + description: Hardware MAC Address + - name: media + type: group + fields: + - name: connection_state + type: keyword + description: Current Connection State + - name: type + type: keyword + description: Current Connection Media Type + - name: mtu + type: integer + description: MTU Size + - name: ndis + type: group + fields: + - name: version + type: keyword + description: NDIS Version + - name: subnet_bit + type: integer + description: Subnet BIT + - name: virtual + type: boolean + description: Is adapter virutal + - name: vlan + type: group + fields: + - name: id + type: keyword + description: The VLAN ID + - name: wifi + type: group + fields: + - name: enabled + type: boolean + description: Is WIFI Enabled + - name: signal_percent + type: integer + description: Signal strenth to connected WIFI Router + - name: ssid + type: keyword + 
description: The Connected WIFI Router SSID + - name: bssid + type: keyword + description: The Connected WIFI Router Hardware Address + - name: radio_type + type: keyword + description: The radio type of the connected WIFI Router + - name: authentication + type: keyword + description: The Authentication method used to connected to the WIFI Router + - name: cipher + type: keyword + description: The CIPHER used to connected to the WIFI Router + - name: band + type: keyword + description: The band used to connected to the WIFI Router + - name: channel + type: keyword + description: The channel used to connected to the WIFI Router \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_networkadapter/manifest.yml b/packages/tychon/data_stream/tychon_networkadapter/manifest.yml index 4834974691b..f4a01ab6495 100644 --- a/packages/tychon/data_stream/tychon_networkadapter/manifest.yml +++ b/packages/tychon/data_stream/tychon_networkadapter/manifest.yml @@ -8,13 +8,13 @@ streams: vars: - name: paths type: text - title: Host Network Adapters + title: Host Network Adapters Location multi: true required: true show_user: true default: - #- /root/systemInfo/data/tychon_networkadapter_info.json - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_networkadapter_info.json + - /var/log/tychoncloud/eventlogs/tychon_networkadapter_info.json - name: tags type: text title: Tags 
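Review bot: Several of the new `description` strings carry typos that will be copied verbatim into the generated README tables and Kibana field help: `adatper` (description, dhcp.enabled, domain, ip, wins_server, link_speed), `virutal`, `strenth`, and `used to connected to` in the wifi authentication/cipher/band/channel entries. Suggested wording: `description: The network adapter description`, `description: Is adapter virtual`, `description: Signal strength to connected WIFI Router`, and `used to connect to the WIFI Router` for the four wifi entries. The dotted field names produced by the new `group` nesting match the flat names they replace, so the mapping itself is unchanged by this hunk.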
@@ -30,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_softwareinventory/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_softwareinventory/agent/stream/stream.yml.hbs index 4daf6354078..e39e88b253d 100644 --- a/packages/tychon/data_stream/tychon_softwareinventory/agent/stream/stream.yml.hbs +++ b/packages/tychon/data_stream/tychon_softwareinventory/agent/stream/stream.yml.hbs @@ -1,20 +1,20 @@ -paths: -{{#each paths as |path|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -json: - keys_under_root: true +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true expand_keys: true \ No newline at end of file 
diff --git a/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml index 6e5cafc76b2..690f552d220 100644 --- a/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml 
@@ -1,55 +1,91 @@ ---- -description: Pipeline for Software Inventory -processors: - - dot_expander: - field: "*" - - set: - field: "@timestamp" - value: "{{_ingest.timestamp}}" - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: ecs.version - value: 8.8.0 - - set: - field: package.installed - value: "1970-01-01T00:00:01Z" - if: ctx.package.installed == '' - - gsub: - field: version.version_build - pattern: "[^0-9]" - replacement: "" - - gsub: - field: version.version_major - pattern: "[^0-9]" - replacement: "" - - set: - field: event.kind - value: state - - set: - field: event.module - value: tychon - - set: - field: event.category - value: software inventory - - convert: - field: script.current_duration - type: float - - split: - field: host.uptime - separator: "\\.+" - target_field: tempuptime - - set: - field: host.uptime - value: "{{tempuptime.0}}" - - remove: - field: tempuptime -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - +--- +description: Pipeline for Software Inventory +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: 8.8.0 + - set: + field: package.installed + value: "1970-01-01T00:00:01Z" + if: ctx.package.installed == 'installed' + - set: + field: package.installed + value: "1970-01-01T00:00:01Z" + if: ctx.package.installed == '' + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - gsub: + field: package.size + pattern: "[^0-9]" + replacement: "" + - gsub: + field: package.version_build + pattern: "[^0-9]" + replacement: "" + ignore_missing: true + - gsub: + field: package.version_major + pattern: "[^0-9]" + replacement: "" + ignore_missing: true + - gsub: + field: package.version_minor + pattern: "[^0-9]" + replacement: "" + 
ignore_missing: true + - gsub: + field: package.version_release + pattern: "[^0-9]" + replacement: "" + ignore_missing: true + - set: + field: event.kind + value: state + - set: + field: package.type + value: rpm + if: ctx.package.type == '' + - script: + source: ctx.package.cpe = "cpe:/a:" + ctx.package.name + ":" + ctx.package.version + if: ctx.package.cpe == '' + ignore_failure: true + - set: + field: event.module + value: tychon + - set: + field: event.category + value: software inventory + - convert: + field: script.current_duration + type: float + ignore_missing: true + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_softwareinventory/manifest.yml b/packages/tychon/data_stream/tychon_softwareinventory/manifest.yml index b3a4e86c2ee..3d40f20614f 100644 --- a/packages/tychon/data_stream/tychon_softwareinventory/manifest.yml +++ b/packages/tychon/data_stream/tychon_softwareinventory/manifest.yml 
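Review bot: The synthesized `package.cpe` in the new script processor puts `package.name` in the CPE 2.2 vendor slot and `package.version` in the product slot (`cpe:/a:<vendor>:<product>:<version>`), so the value will not match NVD or vendor-keyed feeds, and with `ignore_failure: true` a null name or version is presumably rendered into the string rather than rejected. Build it with an empty (ANY) vendor component, lower-case the name with spaces as underscores as CPE names are written, and run it only when both inputs exist with a null-safe check on `ctx.package`. Separately, the new `gsub` on `package.size` is the only one in this group without `ignore_missing: true`, so an event lacking that field ends in `on_failure` as `pipeline_error`; add `ignore_missing: true` there. The `set` of `host.uptime` from `{{tempuptime.0}}` still runs when the split was skipped or failed and the template renders the missing `tempuptime` as an empty string, so guard it with `if: ctx.tempuptime != null`.
```yaml
  # … unchanged: preceding set/split/gsub processors …
  - script:
      if: ctx.package?.cpe == '' && ctx.package.name != null && ctx.package.version != null
      source: >-
        def product = ctx.package.name.toLowerCase().replace(' ', '_');
        ctx.package.cpe = 'cpe:/a::' + product + ':' + ctx.package.version;
      ignore_failure: true
  # … unchanged: event.module/event.category/uptime processors …
```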
@@ -1,19 +1,20 @@ -title: Windows softwareinventory Info +title: Endpoint Software Inventory Info type: logs streams: - input: logfile - title: Windows softwareinventory Info - description: Windows softwareinventory Info + title: Endpoint Software Inventory Info + description: TYCHON will collect all installed software from the operating system. template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows softwareinventory Info + title: TYCHON Software Inventory Output multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_softwareinventory_info.json + - /var/log/tychoncloud/eventlogs/tychon_softwareinventory_info.json - name: tags type: text title: Tags @@ -29,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml index 7fec6335c7d..814b9a47c3f 100644 --- a/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml 
@@ -14,11 +14,15 @@ processors: field: rule.result value: '{{rule.test_result}}' - remove: - if: "ctx.containsKey('rule') && ctx.rule.containsKey('test_result')" + if: "ctx.containsKey('rule') && ctx.rule.containsKey('test_result')" field: rule.test_result - set: field: ecs.version value: '8.8.0' + - split: + field: host.ipv4 + separator: "," + ignore_missing: true - set: field: event.kind value: state @@ -32,14 +36,15 @@ processors: field: host.uptime separator: "\\.+" target_field: tempuptime + ignore_failure: true - set: field: host.uptime value: "{{tempuptime.0}}" + ignore_failure: true - remove: field: tempuptime - - convert: - field: host.uptime - type: long + ignore_failure: true + ignore_missing: true - gsub: field: host.mac pattern: ":" @@ -47,13 +52,15 @@ processors: - convert: field: script.current_duration type: float + ignore_missing: true - convert: field: rule.weight type: float + ignore_missing: true on_failure: - set: field: event.kind value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/manifest.yml b/packages/tychon/data_stream/tychon_stig/manifest.yml index e4d2129d452..cf335ff8247 100644 --- a/packages/tychon/data_stream/tychon_stig/manifest.yml +++ b/packages/tychon/data_stream/tychon_stig/manifest.yml 
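Review bot: With `ignore_failure: true` now on the `host.uptime` split (second hunk), the following `set` of `host.uptime` from `{{tempuptime.0}}` still runs when the split was skipped or failed, and the mustache template renders the absent `tempuptime` as an empty string, so a missing or malformed uptime is overwritten with `host.uptime: ""` instead of being left alone; guard it with `if: ctx.tempuptime != null`. The removed `convert` to `long` also means `host.uptime` is now kept as the string the split produced; if the field is mapped numerically that now relies on Elasticsearch coercion, which is worth confirming against the field definition (not in this diff). The `host.ipv4` split added in the first hunk uses a bare `,` separator; if the source joins addresses with `, ` the later elements keep a leading space and an `ip`-typed mapping would reject them — `separator: "\\s*,\\s*"` is safer since the separator is a regex.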
@@ -1,19 +1,20 @@ -title: Windows STIG Info +title: Endpoint STIG Results type: logs streams: - input: logfile - title: Windows STIG Info - description: Windows STIG Info + title: Endpoint STIG Results + description: Endpoint Benchmark SCAP/XCCDF Scan Results template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows Patches Results + title: TYCHON STIG Results Output multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_stig_info.json + - /var/log/tychoncloud/eventlogs/tychon_stig_info.json - name: tags type: text title: Tags @@ -29,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_volume/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_volume/agent/stream/stream.yml.hbs index 4daf6354078..e39e88b253d 100644 --- a/packages/tychon/data_stream/tychon_volume/agent/stream/stream.yml.hbs +++ b/packages/tychon/data_stream/tychon_volume/agent/stream/stream.yml.hbs 
@@ -1,20 +1,20 @@ -paths: -{{#each paths as |path|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -json: - keys_under_root: true +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml index c01d85ae503..c49230cd122 100644 --- a/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml 
@@ -1,51 +1,59 @@ ---- -description: Pipeline for TYCHON Volumes -processors: - - dot_expander: - field: "*" - - set: - field: "@timestamp" - value: "{{_ingest.timestamp}}" - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - - set: - field: ecs.version - value: 8.8.0 - - set: - field: event.kind - value: state - - set: - field: event.module - value: tychon - - set: - field: event.category - value: volumes - - set: - field: volume.percent_full - value: "0" - if: ctx.volume.percent_full == 'NaN' - - gsub: - field: volume.percent_full - pattern: "%" - replacement: "" - - split: - field: host.uptime - separator: "\\.+" - target_field: tempuptime - - set: - field: host.uptime - value: "{{tempuptime.0}}" - - remove: - field: tempuptime - - convert: - field: script.current_duration - type: float -on_failure: - - set: - field: event.kind - value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' - \ No newline at end of file +--- +description: Pipeline for TYCHON Volumes +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: 8.8.0 + - set: + field: event.kind + value: state + - set: + field: event.module + value: tychon + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - set: + field: event.category + value: volumes + - set: + field: volume.percent_full + value: "0" + if: ctx.volume.percent_full == 'NaN' + - gsub: + field: volume.percent_full + pattern: "%" + replacement: "" + - convert: + field: script.current_duration + type: float + ignore_missing: true + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true +on_failure: + - set: + 
field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_volume/fields/fields.yml b/packages/tychon/data_stream/tychon_volume/fields/fields.yml index 510274e1fba..1aa277c286f 100644 --- a/packages/tychon/data_stream/tychon_volume/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_volume/fields/fields.yml @@ -1,34 +1,40 @@ -- name: volume.automount - type: boolean -- name: volume.block_size - type: long -- name: volume.dirty_bit_set - type: boolean -- name: volume.dos_device_path - type: text -- name: volume.drive.letter - type: keyword -- name: volume.drive.type - type: keyword -- name: volume.file_system - type: keyword -- name: volume.freespace - type: long -- name: volume.id - type: keyword -- name: volume.name - type: keyword -- name: volume.page_file_present - type: boolean -- name: volume.percent_full - type: float -- name: volume.power_management_supported - type: boolean -- name: volume.purpose - type: keyword -- name: volume.serial_number - type: keyword -- name: volume.size - type: long -- name: volume.system_volume - type: boolean +- name: volume + type: group + fields: + - name: automount + type: boolean + - name: block_size + type: long + - name: dirty_bit_set + type: boolean + - name: dos_device_path + type: text + - name: volume + type: group + fields: + - name: letter + type: keyword + - name: type + type: keyword + - name: file_system + type: keyword + - name: freespace + type: long + - name: id + type: keyword + - name: name + type: keyword + - name: page_file_present + type: boolean + - name: percent_full + type: float + - name: power_management_supported + type: boolean + - name: purpose + type: keyword + - name: serial_number + type: keyword + - name: size + type: long + - name: system_volume + type: boolean \ No newline at end of file 
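Review bot: The `set` of `host.uptime` from `{{tempuptime.0}}` now runs even when the preceding split was skipped or failed (it has `ignore_failure: true`), and the template renders the absent `tempuptime` as an empty string, so `host.uptime` is clobbered with `""` rather than preserved; add `if: ctx.tempuptime != null` to that `set`. The new `host.ipv4` split uses a bare `,`; if the source joins addresses with `, ` the trailing elements keep a leading space, so `separator: "\\s*,\\s*"` would be safer. The pre-existing `volume.percent_full` condition `ctx.volume.percent_full == 'NaN'` still throws when `ctx.volume` is absent and sends the event to `on_failure`; `ctx.volume?.percent_full == 'NaN'` would make it null-safe.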
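Review bot: The nested rewrite renames the drive group: the old flat `volume.drive.letter` and `volume.drive.type` are now declared under a group named `volume` inside `volume`, so the mapping becomes `volume.volume.letter` / `volume.volume.type` and the `volume.drive.*` values the pipeline leaves in events lose their explicit `keyword` mapping. Change the inner group to `- name: drive`. Every other field in the hunk keeps its original dotted name.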
diff --git a/packages/tychon/data_stream/tychon_volume/manifest.yml b/packages/tychon/data_stream/tychon_volume/manifest.yml index 02b43e2f359..16a2eb0985e 100644 --- a/packages/tychon/data_stream/tychon_volume/manifest.yml +++ b/packages/tychon/data_stream/tychon_volume/manifest.yml @@ -1,19 +1,20 @@ -title: Windows volumes Info +title: Endpoint Volumes Info type: logs streams: - input: logfile - title: Windows volumes Info - description: Windows volumes Info + title: Endpoint Volumes Info + description: Endpoint Volumes Info template_path: stream.yml.hbs vars: - name: paths type: text - title: Windows volumes Info + title: TYCHON Volumes Output multi: true required: true show_user: true default: - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_volume_info.json + - /var/log/tychoncloud/eventlogs/tychon_volume_info.json - name: tags type: text title: Tags @@ -29,5 +30,4 @@ streams: required: false show_user: false description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/tychon/docs/README.md b/packages/tychon/docs/README.md index 0da1468de39..1836d5bd952 100644 --- a/packages/tychon/docs/README.md +++ b/packages/tychon/docs/README.md 
@@ -4,10 +4,11 @@ ## Compatibility -* This integration supports Windows 10 and Windows 11 Endpoint Operating Systems. +* This integration supports Windows and RedHat/CENTOS Endpoint Operating Systems. * This integration requires a TYCHON Agentless license. * This integration requires [TYCHON Vulnerability Definition](https://support.tychon.io/) files. - +* The Linux Endpoint requires RedHat's [OpenScap](https://www.open-scap.org/tools/openscap-base/) to be installed for STIG and CVE to report data. +* This integration supports Elastic 8.8+. ## Returned Data Fields ### ARP Table Information 
@@ -36,11 +37,11 @@ TYCHON scans Endpoint ARP Tables and returns the results. | elastic_agent.id | Elastic Agent Id. | keyword | | elastic_agent.snapshot | Elastic Agent snapshot. | boolean | | elastic_agent.version | Elastic Agent Version. | keyword | -| error.message | | match_only_text | +| error.message | Error message. | match_only_text | | event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.dataset | Name of the dataset. 
If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.ingested | | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | 
@@ -63,7 +64,7 @@ TYCHON scans Endpoint ARP Tables and returns the results. | host.oem.manufacturer | Host OEM Manufacturer. | keyword | | host.oem.model | Host OEM Model. | keyword | | host.os.build | Host OS Build. | keyword | -| host.os.description | Host OS Description. | keyword | +| host.os.description | Host OS Description. | text | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | @@ -83,12 +84,12 @@ TYCHON scans Endpoint ARP Tables and returns the results. | network.interface | | keyword | | network.state | | keyword | | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| script.current_duration | Scanner Script Duration. | float | -| script.current_time | Current datetime. | date | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | long | | script.name | Scanner Script Name. | keyword | | script.start | Scanner Start datetime. | date | | script.type | Scanner Script Type. | keyword | -| script.version | Scanner Script Version. | keyword | +| script.version | Scanner Script Version. | version | | tags | List of keywords used to tag each event. | keyword | | tychon.id | TYCHON unique host identifier. | keyword | 
@@ -115,11 +116,11 @@ TYCHON scans for Endpoint CPU's and returns the results. | elastic_agent.id | Elastic Agent Id. | keyword | | elastic_agent.snapshot | Elastic Agent snapshot. | boolean | | elastic_agent.version | Elastic Agent Version. | keyword | -| error.message | | match_only_text | +| error.message | Error message. | match_only_text | | event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.dataset | Name of the dataset. 
If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.ingested | | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | 
@@ -151,7 +152,7 @@ TYCHON scans for Endpoint CPU's and returns the results.
 | host.oem.manufacturer | Host OEM Manufacturer. | keyword |
 | host.oem.model | Host OEM Model. | keyword |
 | host.os.build | Host OS Build. | keyword |
-| host.os.description | Host OS Description. | keyword |
+| host.os.description | Host OS Description. | text |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
@@ -167,12 +168,12 @@ TYCHON scans for Endpoint CPU's and returns the results.
 | input.type | Source file type. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.offset | Source file current offset. | long |
-| script.current_duration | Scanner Script Duration. | float |
-| script.current_time | Current datetime. | date |
+| script.current_duration | Scanner Script Duration. | long |
+| script.current_time | Current datetime. | long |
 | script.name | Scanner Script Name. | keyword |
 | script.start | Scanner Start datetime. | date |
 | script.type | Scanner Script Type. | keyword |
-| script.version | Scanner Script Version. | keyword |
+| script.version | Scanner Script Version. | version |
 | tags | List of keywords used to tag each event. | keyword |
 | tychon.id | TYCHON unique host identifier. | keyword |
@@ -192,18 +193,6 @@ TYCHON scans for Endpoint vulenrabilites and returns the results.
 | agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword |
 | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword |
 | agent.version | Version of the agent. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.name | Container name. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
@@ -224,45 +213,36 @@ TYCHON scans for Endpoint vulenrabilites and returns the results.
 | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
 | host.architecture | Operating system architecture. | keyword |
 | host.biossn | Host BIOS Serial Number. | keyword |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
 | host.hardware.bios.name | Host BIOS Name. | keyword |
-| host.hardware.bios.version | Host BIOS Version. | keyword |
+| host.hardware.bios.version | Host BIOS Version. | version |
 | host.hardware.cpu.caption | Host CPU Caption. | keyword |
 | host.hardware.manufacturer | Host BIOS Manufacturer. | keyword |
 | host.hardware.owner | Host BIOS Owner. | keyword |
 | host.hardware.serial_number | Host BIOS Serial Number. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.ipv4 | Host ip v4 addresses. | keyword |
-| host.ipv6 | Host ip v6 addresses. | keyword |
-| host.mac | Host mac addresses. | keyword |
+| host.ipv4 | Host IPv4 addresses. | ip |
+| host.ipv6 | Host IPv6 addresses. | keyword |
 | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
 | host.oem.manufacturer | Host OEM Manufacturer. | keyword |
 | host.oem.model | Host OEM Model. | keyword |
 | host.os.build | Host OS Build. | keyword |
-| host.os.description | Host OS Description. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.description | Host OS Description. | text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
 | host.os.organization | Host OS Organization. | keyword |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| host.uptime | Seconds the host has been up. | long |
 | host.workgroup | Host Workgroup Network Name. | keyword |
-| id | Tychon Unique Vulnerability Id. | keyword |
+| id | TYCHON unique document identifier. | keyword |
 | input.type | Source file type. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.offset | Source file current offset. | long |
-| script.current_duration | Scanner Script Duration. | float |
-| script.current_time | Current datetime. | date |
+| script.current_duration | Scanner Script Duration. | long |
+| script.current_time | Current datetime. | long |
 | script.name | Scanner Script Name. | keyword |
 | script.start | Scanner Start datetime. | date |
 | script.type | Scanner Script Type. | keyword |
 | script.version | Scanner Script Version. | keyword |
 | tags | List of keywords used to tag each event. | keyword |
+| tychon.id | TYCHON unique host identifier. | keyword |
 | vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword |
 | vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword |
 | vulnerability.definition | National Vulnerability Database Vulnerability Definition. | keyword |
@@ -277,12 +257,12 @@ TYCHON scans for Endpoint vulenrabilites and returns the results.
 | vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword |
 | vulnerability.result | Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. | keyword |
 | vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword |
-| vulnerability.score.base | National Vulnerability Database Score of the Vulnerabilty. | float |
+| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float |
 | vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
 | vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
 | vulnerability.title | Common Vulnerabilities and Exposures Description and Title. | keyword |
 | vulnerability.version | Version Number of the Scan. | keyword |
-| vulnerability.year | Common Vulnerabilities and Exposures Year. | long |
+| vulnerability.year | Common Vulnerabilities and Exposures Year. | integer |
 ### Endpoint Protection Platform
@@ -396,7 +376,7 @@ TYCHON scans the Endpoint's Windows Defender and returns protection status and v
 ### Endpoint Exposed Services Information
-The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.
+The TYCHON script to scan Endpoint Exposed Services and returns information.
 **Exported fields**
 **Exported fields**
@@ -416,11 +396,11 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 | elastic_agent.id | Elastic Agent Id. | keyword |
 | elastic_agent.snapshot | Elastic Agent snapshot. | boolean |
 | elastic_agent.version | Elastic Agent Version. | keyword |
-| error.message | | match_only_text |
+| error.message | Error message. | match_only_text |
 | event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.ingested | | date |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
 | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
@@ -468,7 +448,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 | process.name | Process name. Sometimes called program name or similar. | keyword |
 | process.name.text | Multi-field of `process.name`. | match_only_text |
 | process.pid | Process id. | long |
-| process.start | | date |
+| process.start | The time the process started. | date |
 | process.user.name | Short name or login of the user. | keyword |
 | process.user.name.text | Multi-field of `process.user.name`. | match_only_text |
 | script.current_duration | Scanner Script Duration. | float |
@@ -489,7 +469,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 ### Endpoint Hard Drive Information
-The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.
+The TYCHON script scans an endpoint's Hard Drive Configurations and returns information.
 **Exported fields**
 **Exported fields**
@@ -534,11 +514,11 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 | elastic_agent.id | Elastic Agent Id. | keyword |
 | elastic_agent.snapshot | Elastic Agent snapshot. | boolean |
 | elastic_agent.version | Elastic Agent Version. | keyword |
-| error.message | | match_only_text |
+| error.message | Error message. | match_only_text |
 | event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.ingested | | date |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
 | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
@@ -589,7 +569,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 ### Endpoint Hardware Information
-The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.
+The TYCHON script scans an endpoint's Hardware Configurations and returns information.
 **Exported fields**
 **Exported fields**
@@ -617,11 +597,11 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 | elastic_agent.id | Elastic Agent Id. | keyword |
 | elastic_agent.snapshot | Elastic Agent snapshot. | boolean |
 | elastic_agent.version | Elastic Agent Version. | keyword |
-| error.message | | match_only_text |
+| error.message | Error message. | match_only_text |
 | event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.ingested | | date |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
 | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
@@ -672,7 +652,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 ### Endpoint Host OS Information
-The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.
+The TYCHON script scans an endpoint's OS Configurations and returns information.
 **Exported fields**
 **Exported fields**
@@ -687,6 +667,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 | elastic_agent.id | Elastic Agent Id. | keyword |
 | elastic_agent.snapshot | Elastic Agent snapshot. | boolean |
 | elastic_agent.version | Elastic Agent Version. | keyword |
+| error.message | Error message. | match_only_text |
 | event.deviceguard.basevirtualizationsupport.available | | boolean |
 | event.deviceguard.credentialguard.enabled | | boolean |
 | event.deviceguard.credentialguard.running | | boolean |
@@ -702,6 +683,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 | event.deviceguard.usermodecodeintegrity.policyenforcement | | keyword |
 | event.deviceguard.version | | keyword |
 | event.deviceguard.virtualizationbasedsecurity.status | | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.ufi.enabled | | boolean |
 | host.architecture | Operating system architecture. | keyword |
 | host.biossn | Host BIOS Serial Number. | keyword |
@@ -764,7 +746,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 ### Endpoint Network Adapters Information
-The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.
+The TYCHON script scans an endpoint's Network Adapter Configurations and returns information.
 **Exported fields**
 **Exported fields**
@@ -779,9 +761,9 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 | elastic_agent.id | Elastic Agent Id. | keyword |
 | elastic_agent.snapshot | Elastic Agent snapshot. | boolean |
 | elastic_agent.version | Elastic Agent Version. | keyword |
-| error.message | | match_only_text |
+| error.message | Error message. | match_only_text |
 | event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
-| event.ingested | | date |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | host.adapter.alias | | keyword |
 | host.adapter.description | | text |
 | host.adapter.dhcp.enabled | | boolean |
@@ -851,7 +833,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 ### Endpoint Software Inventory Information
-The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.
+The TYCHON script scans an endpoint's Software Inventory and returns information.
 **Exported fields**
 **Exported fields**
@@ -871,11 +853,11 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X
 | elastic_agent.id | Elastic Agent Id. | keyword |
 | elastic_agent.snapshot | Elastic Agent snapshot. | boolean |
 | elastic_agent.version | Elastic Agent Version. | keyword |
-| error.message | | match_only_text |
+| error.message | Error message. | match_only_text |
 | event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.ingested | | date |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
 | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
@@ -1059,7 +1041,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X ### Endpoint Volume Information -The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information. +The TYCHON script scans an endpoint's Volume Configurations and returns information. **Exported fields** **Exported fields** 
@@ -1079,11 +1061,11 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X | elastic_agent.id | Elastic Agent Id. | keyword | | elastic_agent.snapshot | Elastic Agent snapshot. | boolean | | elastic_agent.version | Elastic Agent Version. | keyword | -| error.message | | match_only_text | +| error.message | Error message. | match_only_text | | event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.ingested | | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | 
diff --git a/packages/tychon/elasticsearch/transform/cve_linux/fields/agent.yml b/packages/tychon/elasticsearch/transform/cve_linux/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/fields/agent.yml 
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/cve_linux/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/cve_linux/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
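Review bot: In the `hardware.cpu` subgroup at the end of this hunk, `manufacturer`, `owner` and `serial_number` are described as `Host BIOS Manufacturer.`, `Host BIOS Owner.` and `Host BIOS Serial Number.`, which reads as a copy-paste from the `bios` group just above and also duplicates the top-level `host.biossn` description. If these really are CPU attributes the descriptions should read `Host CPU Manufacturer.`, `Host CPU Owner.` and `Host CPU Serial Number.`; if they are BIOS values they belong under `bios`. These descriptions feed the exported-fields tables and Kibana field lists, so an analyst looking for a CPU serial would be pointed at a BIOS value. The same text is added in stig_linux/fields/agent.yml (same blob, 6dd345cff24) and in the `cpu` group of software_inventory_rpm/fields/agent.yml later in this diff.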
+++ b/packages/tychon/elasticsearch/transform/cve_linux/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/cve_linux/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve_linux/fields/ecs.yml new file mode 100644 index 00000000000..31ba2470b1f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/fields/ecs.yml 
@@ -0,0 +1,64 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: vulnerability.category +- external: ecs + name: vulnerability.classification +- external: ecs + name: vulnerability.description +- external: ecs + name: vulnerability.enumeration +- external: ecs + name: vulnerability.id +- external: ecs + name: vulnerability.reference +- external: ecs + name: vulnerability.scanner.vendor +- external: ecs + name: vulnerability.score.version +- external: ecs + name: vulnerability.severity diff --git a/packages/tychon/elasticsearch/transform/cve_linux/fields/fields.yml b/packages/tychon/elasticsearch/transform/cve_linux/fields/fields.yml new file mode 100644 index 00000000000..e5104b41dff --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/fields/fields.yml 
@@ -0,0 +1,70 @@ +- name: id + description: Tychon Unique Vulnerability Id. + type: keyword +- name: vulnerability + type: group + fields: + - name: definition + description: National Vulnerability Database Vulnerability Definition. + type: keyword + - name: due_date + description: Vulnerability Due Date. + type: date + format: "strict_date_optional_time||epoch_millis||date||\"MM/dd/yyyy\"" + - name: due_date_reason + description: Vulnerability Due Date Reason + type: keyword + - name: iava + description: Information Assurance Vulneraiblity Alert Identifier. + type: keyword + - name: iava_severity + description: Information Assurance Vulnerability Alert Severity. + type: keyword + - name: result + description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. + type: keyword + - name: score.base + description: National Vulnerability Database Score of the Vulnerabilty. + type: float + - name: title + description: Common Vulnerabilities and Exposures Description and Title. + type: keyword + - name: version + description: Version Number of the Scan. + type: keyword + - name: year + description: Common Vulnerabilities and Exposures Year. + type: long +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword 
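Review bot: The `vulnerability.due_date` format `strict_date_optional_time||epoch_millis||date||\"MM/dd/yyyy\"` embeds literal double quotes in the last pattern; custom date patterns take no quoting, so the quotes are most likely treated as literal characters and a value such as `04/15/2024` would fall through to the other three formats and fail to parse, rejecting the document. Consider `format: strict_date_optional_time||epoch_millis||date||MM/dd/yyyy` and verify against a sample record. Two descriptions carry typos: `Information Assurance Vulneraiblity Alert Identifier.` should read `Information Assurance Vulnerability Alert Identifier.`, and `National Vulnerability Database Score of the Vulnerabilty.` should end `of the Vulnerability.`. The `due_date_reason` description `Vulnerability Due Date Reason` also lacks the trailing period used by the rest of the file.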
diff --git a/packages/tychon/elasticsearch/transform/cve_linux/manifest.yml b/packages/tychon/elasticsearch/transform/cve_linux/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/cve_linux/transform.yml b/packages/tychon/elasticsearch/transform/cve_linux/transform.yml new file mode 100644 index 00000000000..ec804d02a8e --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_cve-* + query: + bool: + must: + - match_phrase: + host.os.type: "linux" + - match_phrase: + event.kind: "state" +dest: + index: tychon_cve-linux +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.6 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what LINUX based vulnerablility results are from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/network_adapter/transform.yml b/packages/tychon/elasticsearch/transform/network_adapter/transform.yml index d9649922621..71e2648cddd 100644 --- a/packages/tychon/elasticsearch/transform/network_adapter/transform.yml +++ b/packages/tychon/elasticsearch/transform/network_adapter/transform.yml @@ -1,6 +1,13 @@ source: index: - logs-tychon.tychon_networkadapter-* + query: + bool: + must: + - exists: + field: "host.adapter.ip" + - match_phrase: + event.kind: "state" dest: index: tychon_networkadapter frequency: 30m 
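Review bot: `date_detection: true` together with `dynamic: true` in the destination template means the first document whose undeclared string field happens to look like a date pins that field as `date`, and any later document carrying a non-date string for it would fail to index and can stall the transform. The date fields this transform relies on are already mapped explicitly in the fields/ directory, so `date_detection: false` is the safer default unless dynamically detected dates are intended; if they are, a one-line comment above the key saying why would help the next maintainer. The identical manifest (blob d2b4a81ca3c) is added for software_inventory_rpm and stig_linux in this diff.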
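Review bot: The `description` value misspells "vulnerability" as `vulnerablility`, and this string is user-visible in the transform listing; `description: This transformation ensures there is a running configuration of what LINUX based vulnerability results are from TYCHON.` `fleet_transform_version` starts at `1.0.6` for this brand-new transform while the other transforms added in this diff start at `1.0.5`; if these are meant to move together, align them.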
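Review bot: The new `exists: host.adapter.ip` clause excludes adapter state documents that carry no IP address, so with `latest` keyed on `id` (visible in the next hunk) an adapter that later loses its address — disabled, unplugged, or moved to a non-IP binding — stops refreshing the destination and its last IP-bearing record stays in `tychon_networkadapter` looking current. For an asset-inventory index that is a silent staleness source. If the filter is intentional, a comment above it such as `# only adapters with an assigned IP are tracked; records of adapters that lose their IP are not refreshed` would record that; otherwise drop the `exists` clause and filter on `host.adapter.ip` at query time.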
@@ -13,7 +20,7 @@ latest: - id sort: '@timestamp' _meta: - fleet_transform_version: 1.0.3 + fleet_transform_version: 1.0.5 run_as_kibana_system: false managed: true description: This transformation ensures there is a running configuration of endpoint Network Adapter Card information from TYCHON endpoints. diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/agent.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/agent.yml new file mode 100644 index 00000000000..2f024c089ab --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/agent.yml 
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/ecs.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/ecs.yml new file mode 100644 index 00000000000..c56cb240566 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/ecs.yml 
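Review bot: `host.ipv4` is mapped as `ip` while `host.ipv6` in the same `host` group (which begins on the previous physical line of this hunk) is `keyword`, and both fields are `keyword` in the cve_linux and stig_linux agent.yml files earlier in this diff. The `ip` type handles IPv6 addresses as well, so mapping `ipv6` as `type: ip` here and aligning the other two files gives consistent CIDR and range filtering across the destination indices. If the scanner can emit non-address strings in these fields (interface names, blanks), `ip`-typed documents would fail to index without `ignore_malformed: true`, so check that against sample data before changing the type.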
@@ -0,0 +1,87 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: package.architecture +- external: ecs + name: package.description +- external: ecs + name: package.installed + ignore_malformed: true +- external: ecs + name: package.name +- external: ecs + name: package.path +- external: ecs + name: package.size +- external: ecs + name: package.type +- external: ecs + name: package.version +- external: ecs + name: tags +- name: error.message + type: match_only_text +- name: event.ingested + type: date diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/fields.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/fields.yml new file mode 100644 index 00000000000..fec6c53f2e3 --- /dev/null 
+++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/fields.yml @@ -0,0 +1,16 @@ +- name: package.uninstall + type: text +- name: package.cpe + type: keyword +- name: package.id + type: keyword +- name: package.publisher + type: keyword +- name: package.version_build + type: integer +- name: package.version_major + type: integer +- name: package.version_minor + type: integer +- name: package.version_release + type: integer diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/manifest.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/transform.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/transform.yml new file mode 100644 index 00000000000..ceef8eeaae3 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_softwareinventory-* + query: + bool: + must: + - match_phrase: + package.type: "rpm" + - match_phrase: + event.kind: "state" +dest: + index: tychon_softwareinventory-rpm +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.5 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what ports are currently open an endpoint from TYCHON. 
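Review bot: `package.version_build`, `package.version_major`, `package.version_minor` and `package.version_release` are mapped as `integer`, but RPM version and release components are frequently non-numeric (a release such as `1.el8`, a version such as `2.4.0a`), and an `integer` field that receives such a string rejects the whole document and can stall the transform, leaving the software inventory incomplete. Unless the scanner guarantees purely numeric parts, map them as `keyword` or add `ignore_malformed: true` to each. `package.uninstall` is the only `text` field in the file; if it is a command string that is only displayed, `keyword` with `ignore_above` matches the rest of the package mappings.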
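Review bot: The `description` for this new software-inventory transform reads `...what ports are currently open an endpoint from TYCHON.`, which was evidently carried over from a ports transform and does not describe what the transform does (RPM packages from `logs-tychon.tychon_softwareinventory-*` where `package.type` is `rpm`). A fitting line is `description: This transformation ensures there is a running configuration of RPM software inventory from TYCHON endpoints.`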
diff --git a/packages/tychon/elasticsearch/transform/stig_linux/fields/agent.yml b/packages/tychon/elasticsearch/transform/stig_linux/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/stig_linux/fields/agent.yml 
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/stig_linux/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/stig_linux/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
+++ b/packages/tychon/elasticsearch/transform/stig_linux/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/stig_linux/fields/ecs.yml b/packages/tychon/elasticsearch/transform/stig_linux/fields/ecs.yml new file mode 100644 index 00000000000..7329d8fd21c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/stig_linux/fields/ecs.yml 
@@ -0,0 +1,54 @@ +- external: ecs + name: package.description +- external: ecs + name: package.name +- external: ecs + name: package.reference +- external: ecs + name: package.type +- external: ecs + name: package.build_version +- external: ecs + name: rule.name +- external: ecs + name: event.kind +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: event.ingested +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.dataset +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform diff --git a/packages/tychon/elasticsearch/transform/stig_linux/fields/fields.yml b/packages/tychon/elasticsearch/transform/stig_linux/fields/fields.yml new file mode 100644 index 00000000000..864e77b3f8f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/stig_linux/fields/fields.yml 
@@ -0,0 +1,126 @@
+- name: id
+ description: Tychon Unique Stig Id.
+ type: keyword
+- name: benchmark
+ type: group
+ fields:
+ - name: guid
+ description: Benchmark GUID.
+ type: keyword
+ - name: generated_utc
+ description: Benchmark UTC.
+ type: keyword
+ - name: hash
+ description: Benchmark SHA256 Hash
+ type: keyword
+ - name: name
+ description: Benchmark Name.
+ type: keyword
+ - name: title
+ description: Benchmark Title.
+ type: keyword
+ - name: version
+ description: Benchmark Version.
+ type: keyword
+ - name: list
+ description: Benchmark Summary Name List.
+ type: keyword
+ - name: count
+ description: Benchmark Summary Name List Item Count.
+ type: long
+- name: oval
+ type: group
+ fields:
+ - name: id
+ description: Open Vulnerabilities and Assessment Language Identifier.
+ type: keyword
+ - name: class
+ description: Open Vulnerabilities and Assessment Language Class.
+ type: keyword
+ - name: refid
+ description: Open Vulnerabilities and Assessment Language Rule Reference Identifier.
+ type: keyword
+- name: rule
+ type: group
+ fields:
+ - name: id
+ description: Benchmark Rule Identifier.
+ type: keyword
+ - name: finding_id
+ description: Benchmark Rule Finding Identifier.
+ type: keyword
+ - name: result
+ description: Benchmark Rule Results.
+ type: keyword
+ - name: severity
+ description: Benchmark Severity Status.
+ type: keyword
+ - name: stig_id
+ description: Stig rule id
+ type: keyword
+ - name: title
+ description: Benchmark Rule Title.
+ type: keyword
+ - name: vulnerability_id
+ description: Rule vulnerability id.
+ type: keyword
+ - name: weight
+ description: Benchmark Rule Weight.
+ type: float
+ - name: benchmark
+ type: group
+ fields:
+ - name: guid
+ description: Benchmark Rule GUID.
+ type: keyword
+ - name: profile.id
+ description: Benchmark Rule Profile Identifier.
+ type: keyword
+ - name: title
+ description: Benchmark Rule Title.
+ type: keyword
+ - name: oval
+ type: group
+ fields:
+ - name: id
+ description: Open Vulnerabilities and Assessment Language Identifier.
+ type: keyword
+ - name: class
+ description: Open Vulnerabilities and Assessment Language Class.
+ type: keyword
+ - name: refid
+ description: Open Vulnerabilities and Assessment Language Reference Identifier.
+ type: keyword
+- name: script
+ type: group
+ fields:
+ - name: current_duration
+ description: Scanner Script Duration.
+ type: long
+ - name: current_time
+ description: Current datetime.
+ type: date
+ - name: name
+ description: Scanner Script Name.
+ type: keyword
+ - name: start
+ description: Scanner Start datetime.
+ type: date
+ - name: type
+ description: Scanner Script Type.
+ type: keyword
+ - name: version
+ description: Scanner Script Version.
+ type: keyword
+- name: elastic_agent
+ type: group
+ fields:
+ - name: id
+ description: Elastic Agent Id.
+ type: keyword
+ - name: snapshot
+ description: Elastic Agent snapshot.
+ type: boolean
+ - name: version
+ description: Elastic Agent Version.
+ type: keyword
diff --git a/packages/tychon/elasticsearch/transform/stig_linux/manifest.yml b/packages/tychon/elasticsearch/transform/stig_linux/manifest.yml
new file mode 100644
index 00000000000..d2b4a81ca3c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig_linux/manifest.yml
@@ -0,0 +1,12 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ _meta: {}
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
diff --git a/packages/tychon/elasticsearch/transform/stig_linux/transform.yml b/packages/tychon/elasticsearch/transform/stig_linux/transform.yml
new file mode 100644
index 00000000000..fa423d73d67
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig_linux/transform.yml
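Review bot: `benchmark.generated_utc` is described as "Benchmark UTC." yet mapped as `keyword`, while the other timestamps in this file (`script.current_time`, `script.start`) are `type: date`; if the value is an actual timestamp, mapping it as `date` is what makes range filtering on it possible, so either change the type or say in the description that it is deliberately kept as a string. Two descriptions also drop the trailing period used everywhere else in the file: `description: Benchmark SHA256 Hash` and `description: Stig rule id` should read `description: Benchmark SHA256 Hash.` and `description: STIG rule id.`.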
@@ -0,0 +1,26 @@
+source:
+ index:
+ - logs-tychon.tychon_stig-*
+ query:
+ bool:
+ must:
+ - match_phrase:
+ host.os.type: "linux"
+ - match_phrase:
+ event.kind: "state"
+dest:
+ index: tychon_stig-linux
+frequency: 30m
+sync:
+ time:
+ field: 'event.ingested'
+ delay: 60s
+latest:
+ unique_key:
+ - id
+ sort: '@timestamp'
+_meta:
+ fleet_transform_version: 1.0.5
+ run_as_kibana_system: false
+ managed: true
+description: This transformation ensures there is a running configuration of what Windows STIG SCAP results are from TYCHON.
diff --git a/packages/tychon/kibana/security_rule/07dc1be0-4270-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/07dc1be0-4270-11ee-83e4-c92ed141b9e5_1.json
deleted file mode 100644
index 521485625af..00000000000
--- a/packages/tychon/kibana/security_rule/07dc1be0-4270-11ee-83e4-c92ed141b9e5_1.json
+++ /dev/null
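Review bot: The `description` on the last line of the hunk says "Windows STIG SCAP results", but this transform filters on `host.os.type: "linux"` and writes to `tychon_stig-linux`, so the text looks copied from a Windows transform and will mislead anyone reading the transform list. It should read `description: This transformation ensures there is a running configuration of what Linux STIG SCAP results are from TYCHON.`. The `latest` step also deduplicates on `id` alone, which only keeps one row per host and rule if `id` is unique at that granularity as the "Tychon Unique Stig Id." description in fields.yml suggests; worth confirming, since a per-host-only id would collapse all rules of a host into a single document.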
@@ -1,48 +0,0 @@ -{ - "id": "07dc1be0-4270-11ee-83e4-c92ed141b9e5_1", - "name": "Weak WIFI Authentication in use", - "tags": [], - "interval": "5m", - "enabled": true, - "description": "An endpoint has reported it is connected to a WIFI SSID using a weak Authentication method.", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "bdf083c5-63cb-41ae-bb7a-563cc4e8719f", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "reference": "https://attack.mitre.org/tactics/TA0005", - "name": "Defense Evasion" - }, - "technique": [] - } - ], - "to": "now", - "references": [ - "https://www.techtarget.com/searchnetworking/feature/Wireless-encryption-basics-Understanding-WEP-WPA-and-WPA2" - ], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "e886429e-9532-4f44-bb36-6465fe760866", - "query": "host.adapter.wifi.authentication : \"WEP\" or host.adapter.wifi.authentication : \"WPA\" or host.adapter.wifi.authentication : \"WPA-Personal\" or host.adapter.wifi.authentication : \"WPA-Enterprise\"", - "filters": [], - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/10359860-1139-11ee-af86-538da1394f27_1.json b/packages/tychon/kibana/security_rule/10359860-1139-11ee-af86-538da1394f27_1.json deleted file mode 100644 index 13fc38ee5ad..00000000000 --- a/packages/tychon/kibana/security_rule/10359860-1139-11ee-af86-538da1394f27_1.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "id": "10359860-1139-11ee-af86-538da1394f27_1", - "type": "security-rule", - "attributes": { - "name": "CAT 1 IAVA Vulnerability Detected", - "tags": [ - "TYCHON", - "CVE", - "CCRI" - ], - "interval": "5m", - "enabled": true, - "description": "A category one IAVA has been detected as being vulnerable", - "risk_score": 90, - "severity": "high", - "note": "Investigator should work to patch this system for this IAVA as quickly as possible.", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "10359860-1139-11ee-af86-538da1394f27", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "reference": "https://attack.mitre.org/tactics/TA0001", - "name": "Initial Access" - }, - "technique": [] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "78931842-dc88-45d7-a6ee-d79fb9f615bd", - "query": "vulnerability.iava_severity : \"CAT I\" and vulnerability.result : \"fail\" ", - "filters": [], - "throttle": "no_actions", - "actions": [] - } -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/11481830-426d-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/11481830-426d-11ee-83e4-c92ed141b9e5_1.json deleted file mode 100644 index 26c1c35adee..00000000000 --- a/packages/tychon/kibana/security_rule/11481830-426d-11ee-83e4-c92ed141b9e5_1.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "id": "11481830-426d-11ee-83e4-c92ed141b9e5_1", - "name": "Large number of failed Vulnerabilities ", - "tags": [ - "CVE", - "TYCHON" - ], - "interval": "1h", - "enabled": true, - "description": "This endpoint has been determined to have a high number of total vulnerabilities failed, this can indicate an extremely exposed endpoint.", - "risk_score": 73, - "severity": "high", - "note": "Due to the high number of failed CVE checks, it is recommended that the security administrator quarantine this system immediately and bring the machine up to date with all patches. ", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-3900s", - "rule_id": "5be38411-3902-4686-8209-1ab75a6d3847", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "reference": "https://attack.mitre.org/tactics/TA0001", - "name": "Initial Access" - }, - "technique": [] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "threshold", - "language": "kuery", - "data_view_id": "78931842-dc88-45d7-a6ee-d79fb9f615bd", - "query": "vulnerability.result : \"fail\" ", - "filters": [], - "threshold": { - "field": [ - "tychon.id" - ], - "value": 30, - "cardinality": [] - }, - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/17a4a660-4111-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/17a4a660-4111-11ee-83e4-c92ed141b9e5_1.json deleted file mode 100644 index 95c753db703..00000000000 --- a/packages/tychon/kibana/security_rule/17a4a660-4111-11ee-83e4-c92ed141b9e5_1.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "id": "17a4a660-4111-11ee-83e4-c92ed141b9e5_1", - "name": "Past Due Vulnerability Failed", - "tags": [ - "TYCHON", - "CVE", - "CCRI" - ], - "interval": "5m", - "enabled": true, - "description": "TYCHON tracks when vulnerabilities are past expiration to ensure systems are patched before exploits are released or to reduce the attack surface of the endpoint. Due dates are generated from 3 rules:\n1. CISA - Exact CISA Due Date\n2. IAVA - 18 Days from when TYCHON records an IAVA is released\n3. NVD - If a Vulnerability is marked as critical, the due date is generated as 30 days after its release.", - "risk_score": 99, - "severity": "critical", - "note": "Analysts should quarantine hosts that have out-of-date vulnerabilities, these are normally weaknesses that have active exploits in the wild. ", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "beeea32f-31ba-4be8-9e2c-14de47280aac", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "reference": "https://attack.mitre.org/tactics/TA0001", - "name": "Initial Access" - }, - "technique": [] - } - ], - "to": "now", - "references": [ - "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" - ], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "78931842-dc88-45d7-a6ee-d79fb9f615bd", - "query": "vulnerability.result : \"fail\" and vulnerability.due_date < now", - "filters": [], - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/2e5a7e20-1137-11ee-af86-538da1394f27_1.json b/packages/tychon/kibana/security_rule/2e5a7e20-1137-11ee-af86-538da1394f27_1.json deleted file mode 100644 index 24d5cf80b8f..00000000000 
--- a/packages/tychon/kibana/security_rule/2e5a7e20-1137-11ee-af86-538da1394f27_1.json +++ /dev/null 
@@ -1,61 +0,0 @@ -{ - "id": "2e5a7e20-1137-11ee-af86-538da1394f27_1", - "type": "security-rule", - "attributes": { - "name": "Windows Defender Feature Reported as Disabled", - "tags": [ - "TYCHON", - "EPP", - "CCRI" - ], - "interval": "5m", - "enabled": true, - "description": "A Feature in Windows Defender has been set to disabled in the latest report from the TYCHON Agentless Module", - "risk_score": 60, - "severity": "medium", - "note": "Analysts should look into the history of this endpoint to figure out when the feature was disabled and work to re-enable the feature.", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "2e5a7e20-1137-11ee-af86-538da1394f27", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0005", - "reference": "https://attack.mitre.org/tactics/TA0005", - "name": "Defense Evasion" - }, - "technique": [ - { - "id": "T1089", - "reference": "https://attack.mitre.org/techniques/T1089", - "name": "Disabling Security Tools", - "subtechnique": [] - } - ] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", - "query": "windows_defender.service.antimalware.status : \"Disabled\" or windows_defender.service.antispyware.status :\"Disabled\" or windows_defender.service.antivirus.status : \"Disabled\" or windows_defender.service.behavior_monitor.status : \"Disabled\" or windows_defender.service.ioav_protection.status : \"Disabled\" or windows_defender.service.nis.status : \"Disabled\" or windows_defender.service.on_access_protection.status : \"Disabled\" or windows_defender.service.real_time_protection.status : \"Disabled\" ", - "filters": [], - "throttle": "no_actions", - 
"actions": [] - } -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/2e9c9ac0-1138-11ee-af86-538da1394f27_1.json b/packages/tychon/kibana/security_rule/2e9c9ac0-1138-11ee-af86-538da1394f27_1.json deleted file mode 100644 index 64926bf7e5a..00000000000 --- a/packages/tychon/kibana/security_rule/2e9c9ac0-1138-11ee-af86-538da1394f27_1.json +++ /dev/null @@ -1,54 +0,0 @@ -{ - "id": "2e9c9ac0-1138-11ee-af86-538da1394f27_1", - "type": "security-rule", - "attributes": { - "name": "Critical Vulnerability Failed", - "tags": [ - "TYCHON", - "CCRI", - "CVE" - ], - "interval": "5m", - "enabled": true, - "description": "A vulnerability that has been categorized as Critical by NVD has been reported as failed.", - "risk_score": 90, - "severity": "high", - "note": "Investigators should get systems with critical vulnerabilities patched and ensure mitigations are in place while the system is vulenrable.", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "2e9c9ac0-1138-11ee-af86-538da1394f27", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "reference": "https://attack.mitre.org/tactics/TA0001", - "name": "Initial Access" - }, - "technique": [] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "78931842-dc88-45d7-a6ee-d79fb9f615bd", - "query": "vulnerability.severity :\"CRITICAL\" and vulnerability.result : \"fail\" ", - "filters": [], - "throttle": "no_actions", - "actions": [] - } -} \ No newline at end of file 
diff --git a/packages/tychon/kibana/security_rule/38a72d20-426e-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/38a72d20-426e-11ee-83e4-c92ed141b9e5_1.json deleted file mode 100644 index 39c855a4d7b..00000000000 --- a/packages/tychon/kibana/security_rule/38a72d20-426e-11ee-83e4-c92ed141b9e5_1.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "id": "38a72d20-426e-11ee-83e4-c92ed141b9e5_1", - "name": "TPM Compliance Failed", - "tags": [ - "TYCHON", - "STIG" - ], - "interval": "5m", - "enabled": true, - "description": "This host has been determined by TYCHON to be non-compliant with the Trusted Platform Module (TPM), this is due to it being not present or at the wrong version.", - "risk_score": 47, - "severity": "medium", - "note": "Enable TPM 2.0 on this machine, if it is unable to be enabled because the host does not support it, determine the risk and take appropriate measures.", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "6d34f6dc-4a36-46cd-a4bb-ea2f1a01ab8a", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "reference": "https://attack.mitre.org/tactics/TA0006", - "name": "Credential Access" - }, - "technique": [] - } - ], - "to": "now", - "references": [ - "https://support.microsoft.com/en-us/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c" - ], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "9267bb1b-cf22-4417-8cfb-6606848140a7", - "query": "host.tpm.compliant : false ", - "filters": [], - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file 
diff --git a/packages/tychon/kibana/security_rule/3a1028a0-4292-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/3a1028a0-4292-11ee-83e4-c92ed141b9e5_1.json deleted file mode 100644 index 7d379786d15..00000000000 --- a/packages/tychon/kibana/security_rule/3a1028a0-4292-11ee-83e4-c92ed141b9e5_1.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "id": "3a1028a0-4292-11ee-83e4-c92ed141b9e5_1", - "name": "TYCHON Benchmark SCAP Definition File Out of Date", - "tags": [ - "TYCHON", - "SCAP" - ], - "interval": "24h", - "enabled": true, - "description": "TYCHON updates its SCAP definitions daily and should be no more than 120 days old to ensure you are working from the most up-to-date requirements and settings. ", - "risk_score": 47, - "severity": "medium", - "note": "TYCHON Definitions are updated daily, check the local host logs and see if there are issues with TYCHON definitions updating. You can obtain the latest version from the TYCHON support site.\n\nhttps://support.tychon.io", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-86460s", - "rule_id": "6040cb5c-5e01-4f4d-af7f-9ca9c11dbdc7", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [ - "https://support.tychon.io" - ], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "9267bb1b-cf22-4417-8cfb-6606848140a7", - "query": "tychon.definition.stig < \"now-120d\"", - "filters": [], - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/75197a50-428d-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/75197a50-428d-11ee-83e4-c92ed141b9e5_1.json deleted file mode 100644 index d77553fc873..00000000000 
--- a/packages/tychon/kibana/security_rule/75197a50-428d-11ee-83e4-c92ed141b9e5_1.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "id": "75197a50-428d-11ee-83e4-c92ed141b9e5_1", - "name": "TYCHON Vulnerability Definitions Out of Date", - "tags": [ - "TYCHON", - "CVE" - ], - "interval": "5m", - "enabled": true, - "description": "TYCHON updates its definitions daily for vulnerability checks, if systems are too far out of date you are not getting the results for the most recent vulnerabilities further affecting your attack surface.", - "risk_score": 73, - "severity": "high", - "note": "Review the endpoint event logs and determine why TYCHON definitions are not being updated and pushed. Ensure you have downloaded the latest definition installers from the TYCHON support site.\n\nhttps://support.tychon.io", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "c40eaba1-7507-4fe7-aae5-78e59cd7b8f2", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [ - "https://support.tychon.io" - ], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "9267bb1b-cf22-4417-8cfb-6606848140a7", - "query": "tychon.definition.oval < \"now-30d\"", - "filters": [], - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/867e3450-1139-11ee-af86-538da1394f27_1.json b/packages/tychon/kibana/security_rule/867e3450-1139-11ee-af86-538da1394f27_1.json deleted file mode 100644 index 5e2befb15ae..00000000000 --- a/packages/tychon/kibana/security_rule/867e3450-1139-11ee-af86-538da1394f27_1.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "id": "867e3450-1139-11ee-af86-538da1394f27_1", - "type": "security-rule", - "attributes": { - "name": "High STIG/SCAP Check Failed", - "tags": [ - "TYCHON", - "CCRI", - "SCAP" - ], - "interval": "5m", - "enabled": true, - "description": "A High Severity STIG/SCAP Check failed on an endpoint.", - "risk_score": 60, - "severity": "medium", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "867e3450-1139-11ee-af86-538da1394f27", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "reference": "https://attack.mitre.org/tactics/TA0001", - "name": "Initial Access" - }, - "technique": [] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", - "query": "rule.result : \"fail\" and rule.severity : \"high\" ", - "filters": [], - "throttle": "no_actions", - "actions": [] - } -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/934a39a0-1138-11ee-af86-538da1394f27_1.json b/packages/tychon/kibana/security_rule/934a39a0-1138-11ee-af86-538da1394f27_1.json deleted file mode 100644 index d9dafd8ca1c..00000000000 --- a/packages/tychon/kibana/security_rule/934a39a0-1138-11ee-af86-538da1394f27_1.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "id": "934a39a0-1138-11ee-af86-538da1394f27_1", - "type": "security-rule", - "attributes": { - "name": "High Vulnerability Failed", - "tags": [ - "TYCHON", - "CVE", - "CCRI" - ], - "interval": "5m", - "enabled": true, - "description": "A host with a high-severity CVE was flagged as being vulnerable.", - "risk_score": 60, - "severity": "medium", - "note": "Investigator should work to resolve this patch and keep a close monitor on this endpoint.", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "934a39a0-1138-11ee-af86-538da1394f27", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT\u0026CK", - "tactic": { - "id": "TA0001", - "reference": "https://attack.mitre.org/tactics/TA0001", - "name": "Initial Access" - }, - "technique": [] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "78931842-dc88-45d7-a6ee-d79fb9f615bd", - "query": "vulnerability.severity :\"HIGH\" and vulnerability.result : \"fail\" ", - "filters": [], - "throttle": "no_actions", - "actions": [] - } -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/afdf3de0-4289-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/afdf3de0-4289-11ee-83e4-c92ed141b9e5_1.json deleted file mode 100644 index e0f44eec534..00000000000 --- a/packages/tychon/kibana/security_rule/afdf3de0-4289-11ee-83e4-c92ed141b9e5_1.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "id": "afdf3de0-4289-11ee-83e4-c92ed141b9e5_1", - "name": "New Device Discovered", - "tags": [ - "TYCHON", - "ARP" - ], - "interval": "8h", - "enabled": false, - "description": "TYCHON pulls the ARP tables from endpoints, when new devices are found they should be investigated and validated.", - "risk_score": 21, - "severity": "low", - "note": "New devices come online and offline constantly, the MAC address should be investigated and resolved.", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-32400s", - "rule_id": "55faa99b-ce17-4a41-9f63-4a7439e3543a", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "reference": "https://attack.mitre.org/tactics/TA0007", - "name": "Discovery" - }, - "technique": [] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "new_terms", - "query": "not destination.mac : \"ff-ff-ff-ff-ff-ff\" ", - "new_terms_fields": [ - "destination.mac" - ], - "history_window_start": "now-7d", - "filters": [], - "language": "kuery", - "data_view_id": "8532a0b4-2a02-4dfa-b6aa-aabe01125b61", - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/b85c2ad0-427c-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/b85c2ad0-427c-11ee-83e4-c92ed141b9e5_1.json deleted file mode 100644 index d1f291155f6..00000000000 --- a/packages/tychon/kibana/security_rule/b85c2ad0-427c-11ee-83e4-c92ed141b9e5_1.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "id": "b85c2ad0-427c-11ee-83e4-c92ed141b9e5_1", - "name": "High number of SCAP Failures", - "tags": [ - "TYCHON", - "CCRI" - ], - "interval": "1h", - "enabled": true, - "description": "TYCHON has reported a high number of SCAP failures for an endpoint. This can indicate a very weak security posture for an endpoint.", - "risk_score": 47, - "severity": "medium", - "note": "The system may need to be isolated. Investigate the SCAP results for this system and perform fixes for all High and Medium checks. ", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-3660s", - "rule_id": "2140f083-6e39-4df4-ba41-aa1f41cb81b8", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "reference": "https://attack.mitre.org/tactics/TA0007", - "name": "Discovery" - }, - "technique": [] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "threshold", - "language": "kuery", - "data_view_id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", - "query": "rule.result : \"fail\" and not rule.severity : \"low\" ", - "filters": [], - "threshold": { - "field": [ - "tychon.id" - ], - "value": 20, - "cardinality": [] - }, - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/cb5715c0-426b-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/cb5715c0-426b-11ee-83e4-c92ed141b9e5_1.json deleted file mode 100644 index 65864f9665a..00000000000 --- a/packages/tychon/kibana/security_rule/cb5715c0-426b-11ee-83e4-c92ed141b9e5_1.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "id": "cb5715c0-426b-11ee-83e4-c92ed141b9e5_1", - "name": "Endpoint Security Definitions are Out of Date", - "tags": [ - "EPP", - "TYCHON" - ], - "interval": "5m", - "enabled": true, - "description": "TYCHON has reported that the registered endpoint protection platform is out of date and needs to be updated.", - "risk_score": 73, - "severity": "high", - "note": "Depending on the Endpoint Protection Vendor, you will need to push new updated to this endpoint. See the vendor's user guides to determine how to install the most recent AV updates.", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "6839b82b-22bf-418f-a86b-7e7a4cd074d7", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "reference": "https://attack.mitre.org/tactics/TA0005", - "name": "Defense Evasion" - }, - "technique": [] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "9267bb1b-cf22-4417-8cfb-6606848140a7", - "query": "host.security.antivirus.status : *OutOfDate*", - "filters": [], - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/edcdabf0-4275-11ee-83e4-c92ed141b9e5_1.json b/packages/tychon/kibana/security_rule/edcdabf0-4275-11ee-83e4-c92ed141b9e5_1.json deleted file mode 100644 index e2aa75c2a01..00000000000 --- a/packages/tychon/kibana/security_rule/edcdabf0-4275-11ee-83e4-c92ed141b9e5_1.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "id": "edcdabf0-4275-11ee-83e4-c92ed141b9e5_1", - "name": "System Volume Mounted to Drive", - "tags": [ - "TYCHON", - "Volume" - ], - "interval": "5m", - "enabled": true, - "description": "TYCHON has reported that the system volume has been mounted to a drive letter.", - "risk_score": 47, - "severity": "medium", - "note": "Investigate and determine how the drive was mounted and remove the mount if it was done maliciously.", - "license": "", - "output_index": "", - "author": [ - "TYCHON" - ], - "false_positives": [], - "from": "now-360s", - "rule_id": "d0d735ed-08fe-4393-9aa6-120236995152", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "reference": "https://attack.mitre.org/tactics/TA0004", - "name": "Privilege Escalation" - }, - "technique": [] - } - ], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "related_integrations": [], - "required_fields": [], - "setup": "", - "type": "query", - "language": "kuery", - "data_view_id": "62456a9a-bd4c-4b57-b6b5-5556b6869ce5", - "query": "volume.system_volume : true and not volume.drive.letter : \"\"", - "filters": [], - "throttle": "no_actions", - "actions": [] -} \ No newline at end of file diff --git a/packages/tychon/kibana/tag/026431f0-3de5-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/026431f0-3de5-11ee-9610-15dee918f31a.json deleted file mode 100644 index 5afd9afcbcc..00000000000 --- a/packages/tychon/kibana/tag/026431f0-3de5-11ee-9610-15dee918f31a.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "attributes": { - "color": "#13814a", - "description": "TYCHON reported TCP and UDP ports that are or were open and listening on endpoints.", - "name": "Open Ports" - }, - "coreMigrationVersion": "8.6.2", - "created_at": "2023-08-18T16:33:49.204Z", - "id": "026431f0-3de5-11ee-9610-15dee918f31a", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag", - "updated_at": "2023-08-18T16:33:49.204Z", - "version": "WzY4MDI0OCwxNl0=" -} \ No newline at end of file diff --git a/packages/tychon/kibana/tag/11990b80-41b6-11ee-83e4-c92ed141b9e5.json b/packages/tychon/kibana/tag/11990b80-41b6-11ee-83e4-c92ed141b9e5.json deleted file mode 100644 index 02f1818c36b..00000000000 --- a/packages/tychon/kibana/tag/11990b80-41b6-11ee-83e4-c92ed141b9e5.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "attributes": { - "color": "#9b2767", - "description": "TYCHON capture of Network adapters attached to endpoints.", - "name": "Network Adapter" - }, - "coreMigrationVersion": "8.6.2", - "created_at": "2023-08-23T13:07:53.023Z", - "id": "11990b80-41b6-11ee-83e4-c92ed141b9e5", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag", - "updated_at": "2023-08-23T13:07:53.023Z", - "version": "WzgwNjc5OSwyMl0=" -} \ No newline at end of file diff --git a/packages/tychon/kibana/tag/27edf330-3dfd-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/27edf330-3dfd-11ee-9610-15dee918f31a.json deleted file mode 100644 index 1966387148d..00000000000 --- a/packages/tychon/kibana/tag/27edf330-3dfd-11ee-9610-15dee918f31a.json +++ /dev/null 
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#c30936",
- "description": "TYCHON installed software and apps found on an endpoint.",
- "name": "Applications"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-08-18T19:26:40.105Z",
- "id": "27edf330-3dfd-11ee-9610-15dee918f31a",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-08-18T19:26:40.105Z",
- "version": "WzY4MzIzMiwxNl0="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/39b55820-10f2-11ee-af86-538da1394f27.json b/packages/tychon/kibana/tag/39b55820-10f2-11ee-af86-538da1394f27.json
deleted file mode 100644
index 048fdbea840..00000000000
--- a/packages/tychon/kibana/tag/39b55820-10f2-11ee-af86-538da1394f27.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#2075cf",
- "description": "A Command Cyber Readiness Inspection Report",
- "name": "CCRI"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-06-22T11:45:03.146Z",
- "id": "39b55820-10f2-11ee-af86-538da1394f27",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-06-22T11:45:03.146Z",
- "version": "WzI3Njg3MSwxM10="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/5a3ae0c0-3dbf-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/5a3ae0c0-3dbf-11ee-9610-15dee918f31a.json
deleted file mode 100644
index f42c93f4b85..00000000000
--- a/packages/tychon/kibana/tag/5a3ae0c0-3dbf-11ee-9610-15dee918f31a.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#75899c",
- "description": "This tag indicates a \"Starting Point\" for dashboards that utulize drill downs.",
- "name": "TYCHON Primary View"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-08-18T12:04:15.710Z",
- "id": "5a3ae0c0-3dbf-11ee-9610-15dee918f31a",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-08-18T12:04:15.710Z",
- "version": "WzY3MzY3MCwxNl0="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/7b7ab4c0-3e02-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/7b7ab4c0-3e02-11ee-9610-15dee918f31a.json
deleted file mode 100644
index 0ae58cbedb9..00000000000
--- a/packages/tychon/kibana/tag/7b7ab4c0-3e02-11ee-9610-15dee918f31a.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#154a15",
- "description": "The hardware detected by TYCHON as attached to an endpoint",
- "name": "Hardware"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-08-18T20:04:47.768Z",
- "id": "7b7ab4c0-3e02-11ee-9610-15dee918f31a",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-08-18T20:04:47.768Z",
- "version": "WzY4NDA2NCwxNl0="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/7f851220-3d41-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/7f851220-3d41-11ee-9610-15dee918f31a.json
deleted file mode 100644
index 96242830e19..00000000000
--- a/packages/tychon/kibana/tag/7f851220-3d41-11ee-9610-15dee918f31a.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#85ed08",
- "description": "Hard Drives on Computers",
- "name": "Drives"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-08-17T21:03:21.673Z",
- "id": "7f851220-3d41-11ee-9610-15dee918f31a",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-08-17T21:03:21.673Z",
- "version": "WzY2MTI0MSwxNl0="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/9c222660-1100-11ee-af86-538da1394f27.json b/packages/tychon/kibana/tag/9c222660-1100-11ee-af86-538da1394f27.json
deleted file mode 100644
index 73bff95d68b..00000000000
--- a/packages/tychon/kibana/tag/9c222660-1100-11ee-af86-538da1394f27.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#58b7ff",
- "description": "Vulnerability Information",
- "name": "CVE"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-06-22T13:28:01.234Z",
- "id": "9c222660-1100-11ee-af86-538da1394f27",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-06-22T13:28:01.234Z",
- "version": "WzI4MTM1OSwxM10="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/a3922360-3de6-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/a3922360-3de6-11ee-9610-15dee918f31a.json
deleted file mode 100644
index b95776ef16b..00000000000
--- a/packages/tychon/kibana/tag/a3922360-3de6-11ee-9610-15dee918f31a.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#efe009",
- "description": "The TYCHON Endpoint Browser allows a user to see detailed Endpoint Reported data for a single host.",
- "name": "Endpoint Browser"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-08-18T16:45:29.125Z",
- "id": "a3922360-3de6-11ee-9610-15dee918f31a",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-08-18T16:45:29.125Z",
- "version": "WzY4MDQ3NSwxNl0="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/bae88930-1133-11ee-af86-538da1394f27.json b/packages/tychon/kibana/tag/bae88930-1133-11ee-af86-538da1394f27.json
deleted file mode 100644
index 73f480ee196..00000000000
--- a/packages/tychon/kibana/tag/bae88930-1133-11ee-af86-538da1394f27.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#14d15e",
- "description": "Endpoint Protection Statuses",
- "name": "EPP"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-06-22T19:33:57.192Z",
- "id": "bae88930-1133-11ee-af86-538da1394f27",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-06-22T19:33:57.192Z",
- "version": "WzI4NTA4OSwxM10="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/c957d710-3d4c-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/c957d710-3d4c-11ee-9610-15dee918f31a.json
deleted file mode 100644
index dddf54941d5..00000000000
--- a/packages/tychon/kibana/tag/c957d710-3d4c-11ee-9610-15dee918f31a.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#AA6556",
- "description": "Routing Tables from Systems",
- "name": "ARP"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-08-17T22:24:09.990Z",
- "id": "c957d710-3d4c-11ee-9610-15dee918f31a",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-08-17T22:24:09.990Z",
- "version": "WzY2MzYyNiwxNl0="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/e18d6100-3c85-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/e18d6100-3c85-11ee-9610-15dee918f31a.json
deleted file mode 100644
index 2bee4b97775..00000000000
--- a/packages/tychon/kibana/tag/e18d6100-3c85-11ee-9610-15dee918f31a.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#afaddf",
- "description": "Master Endpoint Record",
- "name": "MER"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-08-16T22:40:20.761Z",
- "id": "e18d6100-3c85-11ee-9610-15dee918f31a",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-08-16T22:40:20.761Z",
- "version": "WzYzNTA3MSwxNl0="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/f26ce820-3d47-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/f26ce820-3d47-11ee-9610-15dee918f31a.json
deleted file mode 100644
index 76f5c76268f..00000000000
--- a/packages/tychon/kibana/tag/f26ce820-3d47-11ee-9610-15dee918f31a.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "attributes": {
- "color": "#bcbc9c",
- "description": "Virtualization Based Security",
- "name": "VBS"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-08-17T21:49:31.431Z",
- "id": "f26ce820-3d47-11ee-9610-15dee918f31a",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag",
- "updated_at": "2023-08-17T21:49:31.431Z",
- "version": "WzY2MjY4NywxNl0="
-}
\ No newline at end of file
diff --git a/packages/tychon/kibana/visualization/ee4b44b0-40e6-11ee-8111-21f5f34f6dfc.json b/packages/tychon/kibana/visualization/ee4b44b0-40e6-11ee-8111-21f5f34f6dfc.json
deleted file mode 100644
index a3878a8d2aa..00000000000
--- a/packages/tychon/kibana/visualization/ee4b44b0-40e6-11ee-8111-21f5f34f6dfc.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "attributes": {
- "description": "TYCHON Browser is a series of dashbaords dirlling into indvidual datasets for a single computer.",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
- },
- "title": "[TYCHON] Endpoint Browser -Main Navigation",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"title\":\"[TYCHON] Endpoint Browser -Main Navigation\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Host Info](/app/dashboards#/view/6165bf50-3dbf-11ee-9610-15dee918f31a) | [Network Cards](/app/dashboards#/view/1af57010-41b6-11ee-83e4-c92ed141b9e5) | [Drives and Disks](/app/dashboards#/view/380b6c10-3dbd-11ee-9610-15dee918f31a) | [Apps and Software](/app/dashboards#/view/2bd4ca50-3dfd-11ee-9610-15dee918f31a) | [Hardware](/app/dashboards#/view/993e07a0-3e02-11ee-9610-15dee918f31a) | [Vulnerabilities](/app/dashboards#/view/2de7a3c0-3e08-11ee-9610-15dee918f31a) | [Benchmark Results](/app/dashboards#/view/e1c9c490-41a5-11ee-83e4-c92ed141b9e5) | [Services and Ports](/app/dashboards#/view/0c036be0-3de5-11ee-9610-15dee918f31a) | [Protections](/app/dashboards#/view/b85e87c0-41ab-11ee-83e4-c92ed141b9e5)\"}}"
- },
- "coreMigrationVersion": "8.6.2",
- "created_at": "2023-08-23T21:04:08.909Z",
- "id": "ee4b44b0-40e6-11ee-8111-21f5f34f6dfc",
- "migrationVersion": {
- "visualization": "8.5.0"
- },
- "references": [
- {
- "id": "10af3800-10f3-11ee-af86-538da1394f27",
- "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27",
- "type": "tag"
- },
- {
- "id": "e18d6100-3c85-11ee-9610-15dee918f31a",
- "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a",
- "type": "tag"
- }
- ],
- "type": "visualization",
- "updated_at": "2023-08-23T21:04:08.909Z",
- "version": "WzgyMjAyOSwyMl0="
-}
\ No newline at end of file
diff --git a/packages/tychon/manifest.yml b/packages/tychon/manifest.yml
index 402c152bac5..191a8c4fe7c 100644
--- a/packages/tychon/manifest.yml
+++ b/packages/tychon/manifest.yml
@@ -2,7 +2,7 @@ format_version: 2.0.0
 name: tychon
 release: beta
 title: "TYCHON Agentless"
-version: 0.0.33
+version: 0.0.51
 source:
 license: "Elastic-2.0"
 description: TYCHON Agentless delivers STIG, CVE/IAVA, and Endpoint Protection status without adding new server infrastructure or services to your endpoints. TYCHON datasets fully comply with vulnerability and STIG reporting standards and integrate into Comply-to-Connect for instant zero trust value.