diff --git a/.ci/Jenkinsfile b/.ci/Jenkinsfile
index b16071e8c3c..fa13f663739 100644
--- a/.ci/Jenkinsfile
+++ b/.ci/Jenkinsfile
@@ -14,8 +14,8 @@ pipeline {
AWS_ACCOUNT_SECRET = "secret/observability-team/ci/elastic-observability-aws-account-auth"
HOME = "${env.WORKSPACE}"
DOCKER_COMPOSE_VERSION = "v2.17.2"
- KIND_VERSION = "v0.17.0"
- K8S_VERSION = "v1.26.0"
+ KIND_VERSION = "v0.20.0"
+ K8S_VERSION = "v1.27.3"
JOB_GCS_BUCKET = 'fleet-ci-temp'
JOB_GCS_BUCKET_INTERNAL = 'fleet-ci-temp-internal'
JOB_GCS_CREDENTIALS = 'fleet-ci-gcs-plugin'
@@ -46,9 +46,12 @@ pipeline {
ELASTIC_PACKAGE_COMPOSE_DISABLE_PULL_PROGRESS_INFORMATION = 'true'
// links definitions
ELASTIC_PACKAGE_LINKS_FILE_PATH = "${env.HOME}/${env.BASE_DIR}/links_table.yml"
+
+ // Default license to use by `elastic-package build`
+ ELASTIC_PACKAGE_REPOSITORY_LICENSE = "licenses/Elastic-2.0.txt"
}
options {
- timeout(time: 4, unit: 'HOURS')
+ timeout(time: 6, unit: 'HOURS')
buildDiscarder(logRotator(numToKeepStr: '20', artifactNumToKeepStr: '20', daysToKeepStr: '30'))
timestamps()
ansiColor('xterm')
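Review bot: `ELASTIC_PACKAGE_REPOSITORY_LICENSE` is set to a bare relative path, `licenses/Elastic-2.0.txt`, with nothing saying what it is resolved against, whereas the neighbouring `ELASTIC_PACKAGE_LINKS_FILE_PATH` is explicitly anchored on `${env.HOME}/${env.BASE_DIR}`. If elastic-package resolves it against the repository root, record that in the comment, e.g. `// Default license used by elastic-package build; path is relative to the repository root`; if not, anchor it the same way as the links path so the build does not depend on the working directory of the step that runs it. The timeout increase from 4 to 6 hours also lands without a reason; a one-line comment on why the budget grew would help whoever later has to tighten it again. Both the `environment` and `options` blocks extend beyond this hunk.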
diff --git a/.ci/schedule-daily.groovy b/.ci/schedule-daily.groovy
index 7a49bc6cbdc..7467de0d8c9 100644
--- a/.ci/schedule-daily.groovy
+++ b/.ci/schedule-daily.groovy
@@ -39,12 +39,12 @@ pipeline {
)
}
}
- stage('with stack v8.9') {
+ stage('with stack v8.10') {
steps {
build(
job: env.INTEGRATION_JOB,
parameters: [
- stringParam(name: 'stackVersion', value: '8.9-SNAPSHOT'),
+ stringParam(name: 'stackVersion', value: '8.10-SNAPSHOT'),
booleanParam(name: 'force_check_all', value: true),
booleanParam(name: 'skip_publishing', value: true),
],
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index d6fc289ff21..527d2988246 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -11,6 +11,7 @@
/packages/activemq @elastic/obs-infraobs-integrations
/packages/airflow @elastic/obs-infraobs-integrations
/packages/akamai @elastic/security-external-integrations
+/packages/amazon_security_lake @elastic/security-external-integrations
/packages/apache @elastic/obs-infraobs-integrations
/packages/apache_spark @elastic/obs-infraobs-integrations
/packages/apache_tomcat @elastic/obs-infraobs-integrations
@@ -22,13 +23,22 @@
/packages/auditd_manager @elastic/security-external-integrations
/packages/auth0 @elastic/security-external-integrations
/packages/aws @elastic/obs-cloud-monitoring
+/packages/aws/changelog.yml @elastic/obs-cloud-monitoring @elastic/security-external-integrations
+/packages/aws/data_stream/guardduty @elastic/security-external-integrations
+/packages/aws/data_stream/securityhub_findings @elastic/security-external-integrations
+/packages/aws/data_stream/securityhub_insights @elastic/security-external-integrations
/packages/aws/kibana @elastic/obs-cloud-monitoring @elastic/kibana-visualizations
+/packages/aws/manifest.yml @elastic/obs-cloud-monitoring @elastic/security-external-integrations
/packages/aws_logs @elastic/obs-cloud-monitoring
/packages/awsfargate @elastic/obs-cloud-monitoring
+/packages/awsfirehose @elastic/obs-cloud-monitoring
/packages/azure @elastic/obs-cloud-monitoring
+/packages/azure_app_service @elastic/obs-infraobs-integrations
/packages/azure_application_insights @elastic/obs-cloud-monitoring
/packages/azure_billing @elastic/obs-cloud-monitoring
/packages/azure_blob_storage @elastic/security-external-integrations
+/packages/azure @elastic/obs-cloud-monitoring
+/packages/azure_functions @elastic/obs-infraobs-integrations
/packages/azure_frontdoor @elastic/security-external-integrations
/packages/azure_metrics @elastic/obs-cloud-monitoring
/packages/barracuda @elastic/security-external-integrations
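Review bot: The added `/packages/azure @elastic/obs-cloud-monitoring` line is an exact duplicate of the existing `/packages/azure @elastic/obs-cloud-monitoring` entry a few lines above, so this hunk leaves two identical rules for the same path. Under CODEOWNERS last-match-wins semantics the duplicate is harmless today, but it is the kind of line that silently diverges when only one copy is edited; drop the added one. Separately, the file keeps entries alphabetical and `/packages/azure_functions` is inserted before `/packages/azure_frontdoor` although `fr` sorts before `fu`; move it one line down.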
@@ -45,7 +55,6 @@
/packages/cel @elastic/security-external-integrations
/packages/ceph @elastic/obs-infraobs-integrations
/packages/checkpoint @elastic/security-external-integrations
-/packages/cisco @elastic/security-external-integrations
/packages/cisco_aironet @elastic/security-external-integrations
/packages/cisco_asa @elastic/security-external-integrations
/packages/cisco_duo @elastic/security-external-integrations
@@ -69,7 +78,6 @@
/packages/couchbase @elastic/obs-infraobs-integrations
/packages/couchdb @elastic/obs-infraobs-integrations
/packages/crowdstrike @elastic/security-external-integrations
-/packages/cyberark @elastic/security-external-integrations
/packages/cyberark_pta @elastic/security-external-integrations
/packages/cyberarkpas @elastic/security-external-integrations
/packages/cylance @elastic/security-external-integrations
@@ -81,6 +89,8 @@
/packages/elastic_package_registry @elastic/ecosystem
/packages/elasticsearch @elastic/infra-monitoring-ui
/packages/enterprisesearch @elastic/infra-monitoring-ui
+/packages/entityanalytics_entra_id @elastic/security-external-integrations
+/packages/entityanalytics_okta @elastic/security-external-integrations
/packages/etcd @elastic/obs-infraobs-integrations
/packages/f5 @elastic/security-external-integrations
/packages/f5_bigip @elastic/security-external-integrations
@@ -89,18 +99,23 @@
/packages/fleet_server @elastic/elastic-agent-control-plane
/packages/forcepoint_web @elastic/security-external-integrations
/packages/forgerock @elastic/security-external-integrations
-/packages/fortinet @elastic/security-external-integrations
/packages/fortinet_forticlient @elastic/security-external-integrations
/packages/fortinet_fortiedr @elastic/security-external-integrations
/packages/fortinet_fortigate @elastic/security-external-integrations
/packages/fortinet_fortimail @elastic/security-external-integrations
/packages/fortinet_fortimanager @elastic/security-external-integrations
/packages/gcp @elastic/security-external-integrations @elastic/obs-cloud-monitoring
+/packages/gcp/data_stream @elastic/obs-cloud-monitoring
+/packages/gcp/data_stream/audit @elastic/security-external-integrations
+/packages/gcp/data_stream/dns @elastic/security-external-integrations
+/packages/gcp/data_stream/firewall @elastic/security-external-integrations
+/packages/gcp/data_stream/vpcflow @elastic/security-external-integrations
/packages/gcp_metrics @elastic/obs-cloud-monitoring
/packages/gcp_pubsub @elastic/security-external-integrations
/packages/github @elastic/security-external-integrations
/packages/golang @elastic/obs-infraobs-integrations
/packages/google_cloud_storage @elastic/security-external-integrations
+/packages/google_scc @elastic/security-external-integrations
/packages/google_workspace @elastic/security-external-integrations
/packages/hadoop @elastic/obs-infraobs-integrations
/packages/haproxy @elastic/obs-infraobs-integrations
@@ -121,7 +136,6 @@
/packages/jolokia_input @elastic/obs-infraobs-integrations
/packages/journald @elastic/elastic-agent-data-plane
/packages/jumpcloud @elastic/security-external-integrations
-/packages/juniper @elastic/security-external-integrations
/packages/juniper_junos @elastic/security-external-integrations
/packages/juniper_netscreen @elastic/security-external-integrations
/packages/juniper_srx @elastic/security-external-integrations
@@ -140,7 +154,7 @@
/packages/m365_defender @elastic/security-external-integrations
/packages/mattermost @elastic/security-external-integrations
/packages/memcached @elastic/obs-infraobs-integrations
-/packages/microsoft @elastic/security-external-integrations
+/packages/microsoft_defender_cloud @elastic/security-external-integrations
/packages/microsoft_defender_endpoint @elastic/security-external-integrations
/packages/microsoft_dhcp @elastic/security-external-integrations
/packages/microsoft_exchange_online_message_trace @elastic/security-external-integrations
@@ -174,9 +188,9 @@
/packages/problemchild @elastic/ml-ui @elastic/sec-applied-ml
/packages/prometheus @elastic/obs-cloudnative-monitoring
/packages/prometheus_input @elastic/obs-infraobs-integrations
-/packages/proofpoint @elastic/security-external-integrations
/packages/proofpoint_tap @elastic/security-external-integrations
/packages/pulse_connect_secure @elastic/security-external-integrations
+/packages/qualys_vmdr @elastic/security-external-integrations
/packages/qnap_nas @elastic/security-external-integrations
/packages/rabbitmq @elastic/obs-infraobs-integrations
/packages/radware @elastic/security-external-integrations
@@ -191,7 +205,6 @@
/packages/slack @elastic/security-external-integrations
/packages/snort @elastic/security-external-integrations
/packages/snyk @elastic/security-external-integrations
-/packages/sonicwall @elastic/security-external-integrations
/packages/sonicwall_firewall @elastic/security-external-integrations
/packages/sophos @elastic/security-external-integrations
/packages/sophos_central @elastic/security-external-integrations
@@ -205,7 +218,11 @@
/packages/synthetics @elastic/uptime
/packages/sysmon_linux @elastic/security-external-integrations
/packages/system @elastic/obs-infraobs-integrations
+/packages/system/changelog.yml @elastic/obs-infraobs-integrations @elastic/security-external-integrations
+/packages/system/data_stream/auth @elastic/security-external-integrations
+/packages/system/data_stream/security @elastic/security-external-integrations
/packages/system/kibana @elastic/elastic-agent-data-plane @elastic/kibana-visualizations
+/packages/system/manifest.yml @elastic/obs-infraobs-integrations @elastic/security-external-integrations
/packages/system_audit @elastic/security-external-integrations
/packages/tanium @elastic/security-external-integrations
/packages/tcp @elastic/security-external-integrations
@@ -216,6 +233,7 @@
/packages/ti_anomali @elastic/security-external-integrations
/packages/ti_cif3 @elastic/security-external-integrations
/packages/ti_cybersixgill @elastic/security-external-integrations
+/packages/ti_maltiverse @elastic/security-external-integrations
/packages/ti_misp @elastic/security-external-integrations
/packages/ti_otx @elastic/security-external-integrations
/packages/ti_rapid7_threat_command @elastic/security-external-integrations
@@ -225,6 +243,7 @@
/packages/tines @elastic/security-external-integrations
/packages/tomcat @elastic/obs-infraobs-integrations
/packages/traefik @elastic/obs-infraobs-integrations
+/packages/trellix_edr_cloud @elastic/security-external-integrations
/packages/trellix_epo_cloud @elastic/security-external-integrations
/packages/trend_micro_vision_one @elastic/security-external-integrations
/packages/trendmicro @elastic/security-external-integrations
@@ -237,12 +256,21 @@
/packages/vsphere @elastic/obs-infraobs-integrations
/packages/websphere_application_server @elastic/obs-infraobs-integrations
/packages/windows @elastic/elastic-agent-data-plane @elastic/security-external-integrations
+/packages/windows/data_stream/applocker_exe_and_dll @elastic/security-external-integrations
+/packages/windows/data_stream/applocker_msi_and_script @elastic/security-external-integrations
+/packages/windows/data_stream/applocker_packaged_app_deployment @elastic/security-external-integrations
+/packages/windows/data_stream/applocker_packaged_app_execution @elastic/security-external-integrations
+/packages/windows/data_stream/forwarded @elastic/security-external-integrations
+/packages/windows/data_stream/perfmon @elastic/elastic-agent-data-plane
+/packages/windows/data_stream/powershell @elastic/security-external-integrations
+/packages/windows/data_stream/powershell_operational @elastic/security-external-integrations
+/packages/windows/data_stream/service @elastic/elastic-agent-data-plane
+/packages/windows/data_stream/sysmon_operational @elastic/security-external-integrations
/packages/winlog @elastic/security-external-integrations
/packages/zeek @elastic/security-external-integrations
/packages/zerofox @elastic/security-external-integrations
/packages/zeronetworks @elastic/security-external-integrations
/packages/zookeeper @elastic/obs-infraobs-integrations
/packages/zoom @elastic/security-external-integrations
-/packages/zscaler @elastic/security-external-integrations
/packages/zscaler_zia @elastic/security-external-integrations
/packages/zscaler_zpa @elastic/security-external-integrations
diff --git a/.go-version b/.go-version
index 66e2ae6c25c..2844977405c 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.19.1
+1.21.1
diff --git a/LICENSE.txt b/LICENSE.txt
index 809108b857f..367352ffbd7 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,93 +1,9 @@
-Elastic License 2.0
+Source code in this repository is licensed under multiple licenses.
+Source code in a given file is licensed under the Elastic License
+Version 2.0, unless otherwise noted at the beginning of the file or
+a LICENSE.txt file present in the directory subtree declares another
+license.
-URL: https://www.elastic.co/licensing/elastic-license
+Built packages include a copy of the applicable license.
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
+Full text of licenses can be found in the licenses directory.
diff --git a/docs/developer_tsdb_migration_guidelines.md b/docs/developer_tsdb_migration_guidelines.md
index 1017a156227..21bcef9a1d4 100644
--- a/docs/developer_tsdb_migration_guidelines.md
+++ b/docs/developer_tsdb_migration_guidelines.md
@@ -1,12 +1,17 @@
# TSDB Guideline for Integration Developers
+Important related resources:
+
+- Meta [issue](https://github.com/elastic/integrations/issues/5233) with all migrated packages
+- TSDB [test](https://github.com/elastic/TSDB-migration-test-kit) migration kit.
+
+In this document you can find:
+
* [Background](#background)
* [Steps for migrating an existing package](#migration-steps)
* [Testing](#testing)
* [Best practices](#best-practices)
* [Troubleshooting](#troubleshooting)
-* [Known issues](#known-issues)
-* [Reference to existing package already migrated](#existing-migrated-packages)
# Background
@@ -19,94 +24,117 @@ Integration is one of the biggest sources of input data to elasticsearch. Enabli
# Steps for migrating an existing package
-1. **Datastream having type `logs` can be excluded from TSDB migration.**
-2. **Add the changes to the manifest.yml file of the datastream as below to enable the timeseries index mode**
- ```
- elasticsearch:
- index_mode: "time_series"
- ```
- If your datastream has more number of dimension fields, you can modify this limit by modifying index.mapping.dimension_fields.limit value as below
- ```
- elasticsearch:
- index_mode: "time_series"
- index_template:
- settings:
- # Defaults to 16
- index.mapping.dimension_fields.limit: 32
- ```
-3. **Identifying the dimensions in the datastream.**
-
- Read about dimension fields [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#time-series-dimension). It is important that dimensions or a set of dimensions that are part of a datastream uniquely identify a timeseries. Dimensions are used to form _tsid which then is used for routing and index sorting. Read about the ways to add field a dimension [here](https://github.com/elastic/integrations/blob/main/docs/generic_guidelines.md#specify-dimensions])
+> **Warning**: Datastream having type `logs` are excluded from TSDB migration.
- A field having type [flattened](https://www.elastic.co/guide/en/elasticsearch/reference/current/flattened.html) cannot be selected as a dimension field. If the field that you are choosing as a dimension is too long or is of type flattened , consider the option of hashing the value of this field, creating a new dimension field to hold this value . [Fingerprint processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/fingerprint-processor.html) can be used for this purpose.
- Reference : [Oracle Integration TSDB Enablement Example](https://github.com/elastic/integrations/blob/8a57d6ba96d391afc33da20c80ec51280d22f009/packages/oracle/data_stream/performance/elasticsearch/ingest_pipeline/default.yml#LL127C4-L131C29)
-
-3. **Annotating the ECS fields as dimension.**
-
- From the context of integrations that are related to products that are deployed on-premise, there exist certain fields that are part of every package and they are potential candidates of becoming dimension fields
-
- * host.ip
- * service.address
- * agent.id
+### Step 1: Set the dimension fields
+
+Each field belonging to the set of fields that uniquely identify a document is a dimension. You can read more details about dimensions [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#time-series-dimension).
+
+To set a field as dimension simply add `dimension: true` to its mapping:
+
+```yaml
+- name: ApiId
+ type: keyword
+ dimension: true
+```
+
+> **Note**: A field having type [flattened](https://www.elastic.co/guide/en/elasticsearch/reference/current/flattened.html) cannot be selected as a dimension field. If the field that you are choosing as a dimension is too long or is of type flattened, consider hashing the value of this field and using the result as a dimension. [Fingerprint processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/fingerprint-processor.html) can be used for this purpose.
+>
+> You can find an example in [Oracle Integration TSDB Enablement Example](https://github.com/elastic/integrations/blob/8a57d6ba96d391afc33da20c80ec51280d22f009/packages/oracle/data_stream/performance/elasticsearch/ingest_pipeline/default.yml#LL127C4-L131C29)
+
+Important considerations:
+- There is a limit on how many dimension fields a datastream can have. By default, this value is [21](https://github.com/elastic/elasticsearch/blob/6417a4f80f32ace48b8ad682ad46b19b57e49d60/server/src/main/java/org/elasticsearch/index/mapper/MapperService.java#L114)). You can adjust this restriction by altering the `index.mapping.dimension_fields.limit`:
+```yaml
+elasticsearch:
+ index_template:
+ settings:
+ index.mapping.dimension_fields.limit: 32 # Defaults to 21
+```
+- Dimension _keys_ have a hard limit of 512b. Documents are rejected if this limit is reached.
+- Dimension _values_ have a hard limit of 1024b. Documents are rejected if this limit is reached.
+
+#### ECS fiels
+There are fields that are part of every package, and they are potential candidates of becoming dimension fields:
+
+* `host.name`
+* `service.address`
+* `agent.id`
+* `container.id`
+
+For products that are capable of running both on-premise and in a public cloud environment (by being deployed on public cloud virtual machines), it is recommended to annotate the ECS fields listed below as dimension fields:
+* `host.name`
+* `service.address`
+* `container.id`
+* `cloud.account.id`
+* `cloud.provider`
+* `cloud.region`
+* `cloud.availability_zone`
+* `agent.id`
+* `cloud.instance.id`
+
+For products operating as managed services within cloud providers like AWS, Azure, and GCP, it is advised to label the fields listed below as dimension fields.
+* `cloud.account.id`
+* `cloud.region`
+* `cloud.availability_zone`
+* `cloud.provider`
+* `agent.id `
+
+Note that for some packages some of these fields do not hold any value, so make sure to only use the needed ones.
- When metrics are collected from a resource running in the cloud or in a container, certain fields are potential candidates of becoming dimension fields
-
- * host.ip
- * service.address
- * agent.id
- * cloud.project.id
- * cloud.instance.id
- * cloud.provider
- * container.id
-
- *Warning: Choosing an insufficient number of dimension fields may lead to data loss*
-
- *Hint: Fields having type [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#keyword-field-type) in your datastream are very good candidates of becoming dimension fields*
+#### Integration specific fields
-4. **Annotating the integration specific fields as dimension**
+`files.yml` file has the field mappings specific to a datastream of an integration. Some of these fields might need to be set as dimension if the set of dimension fields in ECS is not enough to create a unique [_tsid](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#tsid).
- `files.yml` file has the field mappings specific to a datastream of an integration. This step is needed when the dimension fields in ECS is not sufficient enough to create a unique [_tsid](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#tsid) value for the documents stored in elasticsearch. Annotate the field with `dimension: true` to tag the field as dimension field.
+Adding an inline comment prior to the dimension annotation is advised, detailing the rationale behind the choice of a particular field as a dimension field.
```
- name: wait_class
type: keyword
- description: Every wait event belongs to a class of wait events.
+ # Multiple events are generated based on the values of wait_class. Hence, it is a dimension
dimension: true
+ description: Every wait event belongs to a class of wait events.
```
- *Notes:*
- * *There exists a limit on how many dimension fields can have. By default this value is 16. Out of this, 8 are reserved for ecs fields.*
- * *Dimension keys have a hard limit of 512b. Documents are rejected if this limit is reached.*
- * *Dimension values have a hard limit of 1024b. Documents are rejected if this limit is reached*
+### Step 2: Set type for metric fields
-5. **Annotating Metric Types values for all applicable fields**
+Metrics are fields that contain numeric measurements, as well as aggregations and/or down sampling values based off of those measurements. Annotate each metric with the correct metric type. The [currently supported](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#time-series-metric) values are `gauge`, `counter` and `null`.
- Metrics are fields that contain numeric measurements, as well as aggregations and/or downsampling values based off of those measurements.
+Example of adding a metric type to a field:
- Annotate fields using appropriate metric_type wherever applicable. `counter` and `gauge` are the currently supported values for [metric_type](https://www.elastic.co/guide/en/elasticsearch/reference/master/mapping-field-meta.html).
+```yaml
+- name: compactions_failed
+ type: double
+ metric_type: counter
+ description: |
+ Counter of TSM compactions by level that have failed due to error.
+```
+> **Note**: Some of the aggregation functions are not supported for certain metric_type. In such a scenario, please revisit to see if the selection of metric_type you made is indeed correct for that field. If valid, please create an issue under elastic/elasticsearch explaining the use case.
- More details regarding metric_type can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html#time-series-metric)
+### Step 3: Update Kibana version
- Example on adding metric_type to field mapping.
+Modify the `kibana.version` to at least `8.8.0` within the `manifest.yml` file of the package:
+```yaml
+conditions:
+ kibana.version: "^8.8.0"
+```
- ```
- - name: compactions_failed
- type: double
- metric_type: counter
- description: |
- Counter of TSM compactions by level that have failed due to error.
- ```
- *Note: It may be possible that some of the aggregation functions are not supported for certain metric_type. In such a scenario, please revisit to see if the selection of metric_type you made is indeed correct for that field. If valid, please create an issue under elastic/elasticsearch explaining the use case.*
+### Step 4: Enable `time_series` index mode
-# Testing
-
-- After migration, verify if the dashboard is rendering the data properly. If certain visualisation do not work, consider migrating to [Lens](https://www.elastic.co/guide/en/kibana/current/lens.html)
+Add the changes to the `manifest.yml` file of the datastream as below to enable the timeseries index mode:
+```yaml
+elasticsearch:
+ index_mode: "time_series"
+```
- Certain aggregation functions are not supported when a field is having a metric_type ‘counter’. Example avg(). Replace such aggregation functions with a supported aggregation type such as max().
-- It is recommended to compare the number of documents within a certain time frame before enabling the TSDB and after enabling TSDB index mode. If the count differs, please check if there exists a field that is not annotated as dimension field.
+
+# Testing
+
+- If the number of dimensions is insufficient, we will have loss of data. Consider testing this using the [TSDB migration test kit](https://github.com/elastic/TSDB-migration-test-kit).
+
+- Verify the dashboard is rendering the data properly. If certain visualisation do not work, consider migrating to [Lens](https://www.elastic.co/guide/en/kibana/current/lens.html). Remember that certain aggregation functions are not supported when a field has metric type `counter`. Example `avg()`. Replace such aggregation functions with a supported aggregation type such as `max()` or `min()`.
# Best practices
@@ -115,33 +143,42 @@ Integration is one of the biggest sources of input data to elasticsearch. Enabli
- Always assess the number of unique values the field that is selected to be dimension would hold, especially if it is a numeric field.
A field that holds millions of unique values may not be an ideal candidate for becoming a dimension field.
+
- If the dimension field value length is very long (max limit is 1024B), consider transforming the value to hash value representation. [Fingerprint processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/fingerprint-processor.html) can be used for this purpose.
-- In the field mapping files above each dimension field, add in-line comments stating the reason for selecting the field as a dimension field, especially when the field description does not cover enough details that explains the reason why the field must be a dimension field.
-- As part of TSDB migration testing, you may discover other errors which may be un-related to TSDB migration. Keep the PR for TSDB migration free from such changes. This helps in obtaining quick PR approval.
+- In the field mapping files above each dimension field, add in-line comments stating the reason for selecting the field as a dimension field.
-# Troubleshooting
+- As part of TSDB migration testing, you may discover other errors which may be unrelated to TSDB migration. Keep the PR for TSDB migration free from such changes. This helps in obtaining quick PR approval.
-**Identification of Write Index**: When mappings are modified for a datastream, index rollover happens and a new index is created under the datastream. Even if there exists a new index, the data continues to go to the old index until the timestamp matches `index.time_series.start_time` of the newly created index.
-**Automatic Rollover**: Automatic datastream rollover does not happen when fields are tagged and untagged as dimensional fields. Also, automatic datastream rollover does not happen when the value of index.mapping.dimension_fields.limit is modified.
+# Troubleshooting
-When a package upgrade with the above mentiond change is applied, the changes are made only on the index template. This means, the user need to wait until `index.time_series.end_time` of the current write index before seeing the change, following a package upgrade.
+### Conflicting field type
-An enhancement [request](https://github.com/elastic/kibana/issues/150549) for Kibana is created to indicate the write index. Until then, refer to the index.time_series.start_time of indices and compare with the current time to identify the write index.
+Fields having conflicting field type will not be considered as dimension. Resolve the field type ambiguity before defining a field as dimension field.
-*Hint: In the Index Management UI, against a specific index, if the docs count column values regularly increase for an Index, it can be considered as the write index*
+### Identification of write index
-**Conflicting Field Type** : Fields having conflicting field type will not be considered as dimension. Resolve the field type ambiguity before defining a field as dimension field.
+When mappings are modified for a datastream, index rollover happens and a new index is created under the datastream. Even if there exists a new index, the data continues to go to the old index until the timestamp matches `index.time_series.start_time` of the newly created index.
-# Known issues
+An enhancement [request](https://github.com/elastic/kibana/issues/150549) for Kibana is created to indicate the write index. Until then, refer to the `index.time_series.start_time` of indices and compare with the current time to identify the write index.
-- Lens visualization fails if a field is having a metric_type value as ‘counter’ and certain aggregation functions are applied over it.
-Reference : https://github.com/elastic/elasticsearch/issues/93539
+If you find this error (references [this issue](https://github.com/elastic/integrations/issues/7345) and [this PR](https://github.com/elastic/elasticsearch/pull/98518)):
-- Currently, there are several limits around the number of dimensions.
- Reference : https://github.com/elastic/elasticsearch/issues/93564
+```console
+... (status=400): {"type":"illegal_argument_exception","reason":"the document timestamp [2023-08-07T00:00:00.000Z] is outside of ranges of currently writable indices [[2023-08-07T08:55:38.000Z,2023-08-07T12:55:38.000Z]]"}, dropping event!
+```
-# Reference to existing package already migrated
+Consider:
+1. Defining the `look_ahead` or `look_back_time` for each data stream. Example:
+```yaml
+elasticsearch:
+ index_mode: "time_series"
+ index_template:
+ settings:
+ index.look_ahead_time: "10h"
+```
+> **Note**: Updating the package with this does not cause an automatic rollover on the data stream. You have to do that manually.
+2. Updating the `timestamp` of the document being rejected.
+3. Finding a fix to receive the document without a delay.
-Oracle integration TSDB enablement: [PR Link](https://github.com/elastic/integrations/pull/5307)
diff --git a/docs/developer_workflow_bug_fix_older_package_version.md b/docs/developer_workflow_bug_fix_older_package_version.md
index f9fa85da2d4..7f9f97b9860 100644
--- a/docs/developer_workflow_bug_fix_older_package_version.md
+++ b/docs/developer_workflow_bug_fix_older_package_version.md
@@ -1,10 +1,10 @@
-# Developer workflow: release a bug fix for supporting older package version?
+# Developer workflow: release a bug fix for supporting older package version
In some cases, when we drop the support for an older version of the stack and later on find
out needing to add a bug fix to the some old package version, we have to make some manual changes
to release the bug fix to users. For example: in this [PR](https://github.com/elastic/integrations/pull/3688)
-(AWS package version 1.23.4), it was dropped support
-for Kibana version 7.x and bumped the AWS package version from 1.19.5 to 1.20.0. But we found
+(AWS package version 1.23.4), support for Kibana version 7.x was dropped
+and bumped the AWS package version from 1.19.5 to 1.20.0. But we found
a bug in the EC2 dashboard that needs to be fixed with Kibana version 7.x. So instead of
adding a new AWS package version 1.23.5, we need to fix it between 1.19.5 and 1.20.0.
@@ -60,9 +60,16 @@ Follow these detailed steps to release a fix for a given package version:
Create a branch out of the commit from the previous step (8cb321075afb9b77ea965e1373a03a603d9c9796) and name it following this pattern: `backport--.`.
For example: `backport-aws-1.19`.
+ This branch must be pushed to the upstream repository https://github.com/elastic/integrations.git in order to run the required CI pipelines.
+
3. **Create a PR for the bug fix**
- Apply bugfixes and open a PR against the `backport--.` branch created above.
+ Create a new branch in your own remote (it is advised **not using** a branch name starting with `backport-`), and apply bugfixes there.
+ Remember to update the version in the package manifest (update patch version like `1.19.`) and add a new changelog entry for this patch version.
+
+ Once ready, open a PR selecting as a base branch the one created above: `backport--.` (e.g. `backport-aws-1.19`).
+ Once this PR is merged, this new version of the package is going to be published automatically following the usual CI/CD jobs.
-Once this PR is merged, this new version of the package is going to be published automatically following the usual CI/CD jobs.
+ If it is needed to release a new fix for that version, there is no need to create a new branch. Just create a new PR to merge a
+ new branch onto the same backport branch created previously.
diff --git a/docs/developer_workflow_design_build_test_integration.md b/docs/developer_workflow_design_build_test_integration.md
index 91ddeba5777..6db228c5b5d 100644
--- a/docs/developer_workflow_design_build_test_integration.md
+++ b/docs/developer_workflow_design_build_test_integration.md
@@ -141,42 +141,50 @@ When you are ready for your changes in the integration to be released, remember
It is up to you, as the package developer, to decide how many changes you want to release in a single version.
For example, you could implement a change in a PR and bump up the package version in the same PR. Or you could
implement several changes across multiple PRs and then bump up the package version in the last of these PRs
-or in a separate follow up PR. As an example, it could be followed this procedure:
-
-1. Add a new version entry in the changelog with the prerelease tag `next`. Example: `2.6.0-next`
- ```yaml
- - version: "2.6.0-next"
- changes:
- - description: First PR
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1
- - version: "2.5.0"
- ```
-2. Add the required Pull Requests under this entry:
- ```yaml
- - version: "2.6.0-next"
- changes:
- - description: First PR
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1
- - description: Second PR
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2
- - description: Third PR
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3
- ```
+or in a separate follow up PR. For example, you can apply the following procedure for a package whose latest published version is `2.5.0`:
+
+1. Add a new version entry in the changelog with the prerelease tag `next`:
+ - Keep same version in package manifest: `2.5.0`
+ - Update changelog with a new entry with the prerelease tag (e.g. `2.6.0-next`):
+ ```yaml
+ - version: "2.6.0-next"
+ changes:
+ - description: First PR
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
+ - version: "2.5.0"
+ ```
+2. Add the required Pull Requests under this new changelog entry:
+ - Keep same version in package manifest: `2.5.0`
+ - Changelog:
+ ```yaml
+ - version: "2.6.0-next"
+ changes:
+ - description: First PR
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
+ - description: Second PR
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2
+ - description: Third PR
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3
+ - version: "2.5.0"
+ ```
3. Once everything is merged, another PR is required to bump up the manifest version and replace the changelog entry to be `2.6.0`:
- ```yaml
- - version: "2.6.0"
- changes:
- - description: First PR
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1
- - description: Second PR
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2
- - description: Third PR
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3
- ```
+ - Update version in package manifest: `2.6.0`
+ - Update changelog entry to `2.6.0`:
+ ```yaml
+ - version: "2.6.0"
+ changes:
+ - description: First PR
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
+ - description: Second PR
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2
+ - description: Third PR
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3
+ - version: "2.5.0"
+ ```
diff --git a/go.mod b/go.mod
index 5c8e9757050..344521e86e7 100644
--- a/go.mod
+++ b/go.mod
@@ -1,26 +1,26 @@
module github.com/elastic/integrations
-go 1.19
+go 1.21.0
require (
github.com/blang/semver v3.5.1+incompatible
- github.com/elastic/elastic-package v0.83.2
+ github.com/elastic/elastic-package v0.87.1
github.com/elastic/go-licenser v0.4.1
- github.com/elastic/package-registry v1.20.0
+ github.com/elastic/package-registry v1.21.0
github.com/magefile/mage v1.15.0
github.com/pkg/errors v0.9.1
github.com/stretchr/testify v1.8.4
- golang.org/x/tools v0.10.0
+ golang.org/x/tools v0.13.0
gopkg.in/yaml.v2 v2.4.0
)
require (
- cloud.google.com/go v0.110.0 // indirect
- cloud.google.com/go/compute v1.19.0 // indirect
+ cloud.google.com/go v0.110.4 // indirect
+ cloud.google.com/go/compute v1.20.1 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
- cloud.google.com/go/iam v0.13.0 // indirect
- cloud.google.com/go/pubsub v1.30.0 // indirect
- cloud.google.com/go/storage v1.30.1 // indirect
+ cloud.google.com/go/iam v1.1.1 // indirect
+ cloud.google.com/go/pubsub v1.33.0 // indirect
+ cloud.google.com/go/storage v1.32.0 // indirect
github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/MakeNowJust/heredoc v1.0.0 // indirect
@@ -30,14 +30,15 @@ require (
github.com/PaesslerAG/gval v1.2.1 // indirect
github.com/PaesslerAG/jsonpath v0.1.1 // indirect
github.com/Pallinder/go-randomdata v1.2.0 // indirect
- github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 // indirect
+ github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
- github.com/ProtonMail/gopenpgp/v2 v2.7.1 // indirect
+ github.com/ProtonMail/gopenpgp/v2 v2.7.3 // indirect
github.com/andybalholm/brotli v1.0.4 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
github.com/aymerick/raymond v2.0.2+incompatible // indirect
github.com/beorn7/perks v1.0.1 // indirect
+ github.com/cbroglie/mustache v1.4.0 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/cloudflare/circl v1.3.3 // indirect
@@ -52,20 +53,20 @@ require (
github.com/elastic/go-ucfg v0.8.6 // indirect
github.com/elastic/go-windows v1.0.1 // indirect
github.com/elastic/gojsonschema v1.2.1 // indirect
- github.com/elastic/package-spec/v2 v2.9.0 // indirect
+ github.com/elastic/package-spec/v2 v2.11.0 // indirect
github.com/emicklei/go-restful/v3 v3.10.1 // indirect
github.com/evanphx/json-patch v5.6.0+incompatible // indirect
- github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+ github.com/evanphx/json-patch/v5 v5.7.0 // indirect
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
github.com/fatih/color v1.15.0 // indirect
github.com/felixge/httpsnoop v1.0.3 // indirect
- github.com/fsouza/fake-gcs-server v1.44.2 // indirect
+ github.com/fsouza/fake-gcs-server v1.47.4 // indirect
github.com/go-errors/errors v1.4.2 // indirect
- github.com/go-logr/logr v1.2.3 // indirect
+ github.com/go-logr/logr v1.2.4 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/go-openapi/errors v0.20.3 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
- github.com/go-openapi/jsonreference v0.20.1 // indirect
+ github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/strfmt v0.21.3 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
@@ -73,40 +74,40 @@ require (
github.com/golang/protobuf v1.5.3 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/btree v1.1.2 // indirect
- github.com/google/gnostic v0.6.9 // indirect
+ github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/go-github/v32 v32.1.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/renameio/v2 v2.0.0 // indirect
+ github.com/google/s2a-go v0.1.4 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
- github.com/google/uuid v1.3.0 // indirect
- github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
- github.com/googleapis/gax-go/v2 v2.8.0 // indirect
+ github.com/google/uuid v1.3.1 // indirect
+ github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+ github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/gorilla/handlers v1.5.1 // indirect
github.com/gorilla/mux v1.8.0 // indirect
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
- github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
+ github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
github.com/huandu/xstrings v1.4.0 // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/jcchavezs/porto v0.3.0 // indirect
github.com/jedib0t/go-pretty v4.3.0+incompatible // indirect
github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
- github.com/klauspost/compress v1.16.0 // indirect
+ github.com/klauspost/compress v1.16.7 // indirect
github.com/klauspost/pgzip v1.2.5 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/lithammer/shortuuid/v3 v3.0.7 // indirect
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
- github.com/mattn/go-isatty v0.0.17 // indirect
+ github.com/mattn/go-isatty v0.0.19 // indirect
github.com/mattn/go-runewidth v0.0.14 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
@@ -129,71 +130,72 @@ require (
github.com/pkg/xattr v0.4.9 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
- github.com/prometheus/client_golang v1.15.1 // indirect
- github.com/prometheus/client_model v0.3.0 // indirect
- github.com/prometheus/common v0.42.0 // indirect
- github.com/prometheus/procfs v0.9.0 // indirect
+ github.com/prometheus/client_golang v1.16.0 // indirect
+ github.com/prometheus/client_model v0.4.0 // indirect
+ github.com/prometheus/common v0.44.0 // indirect
+ github.com/prometheus/procfs v0.10.1 // indirect
github.com/rivo/uniseg v0.4.3 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
- github.com/shirou/gopsutil/v3 v3.23.5 // indirect
+ github.com/shirou/gopsutil/v3 v3.23.8 // indirect
github.com/shoenig/go-m1cpu v0.1.6 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
- github.com/sirupsen/logrus v1.9.0 // indirect
+ github.com/sirupsen/logrus v1.9.3 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/cobra v1.7.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
- github.com/tklauser/go-sysconf v0.3.11 // indirect
- github.com/tklauser/numcpus v0.6.0 // indirect
+ github.com/tklauser/go-sysconf v0.3.12 // indirect
+ github.com/tklauser/numcpus v0.6.1 // indirect
github.com/ulikunitz/xz v0.5.11 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
- github.com/xlab/treeprint v1.1.0 // indirect
+ github.com/xlab/treeprint v1.2.0 // indirect
github.com/yusufpapurcu/wmi v1.2.3 // indirect
- go.elastic.co/apm/module/apmgorilla/v2 v2.4.1 // indirect
- go.elastic.co/apm/module/apmhttp/v2 v2.4.1 // indirect
- go.elastic.co/apm/module/apmzap/v2 v2.4.1 // indirect
- go.elastic.co/apm/v2 v2.4.1 // indirect
+ go.elastic.co/apm/module/apmgorilla/v2 v2.4.3 // indirect
+ go.elastic.co/apm/module/apmhttp/v2 v2.4.3 // indirect
+ go.elastic.co/apm/module/apmzap/v2 v2.4.3 // indirect
+ go.elastic.co/apm/v2 v2.4.3 // indirect
go.elastic.co/ecszap v1.0.1 // indirect
go.elastic.co/fastjson v1.1.0 // indirect
go.mongodb.org/mongo-driver v1.11.1 // indirect
go.opencensus.io v0.24.0 // indirect
- go.starlark.net v0.0.0-20221205180719-3fd0dac74452 // indirect
- go.uber.org/atomic v1.7.0 // indirect
- go.uber.org/multierr v1.10.0 // indirect
- go.uber.org/zap v1.24.0 // indirect
- golang.org/x/crypto v0.10.0 // indirect
- golang.org/x/mod v0.11.0 // indirect
- golang.org/x/net v0.11.0 // indirect
- golang.org/x/oauth2 v0.6.0 // indirect
+ go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
+ go.uber.org/multierr v1.11.0 // indirect
+ go.uber.org/zap v1.25.0 // indirect
+ golang.org/x/crypto v0.13.0 // indirect
+ golang.org/x/mod v0.12.0 // indirect
+ golang.org/x/net v0.15.0 // indirect
+ golang.org/x/oauth2 v0.10.0 // indirect
golang.org/x/sync v0.3.0 // indirect
- golang.org/x/sys v0.9.0 // indirect
- golang.org/x/term v0.9.0 // indirect
- golang.org/x/text v0.10.0 // indirect
+ golang.org/x/sys v0.12.0 // indirect
+ golang.org/x/term v0.12.0 // indirect
+ golang.org/x/text v0.13.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
- google.golang.org/api v0.116.0 // indirect
+ google.golang.org/api v0.134.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633 // indirect
- google.golang.org/grpc v1.54.0 // indirect
- google.golang.org/protobuf v1.30.0 // indirect
+ google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771 // indirect
+ google.golang.org/grpc v1.57.0 // indirect
+ google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
- helm.sh/helm/v3 v3.12.1 // indirect
+ helm.sh/helm/v3 v3.12.3 // indirect
howett.net/plist v1.0.0 // indirect
- k8s.io/api v0.27.3 // indirect
- k8s.io/apiextensions-apiserver v0.27.2 // indirect
- k8s.io/apimachinery v0.27.3 // indirect
- k8s.io/cli-runtime v0.27.3 // indirect
- k8s.io/client-go v0.27.3 // indirect
- k8s.io/component-base v0.27.2 // indirect
- k8s.io/klog/v2 v2.90.1 // indirect
- k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
- k8s.io/kubectl v0.27.2 // indirect
- k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect
+ k8s.io/api v0.28.2 // indirect
+ k8s.io/apiextensions-apiserver v0.27.3 // indirect
+ k8s.io/apimachinery v0.28.2 // indirect
+ k8s.io/cli-runtime v0.28.2 // indirect
+ k8s.io/client-go v0.28.2 // indirect
+ k8s.io/component-base v0.28.0 // indirect
+ k8s.io/klog/v2 v2.100.1 // indirect
+ k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+ k8s.io/kubectl v0.28.0 // indirect
+ k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
- sigs.k8s.io/kustomize/api v0.13.2 // indirect
- sigs.k8s.io/kustomize/kyaml v0.14.1 // indirect
+ sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
+ sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
)
diff --git a/go.sum b/go.sum
index 11646ca44c8..1ebba04a789 100644
--- a/go.sum
+++ b/go.sum
@@ -1,19 +1,19 @@
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
-cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
-cloud.google.com/go/compute v1.19.0 h1:+9zda3WGgW1ZSTlVppLCYFIr48Pa35q1uG2N1itbCEQ=
-cloud.google.com/go/compute v1.19.0/go.mod h1:rikpw2y+UMidAe9tISo04EHNOIf42RLYF/q8Bs93scU=
+cloud.google.com/go v0.110.4 h1:1JYyxKMN9hd5dR2MYTPWkGUgcoxVVhg0LKNKEo0qvmk=
+cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
+cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg=
+cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
-cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k=
-cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
-cloud.google.com/go/kms v1.10.0 h1:Imrtp8792uqNP9bdfPrjtUkjjqOMBcAJ2bdFaAnLhnk=
-cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM=
-cloud.google.com/go/pubsub v1.30.0 h1:vCge8m7aUKBJYOgrZp7EsNDf6QMd2CAlXZqWTn3yq6s=
-cloud.google.com/go/pubsub v1.30.0/go.mod h1:qWi1OPS0B+b5L+Sg6Gmc9zD1Y+HaM0MdUr7LsupY1P4=
-cloud.google.com/go/storage v1.30.1 h1:uOdMxAs8HExqBlnLtnQyP0YkvbiDpdGShGKtx6U/oNM=
-cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E=
+cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y=
+cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
+cloud.google.com/go/kms v1.12.1 h1:xZmZuwy2cwzsocmKDOPu4BL7umg8QXagQx6fKVmf45U=
+cloud.google.com/go/kms v1.12.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
+cloud.google.com/go/pubsub v1.33.0 h1:6SPCPvWav64tj0sVX/+npCBKhUi/UjJehy9op/V3p2g=
+cloud.google.com/go/pubsub v1.33.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc=
+cloud.google.com/go/storage v1.32.0 h1:5w6DxEGOnktmJHarxAOUywxVW9lbNWIzlzzUltG/3+o=
+cloud.google.com/go/storage v1.32.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8=
github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ=
github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo=
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
@@ -30,7 +30,6 @@ github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj
github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
github.com/PaesslerAG/gval v1.2.1 h1:Ggwtej1xCyt1994VuDCSjycybIDo3duDCDghK/xc/A0=
github.com/PaesslerAG/gval v1.2.1/go.mod h1:XRFLwvmkTEdYziLdaCeCa5ImcGVrfQbeNUbVR+C6xac=
@@ -39,13 +38,13 @@ github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEs
github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY=
github.com/Pallinder/go-randomdata v1.2.0 h1:DZ41wBchNRb/0GfsePLiSwb0PHZmT67XY00lCDlaYPg=
github.com/Pallinder/go-randomdata v1.2.0/go.mod h1:yHmJgulpD2Nfrm0cR9tI/+oAgRqCQQixsA8HyRZfV9Y=
-github.com/ProtonMail/go-crypto v0.0.0-20230321155629-9a39f2531310/go.mod h1:8TI4H3IbrackdNgv+92dI+rhpCaLqM0IfpgCgenFvRE=
-github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 h1:ZK3C5DtzV2nVAQTx5S5jQvMeDqWtD1By5mOoyY/xJek=
-github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903/go.mod h1:8TI4H3IbrackdNgv+92dI+rhpCaLqM0IfpgCgenFvRE=
+github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ekTTXpdwKYF8eBlsYsDVoggDAuAjoK66k=
github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw=
-github.com/ProtonMail/gopenpgp/v2 v2.7.1 h1:Awsg7MPc2gD3I7IFac2qE3Gdls0lZW8SzrFZ3k1oz0s=
-github.com/ProtonMail/gopenpgp/v2 v2.7.1/go.mod h1:/BU5gfAVwqyd8EfC3Eu7zmuhwYQpKs+cGD8M//iiaxs=
+github.com/ProtonMail/gopenpgp/v2 v2.7.3 h1:AJu1OI/1UWVYZl6QcCLKGu9OTngS2r52618uGlje84I=
+github.com/ProtonMail/gopenpgp/v2 v2.7.3/go.mod h1:IhkNEDaxec6NyzSI0PlxapinnwPVIESk8/76da3Ct3g=
github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
@@ -53,21 +52,24 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd
github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ=
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/aymerick/raymond v2.0.2+incompatible h1:VEp3GpgdAnv9B2GFyTvqgcKvY+mfKMjPOA3SbKLtnU0=
github.com/aymerick/raymond v2.0.2+incompatible/go.mod h1:osfaiScAUVup+UC9Nfq76eWqDhXlp+4UYaA8uhTBO6g=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
+github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
+github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
-github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/cbroglie/mustache v1.4.0 h1:Azg0dVhxTml5me+7PsZ7WPrQq1Gkf3WApcHMjMprYoU=
+github.com/cbroglie/mustache v1.4.0/go.mod h1:SS1FTIghy0sjse4DUVGV1k/40B1qE1XkD9DtDsHo9iM=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
@@ -76,22 +78,24 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
+github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
+github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
github.com/creasty/defaults v1.7.0 h1:eNdqZvc5B509z18lD8yc212CAqJNvfT1Jq6L8WowdBA=
github.com/creasty/defaults v1.7.0/go.mod h1:iGzKe6pbEHnpMPtfDXZEr0NVxWnPTjb1bbDy08fPzYM=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 h1:iFaUwBSo5Svw6L7HYpRu/0lE3e0BaElwnNO1qkNQxBY=
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
@@ -99,41 +103,38 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/elastic/elastic-integration-corpus-generator-tool v0.5.0 h1:Me2T3/O4nASmdjmfaKYaiJaGq8zVhasjfZi3il5p/gs=
github.com/elastic/elastic-integration-corpus-generator-tool v0.5.0/go.mod h1:uf9N86y+UACGybdEhZLpwZ93XHWVhsYZAA4c2T2v6YM=
-github.com/elastic/elastic-package v0.83.2 h1:XEJZd6XeV1zds34gsFSZnwz06K8B/6k/NL58hBGnXuM=
-github.com/elastic/elastic-package v0.83.2/go.mod h1:gcJ1Gy2P4DY1ww4T4PHhlNIgUwMP+IPlqIbAhcm9ixo=
+github.com/elastic/elastic-package v0.87.1 h1:vU8vQ7Lz3qLiEldmrgkhbKvVbeXAzG9wTZZnHzvprBc=
+github.com/elastic/elastic-package v0.87.1/go.mod h1:R1tiLc38SNOvF6iVFk4C4S7kZX7s7BwxjDr+xJvqj84=
github.com/elastic/go-elasticsearch/v7 v7.17.10 h1:TCQ8i4PmIJuBunvBS6bwT2ybzVFxxUhhltAs3Gyu1yo=
github.com/elastic/go-elasticsearch/v7 v7.17.10/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4=
-github.com/elastic/go-licenser v0.4.0/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU=
github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4=
github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU=
github.com/elastic/go-resource v0.1.1 h1:vM173uhPoaZ7C64rKrYbbBn5kxOhstE1+YcGFteAKh8=
github.com/elastic/go-resource v0.1.1/go.mod h1:7F1Wjs6eSFX0i/235yAK/x9bvPNd9/ML92AiULa4XYA=
-github.com/elastic/go-sysinfo v1.7.1/go.mod h1:i1ZYdU10oLNfRzq4vq62BEwD2fH8KaWh6eh0ikPT9F0=
github.com/elastic/go-sysinfo v1.9.0 h1:usICqY/Nw4Mpn9f4LdtpFrKxXroJDe81GaxxUlCckIo=
github.com/elastic/go-sysinfo v1.9.0/go.mod h1:eBD1wEGVaRnRLGecc9iG1z8eOv5HnEdz9+nWd8UAxcE=
github.com/elastic/go-ucfg v0.8.6 h1:stUeyh2goTgGX+/wb9gzKvTv0YB0231LTpKUgCKj4U0=
github.com/elastic/go-ucfg v0.8.6/go.mod h1:4E8mPOLSUV9hQ7sgLEJ4bvt0KhMuDJa8joDT2QGAEKA=
-github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU=
github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0=
github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
github.com/elastic/gojsonschema v1.2.1 h1:cUMbgsz0wyEB4x7xf3zUEvUVDl6WCz2RKcQPul8OsQc=
github.com/elastic/gojsonschema v1.2.1/go.mod h1:biw5eBS2Z4T02wjATMRSfecfjCmwaDPvuaqf844gLrg=
-github.com/elastic/package-registry v1.20.0 h1:zBK0EDEeXkIEVj/jKm+/LR7IyGYqu0TjJxD5qyeN0Uc=
-github.com/elastic/package-registry v1.20.0/go.mod h1:bfGHXtS6sTMHBOp5DKCMjf6koq1Gm3Mp+ysYS+IX7YU=
-github.com/elastic/package-spec/v2 v2.9.0 h1:B9Xxuxg3bWASr8nlYw9Srtyyz6aCANQ9GTgrE9FtNY8=
-github.com/elastic/package-spec/v2 v2.9.0/go.mod h1:6OP9m1tMTUNougppizuwKkr67blhGOHBrYwaAwVPaqI=
+github.com/elastic/package-registry v1.21.0 h1:yl2LCXVvRrUI5sOuBHKyZr0N1+8hwLCWEynmj91yQJw=
+github.com/elastic/package-registry v1.21.0/go.mod h1:KMaIWgFlxMKRd1I8W8NMCLrQLKOvYwDxp1F9KioneU4=
+github.com/elastic/package-spec/v2 v2.11.0 h1:lnK9pU1PA8YP22SxB7AVEqC57C4dUOnk85VMGAIYWcY=
+github.com/elastic/package-spec/v2 v2.11.0/go.mod h1:kpyMzRsaoFTSzV5C1clD0U/ek0FZ7imALGCYEZU8z24=
github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
+github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
-github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
+github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc=
+github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
@@ -141,16 +142,16 @@ github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBD
github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0=
github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
-github.com/fsouza/fake-gcs-server v1.44.2 h1:i0SFjrC3ALr5FmxWdUgeQQ5myXFY+VMCPGVDj25XXXo=
-github.com/fsouza/fake-gcs-server v1.44.2/go.mod h1:eKmKIfPvl24wxEWVng4Hsh/+BwUTMhrFtQkNJxLAgSI=
+github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
+github.com/fsouza/fake-gcs-server v1.47.4 h1:gfBhBxEra20/Om02cvcyL8EnekV8KDb01Yffjat6AKQ=
+github.com/fsouza/fake-gcs-server v1.47.4/go.mod h1:vqUZbI12uy9IkRQ54Q4p5AniQsSiUq8alO9Nv2egMmA=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
-github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
@@ -158,13 +159,14 @@ github.com/go-openapi/errors v0.20.3 h1:rz6kiC84sqNQoqrtulzaL/VERgkoCyB6WdEkc2uj
github.com/go-openapi/errors v0.20.3/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk=
github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
-github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8=
-github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -176,7 +178,6 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
@@ -195,8 +196,8 @@ github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0=
-github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -205,7 +206,6 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
@@ -219,24 +219,26 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw=
+github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
+github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
+github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
-github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/gax-go/v2 v2.8.0 h1:UBtEZqx1bjXtOQ5BVTkuYghXrr3N4V123VKJK67vJZc=
-github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
-github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM=
+github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w=
+github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
+github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
-github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -252,8 +254,8 @@ github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxC
github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.7.2 h1:AcYqCvkpalPnPF2pn0KamgwamS42TqUDDYFRKq/RAd0=
-github.com/hashicorp/go-retryablehttp v0.7.2/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA=
+github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
@@ -264,9 +266,6 @@ github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jcchavezs/porto v0.1.0/go.mod h1:fESH0gzDHiutHRdX2hv27ojnOVFco37hg1W6E9EZF4A=
-github.com/jcchavezs/porto v0.3.0 h1:JSKeMsqexngzHUpiv4NPPADSNBF9bDyavGRDWedzNeM=
-github.com/jcchavezs/porto v0.3.0/go.mod h1:fESH0gzDHiutHRdX2hv27ojnOVFco37hg1W6E9EZF4A=
github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -283,15 +282,18 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
github.com/klauspost/compress v1.11.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
-github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4=
-github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=
+github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/cpuid v1.2.0 h1:NMpwD2G9JSFOE1/TJjGSo5zG7Yb2bTe7eq1jH+irmeE=
github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
+github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -312,8 +314,8 @@ github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxec
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
@@ -324,6 +326,12 @@ github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQ
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Clwo=
github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
+github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
+github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
+github.com/minio/minio-go/v7 v7.0.61 h1:87c+x8J3jxQ5VUGimV9oHdpjsAvy3fhneEBKuoKEVUI=
+github.com/minio/minio-go/v7 v7.0.61/go.mod h1:BTu8FcrEw+HidY0zd/0eny43QnVNkXRPXrLXFuQBHXg=
+github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=
+github.com/minio/sha256-simd v1.0.1/go.mod h1:Pz6AKMiUdngCLpeTL/RJY1M9rUuPMYujV5xJjtbRSN8=
github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
@@ -357,9 +365,12 @@ github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.9.1 h1:zie5Ly042PD3bsCvsSOPvRnFwyo3rKe64TJlD6nu0mk=
-github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E=
+github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE=
+github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM=
+github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
+github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
github.com/otiai10/copy v1.12.0 h1:cLMgSQnXBs1eehF0Wy/FAGsgDTDmAqFR7rQylBb1nDY=
+github.com/otiai10/copy v1.12.0/go.mod h1:rSaLseMUsZFFbsFGc7wCJnnkTAvdc5L6VWxPE4308Ww=
github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
github.com/pierrec/lz4/v4 v4.1.2/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
@@ -375,27 +386,29 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI=
-github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
+github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
+github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
-github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
-github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
-github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
-github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
-github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
+github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
github.com/rivo/uniseg v0.4.3 h1:utMvzDsuh3suAEnhH0RdHmoPbU648o6CvXxTx4SBMOw=
github.com/rivo/uniseg v0.4.3/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
-github.com/shirou/gopsutil/v3 v3.23.5 h1:5SgDCeQ0KW0S4N0znjeM/eFHXXOKyv2dVNgRq/c9P6Y=
-github.com/shirou/gopsutil/v3 v3.23.5/go.mod h1:Ng3Maa27Q2KARVJ0SPZF5NdrQSC3XHKP8IIWrHgMeLY=
+github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/shirou/gopsutil/v3 v3.23.8 h1:xnATPiybo6GgdRoC4YoGnxXZFRc3dqQTGi73oLvvBrE=
+github.com/shirou/gopsutil/v3 v3.23.8/go.mod h1:7hmCaBn+2ZwaZOr6jmPBZDfawwMGuo1id3C6aM8EDqQ=
github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
@@ -403,9 +416,8 @@ github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnj
github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
@@ -413,7 +425,6 @@ github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
@@ -427,15 +438,14 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
-github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=
-github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI=
-github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms=
-github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4=
+github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
+github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
+github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
+github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/ulikunitz/xz v0.5.9/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
@@ -448,28 +458,26 @@ github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMc
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
-github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
-github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk=
-github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
+github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
+github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-go.elastic.co/apm/module/apmgorilla/v2 v2.4.1 h1:oZV/B5LNJXp9PYVZYZT1+MRxDc7XirUGM2k1Z9JKp/c=
-go.elastic.co/apm/module/apmgorilla/v2 v2.4.1/go.mod h1:7UNkg3NsOwG7iPxI1zWAODQnCtu9KL85tEEaymxtr1w=
-go.elastic.co/apm/module/apmhttp/v2 v2.4.1 h1:4jIuTNh14opEIwf+zMru1jGW3MuNj6vtI0dsx+6QMt0=
-go.elastic.co/apm/module/apmhttp/v2 v2.4.1/go.mod h1:pJ2sd5b4YCX1YX9VzhvFO6AXpqCPiP3dP5U9qBD4s+8=
-go.elastic.co/apm/module/apmzap/v2 v2.4.1 h1:vv5ZbrDvBrF0H7D+tuhSQ+NOrqbCH7d+hZNxrP/omRM=
-go.elastic.co/apm/module/apmzap/v2 v2.4.1/go.mod h1:OZs/UznopxCb8Ax/P1va0AhReViu+61D84/4W5wj9Oc=
-go.elastic.co/apm/v2 v2.4.1 h1:tMxAtHh5TXTYdFG0pTmmUOn/PTI3k/1T1ptb+3O+hYI=
-go.elastic.co/apm/v2 v2.4.1/go.mod h1:HdwVuAeoJMmoqAZZBNN2YVzj3UVLebtqoRCCydyCP+Q=
+go.elastic.co/apm/module/apmgorilla/v2 v2.4.3 h1:Dpu57OU2Ao9EBlQ7cxszgUCGMz48LfEWDgoY45h46ic=
+go.elastic.co/apm/module/apmgorilla/v2 v2.4.3/go.mod h1:lwJCWmbuRSyrsCiQrQ0G4+7F+BjyyIf0MVdceyOvMJM=
+go.elastic.co/apm/module/apmhttp/v2 v2.4.3 h1:bBqbbtQSEL+uVpH5CS656E9x6pXha8kkZ468/G0T5Eo=
+go.elastic.co/apm/module/apmhttp/v2 v2.4.3/go.mod h1:PsafA29/iwRva1ouV+70Lfu6RyAJHh6Zcc+jL6eZ83E=
+go.elastic.co/apm/module/apmzap/v2 v2.4.3 h1:7jsuiJLP5BHQ9tpHRGu9oiiDqYdIBE24WF0P5te8sOk=
+go.elastic.co/apm/module/apmzap/v2 v2.4.3/go.mod h1:f9qtIFTU/dCnUqoDeuNrRevCR3fMJe6YMw9SelFjzbY=
+go.elastic.co/apm/v2 v2.4.3 h1:k6mj63O7IIyqqn3S52C2vBXvaSK9M5FHp0aZHpPH/as=
+go.elastic.co/apm/v2 v2.4.3/go.mod h1:+CiBUdrrAGnGCL9TNx7tQz3BrfYV23L8Ljvotoc87so=
go.elastic.co/ecszap v1.0.1 h1:mBxqEJAEXBlpi5+scXdzL7LTFGogbuxipJC0KTZicyA=
go.elastic.co/ecszap v1.0.1/go.mod h1:SVjazT+QgNeHSGOCUHvRgN+ZRj5FkB7IXQQsncdF57A=
go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4=
@@ -480,30 +488,29 @@ go.mongodb.org/mongo-driver v1.11.1/go.mod h1:s7p5vEtfbeR1gYi6pnj3c3/urpbLv2T5Sf
go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.starlark.net v0.0.0-20221205180719-3fd0dac74452 h1:JZtNuL6LPB+scU5yaQ6hqRlJFRiddZm2FwRt2AQqtHA=
-go.starlark.net v0.0.0-20221205180719-3fd0dac74452/go.mod h1:kIVgS18CjmEC3PqMd5kaJSGEifyV/CeB9x506ZJ1Vbk=
-go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY=
+go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
-go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
-go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
-go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
+go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
-golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -517,8 +524,8 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
-golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -534,25 +541,23 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
-golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw=
-golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
+golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
+golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -564,52 +569,49 @@ golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5h
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28=
-golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
+golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
-golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -624,19 +626,18 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
-golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
-golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-google.golang.org/api v0.116.0 h1:09tOPVufPwfm5W4aA8EizGHJ7BcoRDsIareM2a15gO4=
-google.golang.org/api v0.116.0/go.mod h1:9cD4/t6uvd9naoEJFA+M96d0IuB6BqFuyhpw68+mRGg=
+google.golang.org/api v0.134.0 h1:ktL4Goua+UBgoP1eL1/60LwZJqa1sIzkLmvoR3hR6Gw=
+google.golang.org/api v0.134.0/go.mod h1:sjRL3UnjTx5UqNQS9EWr9N8p7xbHpy1k0XGRLCf3Spk=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
@@ -645,9 +646,12 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633 h1:0BOZf6qNozI3pkN3fJLwNubheHJYHhMh91GRFOWWK08=
-google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
+google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIYWHqOUZ1pva5qK/rwbIhoXEUB9Lu8=
+google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
+google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU=
+google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771 h1:Z8qdAF9GFsmcUuWQ5KVYIpP3PCKydn/YKORnghIalu4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
@@ -655,9 +659,9 @@ google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag=
-google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
+google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
+google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
+google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -669,20 +673,19 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/hjson/hjson-go.v3 v3.0.1/go.mod h1:X6zrTSVeImfwfZLfgQdInl9mWjqPqgH90jom9nym/lw=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -691,43 +694,41 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-helm.sh/helm/v3 v3.12.1 h1:lzU7etZX24A6BTMXYQF3bFq0ECfD8s+fKlNBBL8AbEc=
-helm.sh/helm/v3 v3.12.1/go.mod h1:qhmSY9kcX7yH1xebe+FDMZa7E5NAeZ+LvK5j1gSln48=
+helm.sh/helm/v3 v3.12.3 h1:5y1+Sbty12t48T/t/CGNYUIME5BJ0WKfmW/sobYqkFg=
+helm.sh/helm/v3 v3.12.3/go.mod h1:KPKQiX9IP5HX7o5YnnhViMnNuKiL/lJBVQ47GHe1R0k=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0=
howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-k8s.io/api v0.27.3 h1:yR6oQXXnUEBWEWcvPWS0jQL575KoAboQPfJAuKNrw5Y=
-k8s.io/api v0.27.3/go.mod h1:C4BNvZnQOF7JA/0Xed2S+aUyJSfTGkGFxLXz9MnpIpg=
-k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo=
-k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ=
-k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM=
-k8s.io/apimachinery v0.27.3/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
-k8s.io/cli-runtime v0.27.3 h1:h592I+2eJfXj/4jVYM+tu9Rv8FEc/dyCoD80UJlMW2Y=
-k8s.io/cli-runtime v0.27.3/go.mod h1:LzXud3vFFuDFXn2LIrWnscPgUiEj7gQQcYZE2UPn9Kw=
-k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8=
-k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48=
-k8s.io/component-base v0.27.2 h1:neju+7s/r5O4x4/txeUONNTS9r1HsPbyoPBAtHsDCpo=
-k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo=
-k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw=
-k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
-k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
-k8s.io/kubectl v0.27.2 h1:sSBM2j94MHBFRWfHIWtEXWCicViQzZsb177rNsKBhZg=
-k8s.io/kubectl v0.27.2/go.mod h1:GCOODtxPcrjh+EC611MqREkU8RjYBh10ldQCQ6zpFKw=
-k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 h1:kmDqav+P+/5e1i9tFfHq1qcF3sOrDp+YEkVDAHu7Jwk=
-k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw=
+k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg=
+k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4=
+k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84=
+k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ=
+k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU=
+k8s.io/cli-runtime v0.28.2 h1:64meB2fDj10/ThIMEJLO29a1oujSm0GQmKzh1RtA/uk=
+k8s.io/cli-runtime v0.28.2/go.mod h1:bTpGOvpdsPtDKoyfG4EG041WIyFZLV9qq4rPlkyYfDA=
+k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY=
+k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY=
+k8s.io/component-base v0.28.0 h1:HQKy1enJrOeJlTlN4a6dU09wtmXaUvThC0irImfqyxI=
+k8s.io/component-base v0.28.0/go.mod h1:Yyf3+ZypLfMydVzuLBqJ5V7Kx6WwDr/5cN+dFjw1FNk=
+k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
+k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
+k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
+k8s.io/kubectl v0.28.0 h1:qhfju0OaU+JGeBlToPeeIg2UJUWP++QwTkpio6nlPKg=
+k8s.io/kubectl v0.28.0/go.mod h1:1We+E5nSX3/TVoSQ6y5Bzld5OhTBHZHlKEYl7g/NaTk=
+k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
+k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/kustomize/api v0.13.2 h1:kejWfLeJhUsTGioDoFNJET5LQe/ajzXhJGYoU+pJsiA=
-sigs.k8s.io/kustomize/api v0.13.2/go.mod h1:DUp325VVMFVcQSq+ZxyDisA8wtldwHxLZbr1g94UHsw=
-sigs.k8s.io/kustomize/kyaml v0.14.1 h1:c8iibius7l24G2wVAGZn/Va2wNys03GXLjYVIcFVxKA=
-sigs.k8s.io/kustomize/kyaml v0.14.1/go.mod h1:AN1/IpawKilWD7V+YvQwRGUvuUOOWpjsHu6uHwonSF4=
+sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0=
+sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY=
+sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM7vh3b7HvGNfXrJ/xL6BDMS0v1V/HHg5U=
+sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag=
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
diff --git a/licenses/Elastic-2.0.txt b/licenses/Elastic-2.0.txt
new file mode 100644
index 00000000000..809108b857f
--- /dev/null
+++ b/licenses/Elastic-2.0.txt
@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/1password/_dev/build/build.yml b/packages/1password/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/1password/_dev/build/build.yml
+++ b/packages/1password/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/1password/changelog.yml b/packages/1password/changelog.yml
index 62fbcc6bc6a..44714e6cebf 100644
--- a/packages/1password/changelog.yml
+++ b/packages/1password/changelog.yml
@@ -1,4 +1,24 @@
# newer versions go on top
+- version: "1.19.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.18.0"
+ changes:
+ - description: Add user detail fields to actor, object, and aux_info.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6851
+- version: "1.17.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.16.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
- version: "1.15.0"
changes:
- description: Convert dashboard to lens.
diff --git a/packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json b/packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json
index 1b27c94392e..8fedde28219 100644
--- a/packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json
+++ b/packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json
@@ -2,11 +2,11 @@
"events": [
{
"@timestamp": "2022-10-24T21:16:62.827288935Z",
- "message": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"},\"location\":{\"country\":\"Canada\",\"region\": \"Ontario\",\"city\": \"Toronto\",\"latitude\": 43.64,\"longitude\": -79.433}}"
+ "message": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"actor_details\":{\"uuid\":\"GLF6WUEKS5CSNDJ2OG6TCZD3M4\", \"name\":\"Test Actor\", \"email\":\"test.actor@domain.com\"},\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"},\"location\":{\"country\":\"Canada\",\"region\": \"Ontario\",\"city\": \"Toronto\",\"latitude\": 43.64,\"longitude\": -79.433}}"
},
{
"@timestamp": "2022-10-24T21:16:62.827288935Z",
- "message": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"}}"
+ "message": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"actor_details\":{\"uuid\":\"GLF6WUEKS5CSNDJ2OG6TCZD3M4\", \"name\":\"Test Actor\", \"email\":\"test.actor@domain.com\"},\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"}}"
}
]
}
\ No newline at end of file
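Review bot: Both fixture events keep the context-line `"@timestamp": "2022-10-24T21:16:62.827288935Z"`, which is not a valid timestamp (seconds = 62), and the expected output shows the pipeline copies that string verbatim into `event.created`, so the test never exercises a parsable agent timestamp. Since both `message` lines are rewritten in this commit anyway, this is the moment to set the two `@timestamp` values to a real instant, e.g. `"@timestamp": "2022-10-24T21:16:52.827288935Z"`, and regenerate the expected file. The two new events also carry identical `actor_details`; one of them could omit `name`/`email` so the `ignore_missing` branch of the new renames is covered.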
diff --git a/packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json-expected.json b/packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json-expected.json
index a240ab67eff..d2a9081a454 100644
--- a/packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json-expected.json
+++ b/packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2022-10-24T21:16:52.827Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "suspend",
@@ -12,12 +12,15 @@
],
"created": "2022-10-24T21:16:62.827288935Z",
"kind": "event",
- "original": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"},\"location\":{\"country\":\"Canada\",\"region\": \"Ontario\",\"city\": \"Toronto\",\"latitude\": 43.64,\"longitude\": -79.433}}",
+ "original": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"actor_details\":{\"uuid\":\"GLF6WUEKS5CSNDJ2OG6TCZD3M4\", \"name\":\"Test Actor\", \"email\":\"test.actor@domain.com\"},\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"},\"location\":{\"country\":\"Canada\",\"region\": \"Ontario\",\"city\": \"Toronto\",\"latitude\": 43.64,\"longitude\": -79.433}}",
"type": [
"access"
]
},
"onepassword": {
+ "actor_details": {
+ "uuid": "GLF6WUEKS5CSNDJ2OG6TCZD3M4"
+ },
"object_type": "user",
"object_uuid": "ZRQCUD6A65AKHFETOUFO7NL4OM",
"session": {
@@ -61,13 +64,15 @@
"preserve_original_event"
],
"user": {
- "id": "GLF6WUEKS5CSNDJ2OG6TCZD3M4"
+ "email": "test.actor@domain.com",
+ "id": "GLF6WUEKS5CSNDJ2OG6TCZD3M4",
+ "name": "Test Actor"
}
},
{
"@timestamp": "2022-10-24T21:16:52.827Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "suspend",
@@ -76,12 +81,15 @@
],
"created": "2022-10-24T21:16:62.827288935Z",
"kind": "event",
- "original": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"}}",
+ "original": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"actor_details\":{\"uuid\":\"GLF6WUEKS5CSNDJ2OG6TCZD3M4\", \"name\":\"Test Actor\", \"email\":\"test.actor@domain.com\"},\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"}}",
"type": [
"access"
]
},
"onepassword": {
+ "actor_details": {
+ "uuid": "GLF6WUEKS5CSNDJ2OG6TCZD3M4"
+ },
"object_type": "user",
"object_uuid": "ZRQCUD6A65AKHFETOUFO7NL4OM",
"session": {
@@ -125,7 +133,9 @@
"preserve_original_event"
],
"user": {
- "id": "GLF6WUEKS5CSNDJ2OG6TCZD3M4"
+ "email": "test.actor@domain.com",
+ "id": "GLF6WUEKS5CSNDJ2OG6TCZD3M4",
+ "name": "Test Actor"
}
}
]
diff --git a/packages/1password/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/1password/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
index 1831bb1f72e..160a8c3867c 100644
--- a/packages/1password/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/1password/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
@@ -16,7 +16,7 @@ processors:
#######################
- set:
field: ecs.version
- value: "8.8.0"
+ value: "8.9.0"
# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- set:
field: event.created
@@ -76,6 +76,14 @@ processors:
field: onepassword.actor_uuid
target_field: user.id
ignore_missing: true
+ - rename:
+ field: onepassword.actor_details.name
+ target_field: user.name
+ ignore_missing: true
+ - rename:
+ field: onepassword.actor_details.email
+ target_field: user.email
+ ignore_missing: true
########################
## ECS Source Mapping ##
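Review bot: The new rename sends `onepassword.actor_details.name` to `user.name`, but the fixture value (`Test Actor`) reads as a display name, and ECS reserves `user.name` for the short login/username while `user.full_name` is the field for a person's full name; if 1Password's `name` is the account holder's display name, `target_field: user.full_name` is the more faithful mapping and avoids polluting username-based detections with free-text names. This would need the matching `external: ecs` entry in fields/ecs.yml and the pipeline-test expected files updated in the same change. The `object_details` group (the user being acted on in a `suspend` event) is declared but not mapped to any ECS target; consider `user.target.id`/`user.target.email` so analysts do not have to fall back to vendor fields — I cannot see whether `related.user` is populated further down this pipeline, so that may also need a follow-up.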
diff --git a/packages/1password/data_stream/audit_events/fields/ecs.yml b/packages/1password/data_stream/audit_events/fields/ecs.yml
index ccb221d275b..c8cee87db6b 100644
--- a/packages/1password/data_stream/audit_events/fields/ecs.yml
+++ b/packages/1password/data_stream/audit_events/fields/ecs.yml
@@ -16,6 +16,10 @@
name: event.action
- external: ecs
name: user.id
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user.email
- external: ecs
name: source.as.number
- external: ecs
diff --git a/packages/1password/data_stream/audit_events/fields/fields.yml b/packages/1password/data_stream/audit_events/fields/fields.yml
index 32d5fa60501..7ac1319e3c3 100644
--- a/packages/1password/data_stream/audit_events/fields/fields.yml
+++ b/packages/1password/data_stream/audit_events/fields/fields.yml
@@ -4,18 +4,57 @@
- name: uuid
type: keyword
description: The UUID of the event.
+ - name: actor_uuid
+ type: keyword
+ description: The UUID of the actor.
+ - name: actor_details
+ type: group
+ fields:
+ - name: uuid
+ type: keyword
+ description: The UUID of the actor.
+ - name: name
+ type: keyword
+ description: The name of the actor.
+ - name: email
+ type: keyword
+ description: The email of the actor.
- name: object_type
type: keyword
description: The type of object changed by the event.
- name: object_uuid
type: keyword
description: The UUID of the object changed by the event.
+ - name: object_details
+ type: group
+ fields:
+ - name: uuid
+ type: keyword
+ description: The UUID of the object.
+ - name: name
+ type: keyword
+ description: The name of the object.
+ - name: email
+ type: keyword
+ description: The email of the object.
- name: aux_id
type: long
description: Any auxilary id related to the event.
- name: aux_uuid
type: keyword
description: Any auxilary uuid related to the event.
+ - name: aux_details
+ type: group
+ fields:
+ - name: uuid
+ type: keyword
+ description: The UUID of the aux resource.
+ - name: name
+ type: keyword
+ description: The name of the aux resource.
+ - name: email
+ type: keyword
+ description: The email of the aux resource.
- name: aux_info
type: text
description: Any auxilary info related to the event.
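Review bot: `onepassword.actor_uuid` and `onepassword.actor_details.name`/`email` are declared here, yet the ingest pipeline renames those exact fields away (to `user.id`, `user.name`, `user.email`) before indexing, so the generated field reference will advertise fields that never appear in indexed documents; either drop the three declarations or add a note to the descriptions that they are renamed to ECS, e.g. `description: The UUID of the actor (renamed to user.id by the ingest pipeline).` The `object_details.uuid` description could also say which object types carry an `email` (presumably only `user`), since the group is reused for every `object_type`.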
diff --git a/packages/1password/data_stream/audit_events/sample_event.json b/packages/1password/data_stream/audit_events/sample_event.json
index 4ed12b45145..550c520344e 100644
--- a/packages/1password/data_stream/audit_events/sample_event.json
+++ b/packages/1password/data_stream/audit_events/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2022-10-24T21:16:52.827Z",
"agent": {
- "ephemeral_id": "26875e28-ac90-42f2-bcc9-5969510c2882",
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "ephemeral_id": "9bb571f6-a939-462a-8ade-8e81db645f4c",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.8.0"
+ "version": "8.7.1"
},
"data_stream": {
"dataset": "1password.audit_events",
@@ -13,12 +13,12 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"snapshot": false,
- "version": "8.8.0"
+ "version": "8.7.1"
},
"event": {
"action": "suspend",
@@ -26,9 +26,9 @@
"category": [
"configuration"
],
- "created": "2023-05-30T15:57:13.805Z",
+ "created": "2023-07-06T16:28:01.807Z",
"dataset": "1password.audit_events",
- "ingested": "2023-05-30T15:57:17Z",
+ "ingested": "2023-07-06T16:28:02Z",
"kind": "event",
"type": [
"access"
@@ -38,8 +38,19 @@
"type": "httpjson"
},
"onepassword": {
+ "actor_uuid": "GLF6WUEKS5CSNDJ2OG6TCZD3M4",
+ "actor_details": {
+ "uuid": "GLF6WUEKS5CSNDJ2OG6TCZD3M4",
+ "name": "Test Actor",
+ "email": "test.actor@domain.com"
+ },
"object_type": "user",
"object_uuid": "ZRQCUD6A65AKHFETOUFO7NL4OM",
+ "object_details": {
+ "uuid": "ZRQCUD6A65AKHFETOUFO7NL4OM",
+ "name": "Test Object",
+ "email": "test.object@domain.com"
+ },
"session": {
"device_uuid": "rqtd557fn2husnstp5nc66w2xa",
"login_time": "2022-10-24T21:07:34.703106271Z",
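Review bot: This sample event looks hand-edited rather than produced by the system test: it lists `onepassword.actor_uuid`, `onepassword.actor_details.name` and `onepassword.actor_details.email`, but the ingest pipeline in this same commit renames those fields to `user.id`, `user.name` and `user.email`, and the pipeline-test expected output keeps only `onepassword.actor_details.uuid`. Because `docs/README.md` embeds this file verbatim, the published field documentation will disagree with what actually lands in the index. Regenerate it with `elastic-package test system --generate` so the sample reflects real pipeline output (including the `user.*` block and `object_details`, if the API returns it).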
diff --git a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json
index 0e1dc04c455..544fae42768 100644
--- a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json
+++ b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2021-08-30T18:57:42.484Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "reveal",
@@ -76,7 +76,7 @@
{
"@timestamp": "2021-08-30T19:10:00.123Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml b/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
index 1d57554f4f7..8b230b89b3c 100644
--- a/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
@@ -16,7 +16,7 @@ processors:
#######################
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- set:
field: event.created
diff --git a/packages/1password/data_stream/item_usages/sample_event.json b/packages/1password/data_stream/item_usages/sample_event.json
index 6b1c52bae98..c4e920fcdb2 100644
--- a/packages/1password/data_stream/item_usages/sample_event.json
+++ b/packages/1password/data_stream/item_usages/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2021-08-30T18:57:42.484Z",
"agent": {
- "ephemeral_id": "cb0f64dc-e67b-4c05-abab-c76b645f5d31",
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "ephemeral_id": "9bb571f6-a939-462a-8ade-8e81db645f4c",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.8.0"
+ "version": "8.7.1"
},
"data_stream": {
"dataset": "1password.item_usages",
@@ -13,12 +13,12 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"snapshot": false,
- "version": "8.8.0"
+ "version": "8.7.1"
},
"event": {
"action": "reveal",
@@ -26,9 +26,9 @@
"category": [
"file"
],
- "created": "2023-05-30T15:57:58.916Z",
+ "created": "2023-07-06T16:28:36.877Z",
"dataset": "1password.item_usages",
- "ingested": "2023-05-30T15:57:59Z",
+ "ingested": "2023-07-06T16:28:37Z",
"kind": "event",
"type": [
"access"
diff --git a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json
index 4860ebe51b8..18073acd013 100644
--- a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json
+++ b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2021-08-11T14:28:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success",
@@ -78,7 +78,7 @@
{
"@timestamp": "2021-08-11T15:04:22.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "credentials_failed",
diff --git a/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml b/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
index 1f002325800..065ee3bef28 100644
--- a/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
@@ -16,7 +16,7 @@ processors:
#######################
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- set:
field: event.created
diff --git a/packages/1password/data_stream/signin_attempts/sample_event.json b/packages/1password/data_stream/signin_attempts/sample_event.json
index b28f772cb35..4a1878f2c0a 100644
--- a/packages/1password/data_stream/signin_attempts/sample_event.json
+++ b/packages/1password/data_stream/signin_attempts/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2021-08-11T14:28:03.000Z",
"agent": {
- "ephemeral_id": "a8a828b3-bb8a-4339-8bad-78fe5093d055",
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "ephemeral_id": "9bb571f6-a939-462a-8ade-8e81db645f4c",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.8.0"
+ "version": "8.7.1"
},
"data_stream": {
"dataset": "1password.signin_attempts",
@@ -13,12 +13,12 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"snapshot": false,
- "version": "8.8.0"
+ "version": "8.7.1"
},
"event": {
"action": "success",
@@ -26,9 +26,9 @@
"category": [
"authentication"
],
- "created": "2023-05-30T15:58:35.089Z",
+ "created": "2023-07-06T16:29:08.915Z",
"dataset": "1password.signin_attempts",
- "ingested": "2023-05-30T15:58:38Z",
+ "ingested": "2023-07-06T16:29:09Z",
"kind": "event",
"outcome": "success",
"type": [
diff --git a/packages/1password/docs/README.md b/packages/1password/docs/README.md
index f36c1c4f47a..5c3e0b77129 100644
--- a/packages/1password/docs/README.md
+++ b/packages/1password/docs/README.md
@@ -34,9 +34,9 @@ Use the 1Password Events API to retrieve information about sign-in attempts. Eve
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
@@ -79,11 +79,11 @@ An example event for `signin_attempts` looks as following:
{
"@timestamp": "2021-08-11T14:28:03.000Z",
"agent": {
- "ephemeral_id": "a8a828b3-bb8a-4339-8bad-78fe5093d055",
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "ephemeral_id": "9bb571f6-a939-462a-8ade-8e81db645f4c",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.8.0"
+ "version": "8.7.1"
},
"data_stream": {
"dataset": "1password.signin_attempts",
@@ -91,12 +91,12 @@ An example event for `signin_attempts` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"snapshot": false,
- "version": "8.8.0"
+ "version": "8.7.1"
},
"event": {
"action": "success",
@@ -104,9 +104,9 @@ An example event for `signin_attempts` looks as following:
"category": [
"authentication"
],
- "created": "2023-05-30T15:58:35.089Z",
+ "created": "2023-07-06T16:29:08.915Z",
"dataset": "1password.signin_attempts",
- "ingested": "2023-05-30T15:58:38Z",
+ "ingested": "2023-07-06T16:29:09Z",
"kind": "event",
"outcome": "success",
"type": [
@@ -175,9 +175,9 @@ This uses the 1Password Events API to retrieve information about items in shared
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| input.type | Input type | keyword |
@@ -218,11 +218,11 @@ An example event for `item_usages` looks as following:
{
"@timestamp": "2021-08-30T18:57:42.484Z",
"agent": {
- "ephemeral_id": "cb0f64dc-e67b-4c05-abab-c76b645f5d31",
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "ephemeral_id": "9bb571f6-a939-462a-8ade-8e81db645f4c",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.8.0"
+ "version": "8.7.1"
},
"data_stream": {
"dataset": "1password.item_usages",
@@ -230,12 +230,12 @@ An example event for `item_usages` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"snapshot": false,
- "version": "8.8.0"
+ "version": "8.7.1"
},
"event": {
"action": "reveal",
@@ -243,9 +243,9 @@ An example event for `item_usages` looks as following:
"category": [
"file"
],
- "created": "2023-05-30T15:57:58.916Z",
+ "created": "2023-07-06T16:28:36.877Z",
"dataset": "1password.item_usages",
- "ingested": "2023-05-30T15:57:59Z",
+ "ingested": "2023-07-06T16:28:37Z",
"kind": "event",
"type": [
"access"
@@ -313,15 +313,25 @@ This uses the 1Password Events API to retrieve information about audit events. E
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| input.type | Input type | keyword |
+| onepassword.actor_details.email | The email of the actor. | keyword |
+| onepassword.actor_details.name | The name of the actor. | keyword |
+| onepassword.actor_details.uuid | The UUID of the actor. | keyword |
+| onepassword.actor_uuid | The UUID of the actor. | keyword |
+| onepassword.aux_details.email | The email of the aux resource. | keyword |
+| onepassword.aux_details.name | The name of the aux resource. | keyword |
+| onepassword.aux_details.uuid | The UUID of the aux resource. | keyword |
| onepassword.aux_id | Any auxilary id related to the event. | long |
| onepassword.aux_info | Any auxilary info related to the event. | text |
| onepassword.aux_uuid | Any auxilary uuid related to the event. | keyword |
+| onepassword.object_details.email | The email of the object. | keyword |
+| onepassword.object_details.name | The name of the object. | keyword |
+| onepassword.object_details.uuid | The UUID of the object. | keyword |
| onepassword.object_type | The type of object changed by the event. | keyword |
| onepassword.object_uuid | The UUID of the object changed by the event. | keyword |
| onepassword.session.device_uuid | The device uuid of the session used to create the event. | keyword |
@@ -342,7 +352,10 @@ This uses the 1Password Events API to retrieve information about audit events. E
| source.geo.region_name | Region name. | keyword |
| source.ip | IP address of the source (IPv4 or IPv6). | ip |
| tags | List of keywords used to tag each event. | keyword |
+| user.email | User email address. | keyword |
| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
An example event for `audit_events` looks as following:
@@ -351,11 +364,11 @@ An example event for `audit_events` looks as following:
{
"@timestamp": "2022-10-24T21:16:52.827Z",
"agent": {
- "ephemeral_id": "26875e28-ac90-42f2-bcc9-5969510c2882",
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "ephemeral_id": "9bb571f6-a939-462a-8ade-8e81db645f4c",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.8.0"
+ "version": "8.7.1"
},
"data_stream": {
"dataset": "1password.audit_events",
@@ -363,12 +376,12 @@ An example event for `audit_events` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "437fe922-4551-429d-a49f-0a4ad40bf297",
+ "id": "d7b99bc0-ce95-4664-af6f-80d525d96e77",
"snapshot": false,
- "version": "8.8.0"
+ "version": "8.7.1"
},
"event": {
"action": "suspend",
@@ -376,9 +389,9 @@ An example event for `audit_events` looks as following:
"category": [
"configuration"
],
- "created": "2023-05-30T15:57:13.805Z",
+ "created": "2023-07-06T16:28:01.807Z",
"dataset": "1password.audit_events",
- "ingested": "2023-05-30T15:57:17Z",
+ "ingested": "2023-07-06T16:28:02Z",
"kind": "event",
"type": [
"access"
@@ -388,8 +401,19 @@ An example event for `audit_events` looks as following:
"type": "httpjson"
},
"onepassword": {
+ "actor_uuid": "GLF6WUEKS5CSNDJ2OG6TCZD3M4",
+ "actor_details": {
+ "uuid": "GLF6WUEKS5CSNDJ2OG6TCZD3M4",
+ "name": "Test Actor",
+ "email": "test.actor@domain.com"
+ },
"object_type": "user",
"object_uuid": "ZRQCUD6A65AKHFETOUFO7NL4OM",
+ "object_details": {
+ "uuid": "ZRQCUD6A65AKHFETOUFO7NL4OM",
+ "name": "Test Object",
+ "email": "test.object@domain.com"
+ },
"session": {
"device_uuid": "rqtd557fn2husnstp5nc66w2xa",
"login_time": "2022-10-24T21:07:34.703106271Z",
diff --git a/packages/1password/kibana/tags.yml b/packages/1password/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/1password/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/1password/manifest.yml b/packages/1password/manifest.yml
index 597b1285dcd..497c458d6ff 100644
--- a/packages/1password/manifest.yml
+++ b/packages/1password/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.7.0
+format_version: 2.11.0
name: 1password
title: "1Password"
-version: "1.15.0"
+version: "1.19.0"
description: Collect logs from 1Password with Elastic Agent.
type: integration
categories:
@@ -57,6 +57,7 @@ policy_templates:
- name: http_client_timeout
type: text
title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: false
show_user: true
diff --git a/packages/airflow/changelog.yml b/packages/airflow/changelog.yml
index a40f439b551..7025ab3d3de 100644
--- a/packages/airflow/changelog.yml
+++ b/packages/airflow/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: "0.4.0"
+ changes:
+ - description: Enable time series data streams for the metrics datasets. This dramatically reduces storage for metrics and is expected to progressively improve query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6776
+- version: "0.3.1"
+ changes:
+ - description: Remove metric_type mapping for 'airflow.scheduler.heartbeat' field and adjust the dashboard to visualize this field using 'last_value'.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7554
+- version: "0.3.0"
+ changes:
+ - description: Revert metrics field definition to the format used before introducing metric_type.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7469
- version: "0.2.0"
changes:
- description: Add metric_type mapping for the fields of `statsd` datastream.
diff --git a/packages/airflow/data_stream/statsd/fields/fields.yml b/packages/airflow/data_stream/statsd/fields/fields.yml
index ebcb21de8d7..00bfdfe5a24 100644
--- a/packages/airflow/data_stream/statsd/fields/fields.yml
+++ b/packages/airflow/data_stream/statsd/fields/fields.yml
@@ -2,9 +2,14 @@
type: group
fields:
- name: '*.count'
- type: double
+ type: object
+ object_type: double
+ object_type_mapping_type: "*"
metric_type: counter
description: Airflow counters
+ - name: scheduler_heartbeat.count
+ type: double
+ description: Airflow scheduler heartbeat
- name: '*.max'
type: object
object_type: double
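Review bot: The newly declared `scheduler_heartbeat.count` also matches the `'*.count'` wildcard two entries above, and the two disagree on `metric_type` — the wildcard says `counter`, the explicit field says nothing. As far as I know an explicit property takes precedence over the dynamic template the wildcard generates, which is what the 0.3.1 changelog entry intends, but that intent is invisible in the mapping; a comment on the new entry, `# explicit mapping: overrides the '*.count' wildcard so this field carries no metric_type (visualized with last_value)`, would save the next reader the trip. The changelog entry names the field 'airflow.scheduler.heartbeat' while the mapping and README use `scheduler_heartbeat.count`; one of them should be corrected so the history can be searched by field name.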
@@ -36,7 +41,9 @@
object_type_mapping_type: "*"
description: Airflow standard deviation timers metric
- name: '*.value'
- type: double
+ type: object
+ object_type: double
+ object_type_mapping_type: "*"
metric_type: gauge
description: Airflow gauges
- name: 'dag_file'
diff --git a/packages/airflow/data_stream/statsd/manifest.yml b/packages/airflow/data_stream/statsd/manifest.yml
index ae5c2cd427a..23f50d6375d 100644
--- a/packages/airflow/data_stream/statsd/manifest.yml
+++ b/packages/airflow/data_stream/statsd/manifest.yml
@@ -6,3 +6,5 @@ streams:
enabled: true
title: Airflow metrics
description: Collect Airflow metrics
+elasticsearch:
+ index_mode: "time_series"
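Review bot: Switching this data stream to `index_mode: "time_series"` requires at least one field mapped as a dimension, and none of the visible `fields.yml` changes mark any field `dimension: true`; if the dimension fields are not declared elsewhere in the package, index creation fails, so please confirm where they come from. Under TSDS two documents with identical dimension values and the same `@timestamp` are treated as duplicates, so the statsd metadata fields that distinguish series (`dag_id`, `task_id`, `pool_name` and friends) are the natural dimension candidates, and their absence would silently drop data rather than error. Separately, the airflow package manifest still declares `format_version: 1.0.0`, which I believe predates package-spec support for `elasticsearch.index_mode`; worth verifying with `elastic-package lint` before this ships.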
diff --git a/packages/airflow/docs/README.md b/packages/airflow/docs/README.md
index 25fddda4e44..9b8beaebb00 100644
--- a/packages/airflow/docs/README.md
+++ b/packages/airflow/docs/README.md
@@ -29,19 +29,20 @@ statsd_prefix =
|---|---|---|---|
| @timestamp | Event timestamp. | date | |
| agent.id | | keyword | |
-| airflow.\*.count | Airflow counters | double | counter |
+| airflow.\*.count | Airflow counters | object | counter |
| airflow.\*.max | Airflow max timers metric | object | |
| airflow.\*.mean | Airflow mean timers metric | object | |
| airflow.\*.mean_rate | Airflow mean rate timers metric | object | |
| airflow.\*.median | Airflow median timers metric | object | |
| airflow.\*.min | Airflow min timers metric | object | |
| airflow.\*.stddev | Airflow standard deviation timers metric | object | |
-| airflow.\*.value | Airflow gauges | double | gauge |
+| airflow.\*.value | Airflow gauges | object | gauge |
| airflow.dag_file | Airflow dag file metadata | keyword | |
| airflow.dag_id | Airflow dag id metadata | keyword | |
| airflow.job_name | Airflow job name metadata | keyword | |
| airflow.operator_name | Airflow operator name metadata | keyword | |
| airflow.pool_name | Airflow pool name metadata | keyword | |
+| airflow.scheduler_heartbeat.count | Airflow scheduler heartbeat | double | |
| airflow.status | Airflow status metadata | keyword | |
| airflow.task_id | Airflow task id metadata | keyword | |
| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
diff --git a/packages/airflow/kibana/dashboard/airflow-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75.json b/packages/airflow/kibana/dashboard/airflow-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75.json
index b1ddbc8f1a3..dfb8d882bf5 100644
--- a/packages/airflow/kibana/dashboard/airflow-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75.json
+++ b/packages/airflow/kibana/dashboard/airflow-a3aa42d0-a465-11ed-9ff0-ab4dd59e4c75.json
@@ -433,17 +433,21 @@
"048f8624-04ff-4967-8515-011f90aae3ab": {
"customLabel": true,
"dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "airflow.scheduler_heartbeat.count: *"
+ },
"isBucketed": false,
"label": "Scheduler Heartbeat",
- "operationType": "sum",
+ "operationType": "last_value",
"params": {
- "emptyAsNull": true,
"format": {
"id": "number",
"params": {
"decimals": 0
}
- }
+ },
+ "sortField": "@timestamp"
},
"scale": "ratio",
"sourceField": "airflow.scheduler_heartbeat.count"
@@ -944,16 +948,6 @@
"id": "metrics-*",
"name": "1582880b-fb1a-4969-800d-bd594057a5ac:indexpattern-datasource-layer-a12d3d3c-3859-4532-a639-fdb7ba3fd1eb",
"type": "index-pattern"
- },
- {
- "id": "airflow-fleet-managed-default",
- "name": "tag-fleet-managed-default",
- "type": "tag"
- },
- {
- "id": "airflow-fleet-pkg-airflow-default",
- "name": "tag-fleet-pkg-airflow-default",
- "type": "tag"
}
],
"type": "dashboard"
diff --git a/packages/airflow/manifest.yml b/packages/airflow/manifest.yml
index fc69c7c3b8d..48136adec8e 100644
--- a/packages/airflow/manifest.yml
+++ b/packages/airflow/manifest.yml
@@ -1,6 +1,6 @@
name: airflow
title: Airflow
-version: "0.2.0"
+version: "0.4.0"
description: Airflow Integration.
type: integration
format_version: 1.0.0
@@ -8,7 +8,7 @@ license: basic
categories:
- observability
conditions:
- kibana.version: "^8.5.0"
+ kibana.version: "^8.9.0"
icons:
- src: /img/airflow.svg
title: Airflow logo
diff --git a/packages/akamai/_dev/build/build.yml b/packages/akamai/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/akamai/_dev/build/build.yml
+++ b/packages/akamai/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/akamai/changelog.yml b/packages/akamai/changelog.yml
index 59302252a88..7b4a5ab68d3 100644
--- a/packages/akamai/changelog.yml
+++ b/packages/akamai/changelog.yml
@@ -1,4 +1,34 @@
# newer versions go on top
+- version: 2.16.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "2.15.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "2.14.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "2.13.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
+- version: "2.12.0"
+ changes:
+ - description: Add event limit parameter to REST endpoint stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7132
+- version: "2.11.0"
+ changes:
+ - description: Document valid duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6706
- version: "2.10.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json
index 9a5feb12cde..f07aee92629 100644
--- a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json
+++ b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json
@@ -107,7 +107,7 @@
"ip": "89.160.20.156"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -272,7 +272,7 @@
"ip": "89.160.20.156"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs b/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs
index 4c04047189e..e1db00567d8 100644
--- a/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs
+++ b/packages/akamai/data_stream/siem/agent/stream/httpjson.yml.hbs
@@ -27,6 +27,11 @@ request.transforms:
target: url.params.offset
value: >-
[[ if (index .cursor "last_offset") ]][[ .cursor.last_offset ]][[ end ]]
+{{#if event_limit}}
+ - set:
+ target: url.params.limit
+ value: '{{event_limit}}'
+{{/if}}
- set:
target: header.XTimestamp
value: '[[ formatDate (now) "20060102T15:04:05-0700" ]]'
diff --git a/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml b/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml
index a46333eb209..80f340d8b90 100644
--- a/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing Akamai logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/akamai/data_stream/siem/manifest.yml b/packages/akamai/data_stream/siem/manifest.yml
index a762ec6b8a5..1de85ac81b0 100644
--- a/packages/akamai/data_stream/siem/manifest.yml
+++ b/packages/akamai/data_stream/siem/manifest.yml
@@ -46,6 +46,7 @@ streams:
- name: http_client_timeout
type: text
title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: false
show_user: true
@@ -56,7 +57,7 @@ streams:
multi: false
required: true
show_user: true
- description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.
default: 1h
- name: initial_interval
type: text
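Review bot: The unit wording is inconsistent within this manifest: this hunk and the `initial_interval` hunk below say `Supported units for this parameter are h/m/s.`, while `http_client_timeout` a few lines above and the bucket timeout in the `@@ -170,7 +178,7 @@` hunk say `Valid time units are ns, us, ms, s, m, h.` All four are Go-style durations parsed the same way, so the differing phrasing invites readers to wonder whether the parsers differ. If sub-second units are deliberately not advertised for the interval fields, `Valid time units are h, m, s.` keeps the sentence shape consistent while preserving that choice.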
@@ -65,7 +66,14 @@ streams:
required: true
show_user: true
default: 24h
- description: Initial interval to poll for events. Default is 24 hours.
+ description: Initial interval to poll for events. Default is 24 hours. Supported units for this parameter are h/m/s.
+ - name: event_limit
+ type: integer
+ multi: false
+ required: false
+ show_user: false
+ title: Event Limit
+ description: Defines the approximate maximum number of security events each fetch returns, in both offset and time-based modes. The default limit is 10000 and the maximum limit available is 600000. Listing an unlimited number of logs isn't possible. Expect requests to return a slightly higher number of security events than you set in the limit parameter, because data is stored in different buckets.
- name: proxy_url
type: text
title: Proxy URL
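Review bot: `event_limit` documents a default of 10000 and a maximum of 600000, but nothing in the package enforces either bound, so a value outside the range is presumably only rejected (or clamped) by the Akamai SIEM API at request time and the operator gets no hint from the description that this surfaces as a fetch error. Consider adding a sentence such as `Values above the maximum are rejected by the API; leave empty to use the API default.` In the corresponding `httpjson.yml.hbs` hunk the parameter is only emitted inside `{{#if event_limit}}`, so an explicit `0` is silently treated as unset — fine if intended, but worth a word here as well.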
@@ -170,7 +178,7 @@ streams:
required: false
show_user: true
default: 120s
- description: Defines the maximum time that the sdk will wait for a bucket api response before timing out.
+ description: Defines the maximum time that the sdk will wait for a bucket api response before timing out. Valid time units are ns, us, ms, s, m, h.
- name: buckets
type: yaml
title: Buckets
diff --git a/packages/akamai/data_stream/siem/sample_event.json b/packages/akamai/data_stream/siem/sample_event.json
index 645ff12c0eb..605cf79c4d3 100644
--- a/packages/akamai/data_stream/siem/sample_event.json
+++ b/packages/akamai/data_stream/siem/sample_event.json
@@ -107,7 +107,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/akamai/docs/README.md b/packages/akamai/docs/README.md
index f0aa0991374..ae3dab85261 100644
--- a/packages/akamai/docs/README.md
+++ b/packages/akamai/docs/README.md
@@ -73,14 +73,14 @@ See [Akamai API get started](https://techdocs.akamai.com/siem-integration/refere
| error.message | Error message. | match_only_text |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
@@ -257,7 +257,7 @@ An example event for `siem` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/akamai/kibana/tags.yml b/packages/akamai/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/akamai/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/akamai/manifest.yml b/packages/akamai/manifest.yml
index bb13c97ea23..49ddc804ce2 100644
--- a/packages/akamai/manifest.yml
+++ b/packages/akamai/manifest.yml
@@ -1,12 +1,13 @@
name: akamai
title: Akamai
-version: "2.10.0"
+version: "2.16.0"
description: Collect logs from Akamai with Elastic Agent.
type: integration
-format_version: 2.7.0
+format_version: "3.0.0"
categories: [security, cdn_security]
conditions:
- kibana.version: "^8.7.1"
+ kibana:
+ version: "^8.7.1"
icons:
- src: /img/akamai_logo.svg
title: Akamai
@@ -25,3 +26,4 @@ policy_templates:
description: "Collecting SIEM logs from Akamai via Google Cloud Storage"
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/amazon_security_lake/_dev/build/build.yml b/packages/amazon_security_lake/_dev/build/build.yml
new file mode 100644
index 00000000000..0757a6edf35
--- /dev/null
+++ b/packages/amazon_security_lake/_dev/build/build.yml
@@ -0,0 +1,4 @@
+dependencies:
+ ecs:
+ reference: git@v8.10.0
+ import_mappings: true
diff --git a/packages/amazon_security_lake/_dev/build/docs/README.md b/packages/amazon_security_lake/_dev/build/docs/README.md
new file mode 100644
index 00000000000..c1d2e8795a6
--- /dev/null
+++ b/packages/amazon_security_lake/_dev/build/docs/README.md
@@ -0,0 +1,109 @@
+# Amazon Security Lake
+
+This [Amazon Security Lake](https://aws.amazon.com/security-lake/) integration helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization. With Security Lake, you can also improve the protection of your workloads, applications, and data.
+
+Security Lake automates the collection of security-related log and event data from integrated AWS services and third-party services. It also helps you manage the lifecycle of data with customizable retention and replication settings. Security Lake converts ingested data into Apache Parquet format and a standard open-source schema called the Open Cybersecurity Schema Framework (OCSF). With OCSF support, Security Lake normalizes and combines security data from AWS and a broad range of enterprise security data sources.
+
+The Amazon Security Lake integration can be used in two different modes to collect data:
+- AWS S3 polling mode: Amazon Security Lake writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files.
+- AWS S3 SQS mode: Amazon Security Lake writes data to S3, S3 sends a notification of a new object to SQS, the Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple agents can be used in this mode.
+
+## Compatibility
+
+This module follows the latest OCSF Schema Version **v1.0.0-rc.3**.
+
+## Data streams
+
+The Amazon Security Lake integration collects logs for the below [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) combined in a data stream named event:
+
+| Source | Class Name |
+|-------------------------------------|-----------------------------------------------------|
+| CloudTrail Lambda Data Events | API Activity |
+| CloudTrail Management Events | API Activity, Authentication, or Account Change |
+| CloudTrail S3 Data Events | API Activity |
+| Route 53 | DNS Activity |
+| Security Hub | Security Finding |
+| VPC Flow Logs | Network Activity |
+
+### **NOTE**:
+- The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html).
+
+## Requirements
+
+- Elastic Agent must be installed.
+- You can install only one Elastic Agent per host.
+- Elastic Agent is required to stream data from the S3 bucket and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Installing and managing an Elastic Agent:
+
+You have a few options for installing and managing an Elastic Agent:
+
+### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
+
+### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+The minimum **kibana.version** required is **8.11.0**.
+
+## Setup
+
+### To collect data from an AWS S3 bucket or AWS SQS, follow the below steps:
+
+1. To enable and start Amazon Security Lake, follow the steps mentioned here: `https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html`.
+2. Above steps will create AWS S3 bucket and AWS SQS queue.
+3. Please follow below steps to create [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html#roles-creatingrole-user-console):
+ 1. Sign in to the AWS Management Console and open the [IAM console](https://console.aws.amazon.com/iam/).
+ 2. In the navigation panel, choose Roles and then click on Create role.
+ 3. Choose **AWS account** role type.
+ 
+ 4. To create a role user have two options,
+ - To create a role for your account, choose **This account**.
+ 
+ - To create a role for another account, choose **Another AWS account** and enter the Account ID to which you want to grant access to your resources.
+ 
+ 5. If you are granting permissions to users from an account that you don't control, and the users will assume this role programmatically, select **Require external ID**. The external ID can be any phrase or number that is agreed upon between you and the administrator of the third party account. Then Click Next.
+ 
+ 6. Select **AmazonS3FullAccess** and **AmazonSQSFullAccess** from Permissions policies. Then Click Next.
+ 
+ 
+ 7. For Role name, enter a name for your role. Role name must be unique within your AWS account.
+ 8. Preview the role and then choose Create role.
+
+### Enabling the integration in Elastic:
+
+1. In Kibana go to Management > Integrations.
+2. In "Search for integrations" search bar, type Amazon Security Lake.
+3. Click on the "Amazon Security Lake" integration from the search results.
+4. Click on the Add Amazon Security Lake Integration button to add the integration.
+5. By default collect logs via S3 Bucket toggle will be off and collect logs for AWS SQS.
+6. While adding the integration, if you want to collect logs via AWS SQS, then you have to put the following details:
+ - queue url
+ - collect logs via S3 Bucket toggled off
+ - Shared Credential File Path and Credential Profile Name / Access Key Id and Secret Access Key
+
+ or if you want to collect logs via AWS S3, then you have to put the following details:
+ - bucket arn
+ - collect logs via S3 Bucket toggled on
+ - Shared Credential File Path and Credential Profile Name / Access Key Id and Secret Access Key
+7. If user wants to access security lake by Assuming Role then add Role ARN or if user want to access resources of another account using Role ARN then add Role ARN and external ID.
+
+**NOTE**: There are other input combination options available, please check [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html).
+
+## Logs reference
+
+### Event
+
+This is the `Event` dataset.
+
+#### Example
+
+{{fields "event"}}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml
new file mode 100644
index 00000000000..38784b5ade4
--- /dev/null
+++ b/packages/amazon_security_lake/changelog.yml
@@ -0,0 +1,26 @@
+# newer versions go on top
+- version: 0.4.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "0.3.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "0.2.1"
+ changes:
+ - description: Readme indentation fixing.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7838
+- version: "0.2.0"
+ changes:
+ - description: Add External ID parameter and Update User guide.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7833
+- version: "0.1.0"
+ changes:
+ - description: Initial release.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7176
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-account-change.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-account-change.log
new file mode 100644
index 00000000000..baeb516ae1b
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-account-change.log
@@ -0,0 +1 @@
+{"activity_id":1,"activity_name":"Create","actor":{"idp":{},"session":{"created_time":1679071437000,"issuer":"arn:aws:iam::112233445566:role/Admin","mfa":false},"user":{"account":{"uid": "112233445566"},"credential_uid":"ASIA2W7SOKHDHBO4U2HE","type":"AssumedRole","uid":"AROA2W7SOKHDLNCOKZNPS:Admin-user"}},"api":{"operation":"CreateUser","request":{"uid":"c99bf9da-e0bd-4bf7-bb32-c8be25618afc"},"response":{},"service":{"name":"iam.amazonaws.com"}},"category_name":"Audit Activity","category_uid":3,"class_name":"Account Change","class_uid":3001,"cloud":{"provider":"AWS","region":"us-east-1"},"http_request":{"user_agent":"AWS Internal"},"metadata":{"product":{"feature":{"name":"Management"},"name":"CloudTrail","vendor_name":"AWS","version":"1.08"},"profiles":["cloud"],"uid":"7dd15a89-ae0f-4340-8e6c-d6981246c71b","version":"1.0.0-rc.2"},"severity":"Informational","severity_id":1,"src_endpoint":{"ip":"1.128.0.0"},"status":"Success","status_id":1,"time":1679072879000,"type_name":"Account Change: Create","type_uid":300101,"unmapped":{"eventType":"AwsApiCall","managementEvent":"true","readOnly":"false","recipientAccountId":"112233445566","responseElements.user.arn":"arn:aws:iam::112233445566:user/test_user2","responseElements.user.createDate":"Mar 17, 2023 5:07:59 PM","responseElements.user.path":"/","sessionCredentialFromConsole":"true","userIdentity.sessionContext.sessionIssuer.accountId":"112233445566","userIdentity.sessionContext.sessionIssuer.principalId":"AROA2W7SOKHDLNCOKZNPS","userIdentity.sessionContext.sessionIssuer.type":"Role","userIdentity.sessionContext.sessionIssuer.userName":"Admin"},"user":{"name":"test_user2","uid":"AIDA2W7SOKHDM47UMJRTX"}}
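Review bot: The fixture carries production-format IAM identifiers — `credential_uid` `ASIA2W7SOKHDHBO4U2HE` here, and `AKIA3Z2XBVUDFQ9TU4MD` together with the non-reserved account id `811596193553` in test-api-activity.log — rather than the documentation-style placeholders the authentication fixture already uses (`AIDACKCEVSQ6C2EXAMPLE`). Access key ids are not secrets, but values in this form trip secret scanners on every clone and, if they were ever real, tie a public repository to a live principal. Suggest normalizing them to `...EXAMPLE`-style ids and a reserved example account id, then regenerating the matching `-expected.json` files so the `event.original` strings stay in sync.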
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-account-change.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-account-change.log-expected.json
new file mode 100644
index 00000000000..f1c4bf9ef6c
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-account-change.log-expected.json
@@ -0,0 +1,144 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-03-17T17:07:59.000Z",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.10.0"
+ },
+ "event": {
+ "action": "create",
+ "category": [
+ "iam"
+ ],
+ "id": "7dd15a89-ae0f-4340-8e6c-d6981246c71b",
+ "kind": "event",
+ "original": "{\"activity_id\":1,\"activity_name\":\"Create\",\"actor\":{\"idp\":{},\"session\":{\"created_time\":1679071437000,\"issuer\":\"arn:aws:iam::112233445566:role/Admin\",\"mfa\":false},\"user\":{\"account\":{\"uid\": \"112233445566\"},\"credential_uid\":\"ASIA2W7SOKHDHBO4U2HE\",\"type\":\"AssumedRole\",\"uid\":\"AROA2W7SOKHDLNCOKZNPS:Admin-user\"}},\"api\":{\"operation\":\"CreateUser\",\"request\":{\"uid\":\"c99bf9da-e0bd-4bf7-bb32-c8be25618afc\"},\"response\":{},\"service\":{\"name\":\"iam.amazonaws.com\"}},\"category_name\":\"Audit Activity\",\"category_uid\":3,\"class_name\":\"Account Change\",\"class_uid\":3001,\"cloud\":{\"provider\":\"AWS\",\"region\":\"us-east-1\"},\"http_request\":{\"user_agent\":\"AWS Internal\"},\"metadata\":{\"product\":{\"feature\":{\"name\":\"Management\"},\"name\":\"CloudTrail\",\"vendor_name\":\"AWS\",\"version\":\"1.08\"},\"profiles\":[\"cloud\"],\"uid\":\"7dd15a89-ae0f-4340-8e6c-d6981246c71b\",\"version\":\"1.0.0-rc.2\"},\"severity\":\"Informational\",\"severity_id\":1,\"src_endpoint\":{\"ip\":\"1.128.0.0\"},\"status\":\"Success\",\"status_id\":1,\"time\":1679072879000,\"type_name\":\"Account Change: Create\",\"type_uid\":300101,\"unmapped\":{\"eventType\":\"AwsApiCall\",\"managementEvent\":\"true\",\"readOnly\":\"false\",\"recipientAccountId\":\"112233445566\",\"responseElements.user.arn\":\"arn:aws:iam::112233445566:user/test_user2\",\"responseElements.user.createDate\":\"Mar 17, 2023 5:07:59 PM\",\"responseElements.user.path\":\"/\",\"sessionCredentialFromConsole\":\"true\",\"userIdentity.sessionContext.sessionIssuer.accountId\":\"112233445566\",\"userIdentity.sessionContext.sessionIssuer.principalId\":\"AROA2W7SOKHDLNCOKZNPS\",\"userIdentity.sessionContext.sessionIssuer.type\":\"Role\",\"userIdentity.sessionContext.sessionIssuer.userName\":\"Admin\"},\"user\":{\"name\":\"test_user2\",\"uid\":\"AIDA2W7SOKHDM47UMJRTX\"}}",
+ "outcome": "success",
+ "provider": "AWS",
+ "severity": 1,
+ "type": [
+ "info",
+ "user",
+ "creation"
+ ]
+ },
+ "ocsf": {
+ "activity_id": "1",
+ "activity_name": "Create",
+ "actor": {
+ "session": {
+ "created_time": "2023-03-17T16:43:57.000Z",
+ "issuer": "arn:aws:iam::112233445566:role/Admin",
+ "mfa": false
+ },
+ "user": {
+ "account": {
+ "uid": "112233445566"
+ },
+ "credential_uid": "ASIA2W7SOKHDHBO4U2HE",
+ "type": "AssumedRole",
+ "uid": "AROA2W7SOKHDLNCOKZNPS:Admin-user"
+ }
+ },
+ "api": {
+ "operation": "CreateUser",
+ "request": {
+ "uid": "c99bf9da-e0bd-4bf7-bb32-c8be25618afc"
+ },
+ "service": {
+ "name": "iam.amazonaws.com"
+ }
+ },
+ "category_name": "Audit Activity",
+ "category_uid": "3",
+ "class_name": "Account Change",
+ "class_uid": "3001",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "http_request": {
+ "user_agent": "AWS Internal"
+ },
+ "metadata": {
+ "product": {
+ "feature": {
+ "name": "Management"
+ },
+ "name": "CloudTrail",
+ "vendor_name": "AWS",
+ "version": "1.08"
+ },
+ "profiles": [
+ "cloud"
+ ],
+ "uid": "7dd15a89-ae0f-4340-8e6c-d6981246c71b",
+ "version": "1.0.0-rc.2"
+ },
+ "severity": "Informational",
+ "severity_id": 1,
+ "src_endpoint": {
+ "ip": "1.128.0.0"
+ },
+ "status": "Success",
+ "status_id": "1",
+ "time": "2023-03-17T17:07:59.000Z",
+ "type_name": "Account Change: Create",
+ "type_uid": "300101",
+ "unmapped": {
+ "eventType": "AwsApiCall",
+ "managementEvent": "true",
+ "readOnly": "false",
+ "recipientAccountId": "112233445566",
+ "responseElements.user.arn": "arn:aws:iam::112233445566:user/test_user2",
+ "responseElements.user.createDate": "Mar 17, 2023 5:07:59 PM",
+ "responseElements.user.path": "/",
+ "sessionCredentialFromConsole": "true",
+ "userIdentity.sessionContext.sessionIssuer.accountId": "112233445566",
+ "userIdentity.sessionContext.sessionIssuer.principalId": "AROA2W7SOKHDLNCOKZNPS",
+ "userIdentity.sessionContext.sessionIssuer.type": "Role",
+ "userIdentity.sessionContext.sessionIssuer.userName": "Admin"
+ },
+ "user": {
+ "name": "test_user2",
+ "uid": "AIDA2W7SOKHDM47UMJRTX"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ],
+ "user": [
+ "AROA2W7SOKHDLNCOKZNPS:Admin-user",
+ "AIDA2W7SOKHDM47UMJRTX",
+ "test_user2"
+ ]
+ },
+ "source": {
+ "ip": "1.128.0.0"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "id": "AROA2W7SOKHDLNCOKZNPS:Admin-user",
+ "target": {
+ "id": "AIDA2W7SOKHDM47UMJRTX",
+ "name": "test_user2"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "AWS Internal"
+ }
+ }
+ ]
+}
\ No newline at end of file
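Review bot: The expectation renders `ocsf.activity_id`, `category_uid`, `class_uid`, `status_id` and `type_uid` as strings (`"1"`, `"3001"`) while `ocsf.severity_id` stays a number (`1`), so sibling OCSF id fields end up with different JSON types; the api-activity and authentication expectations show the same pattern. If the keyword mapping for the `*_id`/`*_uid` fields is deliberate (they are enum codes, not quantities), `severity_id` should presumably follow it, or the data stream's fields definition should say why it differs. Separately, `ocsf.unmapped` keeps dotted names such as `responseElements.user.arn` as literal keys; that is only safe if the field is mapped `flattened`, since a dynamic object mapping would expand them into nested objects and can conflict across event classes — worth confirming in the fields definition, which is outside this hunk.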
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-api-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-api-activity.log
new file mode 100644
index 00000000000..ef2d7fb6e06
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-api-activity.log
@@ -0,0 +1 @@
+{"activity_id":2,"activity_name":"Read","actor":{"idp":{},"session":{},"user":{"account":{"uid": "811596193553"},"credential_uid":"AKIA3Z2XBVUDFQ9TU4MD","name":"Level6","type":"IAMUser","uid":"AIDADO2GQD0K8TEF7KW1V"}},"api":{"operation":"DescribeDirectConnectGateways","request":{"uid":"1c8a6220-4263-4763-b526-20c1d1dd012c"},"response":{},"service":{"name":"directconnect.amazonaws.com"}},"category_name":"Application Activity","category_uid":6,"class_name":"API Activity","class_uid":6003,"cloud":{"provider":"AWS","region":"us-east-1"},"http_request":{"user_agent":"Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2"},"metadata":{"product":{"feature":{"name":"Management, Data, and Insights"},"name":"CloudTrail","vendor_name":"AWS","version":"1.05"},"profiles":["cloud"],"uid":"71c88be9-ea5c-43c7-8c82-02ecb5ec7f09","version":"1.0.0-rc.2"},"severity":"Informational","severity_id":1,"src_endpoint":{"ip":"1.128.0.0"},"status":"Success","status_id":1,"time":1600726972000,"type_name":"API Activity: Read","type_uid":300502,"unmapped":{"eventType":"AwsApiCall","recipientAccountId":"811596193553"}}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-api-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-api-activity.log-expected.json
new file mode 100644
index 00000000000..fed7e9f90ad
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-api-activity.log-expected.json
@@ -0,0 +1,126 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2020-09-21T22:22:52.000Z",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.10.0"
+ },
+ "event": {
+ "action": "read",
+ "category": [
+ "web"
+ ],
+ "id": "71c88be9-ea5c-43c7-8c82-02ecb5ec7f09",
+ "kind": "event",
+ "original": "{\"activity_id\":2,\"activity_name\":\"Read\",\"actor\":{\"idp\":{},\"session\":{},\"user\":{\"account\":{\"uid\": \"811596193553\"},\"credential_uid\":\"AKIA3Z2XBVUDFQ9TU4MD\",\"name\":\"Level6\",\"type\":\"IAMUser\",\"uid\":\"AIDADO2GQD0K8TEF7KW1V\"}},\"api\":{\"operation\":\"DescribeDirectConnectGateways\",\"request\":{\"uid\":\"1c8a6220-4263-4763-b526-20c1d1dd012c\"},\"response\":{},\"service\":{\"name\":\"directconnect.amazonaws.com\"}},\"category_name\":\"Application Activity\",\"category_uid\":6,\"class_name\":\"API Activity\",\"class_uid\":6003,\"cloud\":{\"provider\":\"AWS\",\"region\":\"us-east-1\"},\"http_request\":{\"user_agent\":\"Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2\"},\"metadata\":{\"product\":{\"feature\":{\"name\":\"Management, Data, and Insights\"},\"name\":\"CloudTrail\",\"vendor_name\":\"AWS\",\"version\":\"1.05\"},\"profiles\":[\"cloud\"],\"uid\":\"71c88be9-ea5c-43c7-8c82-02ecb5ec7f09\",\"version\":\"1.0.0-rc.2\"},\"severity\":\"Informational\",\"severity_id\":1,\"src_endpoint\":{\"ip\":\"1.128.0.0\"},\"status\":\"Success\",\"status_id\":1,\"time\":1600726972000,\"type_name\":\"API Activity: Read\",\"type_uid\":300502,\"unmapped\":{\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"811596193553\"}}",
+ "outcome": "success",
+ "provider": "AWS",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "ocsf": {
+ "activity_id": "2",
+ "activity_name": "Read",
+ "actor": {
+ "user": {
+ "account": {
+ "uid": "811596193553"
+ },
+ "credential_uid": "AKIA3Z2XBVUDFQ9TU4MD",
+ "name": "Level6",
+ "type": "IAMUser",
+ "uid": "AIDADO2GQD0K8TEF7KW1V"
+ }
+ },
+ "api": {
+ "operation": "DescribeDirectConnectGateways",
+ "request": {
+ "uid": "1c8a6220-4263-4763-b526-20c1d1dd012c"
+ },
+ "service": {
+ "name": "directconnect.amazonaws.com"
+ }
+ },
+ "category_name": "Application Activity",
+ "category_uid": "6",
+ "class_name": "API Activity",
+ "class_uid": "6003",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "http_request": {
+ "user_agent": "Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2"
+ },
+ "metadata": {
+ "product": {
+ "feature": {
+ "name": "Management, Data, and Insights"
+ },
+ "name": "CloudTrail",
+ "vendor_name": "AWS",
+ "version": "1.05"
+ },
+ "profiles": [
+ "cloud"
+ ],
+ "uid": "71c88be9-ea5c-43c7-8c82-02ecb5ec7f09",
+ "version": "1.0.0-rc.2"
+ },
+ "severity": "Informational",
+ "severity_id": 1,
+ "src_endpoint": {
+ "ip": "1.128.0.0"
+ },
+ "status": "Success",
+ "status_id": "1",
+ "time": "2020-09-21T22:22:52.000Z",
+ "type_name": "API Activity: Read",
+ "type_uid": "300502",
+ "unmapped": {
+ "eventType": "AwsApiCall",
+ "recipientAccountId": "811596193553"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ],
+ "user": [
+ "AIDADO2GQD0K8TEF7KW1V",
+ "Level6"
+ ]
+ },
+ "source": {
+ "ip": "1.128.0.0"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "id": "AIDADO2GQD0K8TEF7KW1V",
+ "name": "Level6"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Spider"
+ },
+ "name": "Boto3",
+ "original": "Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2",
+ "os": {
+ "full": "Linux 5.6.3",
+ "name": "Linux",
+ "version": "5.6.3"
+ },
+ "version": "1.15.2"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-authentication.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-authentication.log
new file mode 100644
index 00000000000..a08b923212c
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-authentication.log
@@ -0,0 +1 @@
+{"activity_id":1,"activity_name":"Logon","actor":{"idp":{},"session":{},"user":{"account":{"uid": "112233445566"},"name":"anaya","type":"IAMUser","uid":"AIDACKCEVSQ6C2EXAMPLE"}},"api":{"operation":"ConsoleLogin","request":{"uid":"''"},"response":{},"service":{"name":"signin.amazonaws.com"}},"category_name":"Audit Activity","category_uid":3,"class_name":"Authentication","class_uid":3002,"cloud":{"provider":"AWS","region":"us-east-1"},"dst_endpoint":{"svc_name":"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true"},"http_request":{"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"},"metadata":{"product":{"feature":{"name":"Management"},"name":"CloudTrail","vendor_name":"AWS","version":"1.08"},"profiles":["cloud"],"uid":"fed06f42-cb12-4764-8c69-121063dc79b9","version":"1.0.0-rc.2"},"severity":"Informational","severity_id":1,"src_endpoint":{"ip":"1.128.0.0"},"status":"Success","status_id":1,"time":1668097474000,"type_name":"Authentication: Logon","type_uid":300201,"unmapped":{"additionalEventData.MFAIdentifier":"arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD","additionalEventData.MobileVersion":"No","eventType":"AwsConsoleSignIn","recipientAccountId":"111122223333"},"user":{"uid":"AIDACKCEVSQ6C2EXAMPLE"}}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-authentication.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-authentication.log-expected.json
new file mode 100644
index 00000000000..269c175cdcc
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-authentication.log-expected.json
@@ -0,0 +1,142 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-10T16:24:34.000Z",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.10.0"
+ },
+ "event": {
+ "action": "logon",
+ "category": [
+ "authentication"
+ ],
+ "id": "fed06f42-cb12-4764-8c69-121063dc79b9",
+ "kind": "event",
+ "original": "{\"activity_id\":1,\"activity_name\":\"Logon\",\"actor\":{\"idp\":{},\"session\":{},\"user\":{\"account\":{\"uid\": \"112233445566\"},\"name\":\"anaya\",\"type\":\"IAMUser\",\"uid\":\"AIDACKCEVSQ6C2EXAMPLE\"}},\"api\":{\"operation\":\"ConsoleLogin\",\"request\":{\"uid\":\"''\"},\"response\":{},\"service\":{\"name\":\"signin.amazonaws.com\"}},\"category_name\":\"Audit Activity\",\"category_uid\":3,\"class_name\":\"Authentication\",\"class_uid\":3002,\"cloud\":{\"provider\":\"AWS\",\"region\":\"us-east-1\"},\"dst_endpoint\":{\"svc_name\":\"https://console.aws.amazon.com/console/home?state=hashArgs%23\u0026isauthcode=true\"},\"http_request\":{\"user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36\"},\"metadata\":{\"product\":{\"feature\":{\"name\":\"Management\"},\"name\":\"CloudTrail\",\"vendor_name\":\"AWS\",\"version\":\"1.08\"},\"profiles\":[\"cloud\"],\"uid\":\"fed06f42-cb12-4764-8c69-121063dc79b9\",\"version\":\"1.0.0-rc.2\"},\"severity\":\"Informational\",\"severity_id\":1,\"src_endpoint\":{\"ip\":\"1.128.0.0\"},\"status\":\"Success\",\"status_id\":1,\"time\":1668097474000,\"type_name\":\"Authentication: Logon\",\"type_uid\":300201,\"unmapped\":{\"additionalEventData.MFAIdentifier\":\"arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD\",\"additionalEventData.MobileVersion\":\"No\",\"eventType\":\"AwsConsoleSignIn\",\"recipientAccountId\":\"111122223333\"},\"user\":{\"uid\":\"AIDACKCEVSQ6C2EXAMPLE\"}}",
+ "outcome": "success",
+ "provider": "AWS",
+ "severity": 1,
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "network": {
+ "application": [
+ "https://console.aws.amazon.com/console/home?state=hashargs%23\u0026isauthcode=true"
+ ]
+ },
+ "ocsf": {
+ "activity_id": "1",
+ "activity_name": "Logon",
+ "actor": {
+ "user": {
+ "account": {
+ "uid": "112233445566"
+ },
+ "name": "anaya",
+ "type": "IAMUser",
+ "uid": "AIDACKCEVSQ6C2EXAMPLE"
+ }
+ },
+ "api": {
+ "operation": "ConsoleLogin",
+ "request": {
+ "uid": "''"
+ },
+ "service": {
+ "name": "signin.amazonaws.com"
+ }
+ },
+ "category_name": "Audit Activity",
+ "category_uid": "3",
+ "class_name": "Authentication",
+ "class_uid": "3002",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "dst_endpoint": {
+ "svc_name": "https://console.aws.amazon.com/console/home?state=hashArgs%23\u0026isauthcode=true"
+ },
+ "http_request": {
+ "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
+ },
+ "metadata": {
+ "product": {
+ "feature": {
+ "name": "Management"
+ },
+ "name": "CloudTrail",
+ "vendor_name": "AWS",
+ "version": "1.08"
+ },
+ "profiles": [
+ "cloud"
+ ],
+ "uid": "fed06f42-cb12-4764-8c69-121063dc79b9",
+ "version": "1.0.0-rc.2"
+ },
+ "severity": "Informational",
+ "severity_id": 1,
+ "src_endpoint": {
+ "ip": "1.128.0.0"
+ },
+ "status": "Success",
+ "status_id": "1",
+ "time": "2022-11-10T16:24:34.000Z",
+ "type_name": "Authentication: Logon",
+ "type_uid": "300201",
+ "unmapped": {
+ "additionalEventData.MFAIdentifier": "arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD",
+ "additionalEventData.MobileVersion": "No",
+ "eventType": "AwsConsoleSignIn",
+ "recipientAccountId": "111122223333"
+ },
+ "user": {
+ "uid": "AIDACKCEVSQ6C2EXAMPLE"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ],
+ "user": [
+ "AIDACKCEVSQ6C2EXAMPLE",
+ "anaya"
+ ]
+ },
+ "source": {
+ "ip": "1.128.0.0"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "id": "AIDACKCEVSQ6C2EXAMPLE",
+ "name": "anaya",
+ "target": {
+ "id": "AIDACKCEVSQ6C2EXAMPLE"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Mac"
+ },
+ "name": "Chrome",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+ "os": {
+ "full": "Mac OS X 10.11.6",
+ "name": "Mac OS X",
+ "version": "10.11.6"
+ },
+ "version": "67.0.3396.99"
+ }
+ }
+ ]
+}
\ No newline at end of file
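Review bot: `ocsf.api.request.uid` is expected to hold the literal two-character string `''`, copied through from the CloudTrail ConsoleLogin record where it stands for "no request id". Indexing that sentinel as an identifier pollutes aggregations on the field and makes the `expected` output encode a source quirk as intended behaviour. If the pipeline already drops empty values, `''` slips past that check; suggest treating it like an empty string (drop `ocsf.api.request.uid` when it equals `''`) and regenerating this expectation. The pipeline itself is outside this hunk.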
diff --git a/packages/tenable_io/data_stream/scanner/_dev/test/pipeline/test-common-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml
old mode 100755
new mode 100644
similarity index 100%
rename from packages/tenable_io/data_stream/scanner/_dev/test/pipeline/test-common-config.yml
rename to packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-dns-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-dns-activity.log
new file mode 100644
index 00000000000..13194e00419
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-dns-activity.log
@@ -0,0 +1 @@
+{"metadata":{"product":{"version":"1.100000","name":"Route 53","feature":{"name":"Resolver Query Logs"},"vendor_name":"AWS"},"profiles":["cloud","security_control"],"version":"1.0.0-rc.2"},"cloud":{"account":{"uid":"123456789012"},"region":"us-east-1","provider":"AWS"},"src_endpoint":{"vpc_uid":"vpc-00000000000000000","ip":"10.200.21.100","port":15083},"time":1665694956000,"query":{"hostname":"ip-127-0-0-62.alert.firewall.canary.","type":"A","class":"IN"},"answers":[{"type":"A","rdata":"127.0.0.62","class":"IN"}],"connection_info":{"protocol_name":"UDP","direction":"Unknown","direction_id":0},"dst_endpoint":{"instance_uid":"rslvr-in-0000000000000000","interface_uid":"rni-0000000000000000"},"severity_id":1,"severity":"Informational","class_name":"DNS Activity","class_uid":4003,"category_name":"Network Activity","category_uid":4,"disposition":"No Action","disposition_id":16,"rcode_id":0,"rcode":"NoError","activity_id":2,"activity_name":"Response","type_name":"DNS Activity: Response","type_uid":400302,"unmapped":{"firewall_rule_group_id":"rslvr-frg-000000000000000","firewall_domain_list_id":"rslvr-fdl-0000000000000"}}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-dns-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-dns-activity.log-expected.json
new file mode 100644
index 00000000000..2b823320eb4
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-dns-activity.log-expected.json
@@ -0,0 +1,143 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-10-13T21:02:36.000Z",
+ "cloud": {
+ "account": {
+ "id": "123456789012"
+ },
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "dns": {
+ "answers": {
+ "class": [
+ "IN"
+ ],
+ "data": [
+ "127.0.0.62"
+ ],
+ "type": [
+ "A"
+ ]
+ },
+ "header_flags": [],
+ "question": {
+ "class": [
+ "IN"
+ ],
+ "name": "ip-127-0-0-62.alert.firewall.canary.",
+ "type": [
+ "A"
+ ]
+ },
+ "response_code": "NoError"
+ },
+ "ecs": {
+ "version": "8.10.0"
+ },
+ "event": {
+ "action": "response",
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "original": "{\"metadata\":{\"product\":{\"version\":\"1.100000\",\"name\":\"Route 53\",\"feature\":{\"name\":\"Resolver Query Logs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\"],\"version\":\"1.0.0-rc.2\"},\"cloud\":{\"account\":{\"uid\":\"123456789012\"},\"region\":\"us-east-1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"vpc_uid\":\"vpc-00000000000000000\",\"ip\":\"10.200.21.100\",\"port\":15083},\"time\":1665694956000,\"query\":{\"hostname\":\"ip-127-0-0-62.alert.firewall.canary.\",\"type\":\"A\",\"class\":\"IN\"},\"answers\":[{\"type\":\"A\",\"rdata\":\"127.0.0.62\",\"class\":\"IN\"}],\"connection_info\":{\"protocol_name\":\"UDP\",\"direction\":\"Unknown\",\"direction_id\":0},\"dst_endpoint\":{\"instance_uid\":\"rslvr-in-0000000000000000\",\"interface_uid\":\"rni-0000000000000000\"},\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"DNS Activity\",\"class_uid\":4003,\"category_name\":\"Network Activity\",\"category_uid\":4,\"disposition\":\"No Action\",\"disposition_id\":16,\"rcode_id\":0,\"rcode\":\"NoError\",\"activity_id\":2,\"activity_name\":\"Response\",\"type_name\":\"DNS Activity: Response\",\"type_uid\":400302,\"unmapped\":{\"firewall_rule_group_id\":\"rslvr-frg-000000000000000\",\"firewall_domain_list_id\":\"rslvr-fdl-0000000000000\"}}",
+ "provider": "AWS",
+ "severity": 1,
+ "type": [
+ "info",
+ "protocol"
+ ]
+ },
+ "network": {
+ "direction": [
+ "unknown"
+ ],
+ "transport": "udp"
+ },
+ "ocsf": {
+ "activity_id": "2",
+ "activity_name": "Response",
+ "answers": [
+ {
+ "class": "IN",
+ "rdata": "127.0.0.62",
+ "type": "A"
+ }
+ ],
+ "category_name": "Network Activity",
+ "category_uid": "4",
+ "class_name": "DNS Activity",
+ "class_uid": "4003",
+ "cloud": {
+ "account": {
+ "uid": "123456789012"
+ },
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "connection_info": {
+ "direction": "Unknown",
+ "direction_id": "0",
+ "protocol_name": "UDP"
+ },
+ "disposition": "No Action",
+ "disposition_id": "16",
+ "dst_endpoint": {
+ "instance_uid": "rslvr-in-0000000000000000",
+ "interface_uid": "rni-0000000000000000"
+ },
+ "metadata": {
+ "product": {
+ "feature": {
+ "name": "Resolver Query Logs"
+ },
+ "name": "Route 53",
+ "vendor_name": "AWS",
+ "version": "1.100000"
+ },
+ "profiles": [
+ "cloud",
+ "security_control"
+ ],
+ "version": "1.0.0-rc.2"
+ },
+ "query": {
+ "class": "IN",
+ "hostname": "ip-127-0-0-62.alert.firewall.canary.",
+ "type": "A"
+ },
+ "rcode": "NoError",
+ "rcode_id": "0",
+ "severity": "Informational",
+ "severity_id": 1,
+ "src_endpoint": {
+ "ip": "10.200.21.100",
+ "port": 15083,
+ "vpc_uid": "vpc-00000000000000000"
+ },
+ "time": "2022-10-13T21:02:36.000Z",
+ "type_name": "DNS Activity: Response",
+ "type_uid": "400302",
+ "unmapped": {
+ "firewall_domain_list_id": "rslvr-fdl-0000000000000",
+ "firewall_rule_group_id": "rslvr-frg-000000000000000"
+ }
+ },
+ "related": {
+ "ip": [
+ "10.200.21.100"
+ ]
+ },
+ "source": {
+ "ip": "10.200.21.100",
+ "port": 15083
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ }
+ ]
+}
\ No newline at end of file
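Review bot: `dns.resolved_ip` is absent and `related.ip` holds only the source address `10.200.21.100`, even though the answer section in this same record carries an A-type `rdata` of `127.0.0.62`. Resolved addresses are what threat-intel matching and related-entity lookups key on for DNS activity, so the pipeline should copy A/AAAA `rdata` values into `dns.resolved_ip` and append them to `related.ip`. The pipeline that produces this snapshot is outside this hunk; the expected file would need regenerating after the change.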
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log
new file mode 100644
index 00000000000..91748f35854
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log
@@ -0,0 +1 @@
+{"metadata":{"product":{"version":"5","name":"Amazon VPC","feature":{"name":"Flowlogs"},"vendor_name":"AWS"},"profiles":["cloud","security_control"],"version":"1.0.0-rc.2"},"cloud":{"account":{"uid":"123456789012"},"region":"us-east-1","zone":"use1-az1","provider":"AWS"},"src_endpoint":{"port":56858,"svc_name":"-","ip":"1.128.0.0"},"dst_endpoint":{"port":39938,"svc_name":"-","ip":"172.31.2.52","interface_uid":"eni-000000000000000000","vpc_uid":"vpc-00000000","instance_uid":"i-000000000000000000","subnet_uid":"subnet-000000000000000000"},"connection_info":{"protocol_num":6,"tcp_flags":2,"protocol_ver":"IPv4","boundary_id":99,"boundary":"-","direction_id":1,"direction":"Inbound"},"traffic":{"packets":1,"bytes":40},"time":1649721732000,"start_time":1649721732000,"end_time":1649721788000,"status_code":"OK","severity_id":1,"severity":"Informational","class_name":"Network Activity","class_uid":4001,"category_name":"Network Activity","category_uid":4,"activity_name":"Refuse","activity_id":5,"disposition":"Blocked","disposition_id":2,"type_uid":400105,"type_name":"Network Activity: Refuse","unmapped":{"sublocation_id":"-","sublocation_type":"-"}}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
new file mode 100644
index 00000000000..25baa70c153
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
@@ -0,0 +1,136 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-04-12T00:02:12.000Z",
+ "cloud": {
+ "account": {
+ "id": "123456789012"
+ },
+ "availability_zone": "use1-az1",
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "destination": {
+ "ip": "172.31.2.52",
+ "port": 39938
+ },
+ "ecs": {
+ "version": "8.10.0"
+ },
+ "event": {
+ "action": "refuse",
+ "category": [
+ "network"
+ ],
+ "end": "2022-04-12T00:03:08.000Z",
+ "kind": "event",
+ "original": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\"],\"version\":\"1.0.0-rc.2\"},\"cloud\":{\"account\":{\"uid\":\"123456789012\"},\"region\":\"us-east-1\",\"zone\":\"use1-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":56858,\"svc_name\":\"-\",\"ip\":\"1.128.0.0\"},\"dst_endpoint\":{\"port\":39938,\"svc_name\":\"-\",\"ip\":\"172.31.2.52\",\"interface_uid\":\"eni-000000000000000000\",\"vpc_uid\":\"vpc-00000000\",\"instance_uid\":\"i-000000000000000000\",\"subnet_uid\":\"subnet-000000000000000000\"},\"connection_info\":{\"protocol_num\":6,\"tcp_flags\":2,\"protocol_ver\":\"IPv4\",\"boundary_id\":99,\"boundary\":\"-\",\"direction_id\":1,\"direction\":\"Inbound\"},\"traffic\":{\"packets\":1,\"bytes\":40},\"time\":1649721732000,\"start_time\":1649721732000,\"end_time\":1649721788000,\"status_code\":\"OK\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Refuse\",\"activity_id\":5,\"disposition\":\"Blocked\",\"disposition_id\":2,\"type_uid\":400105,\"type_name\":\"Network Activity: Refuse\",\"unmapped\":{\"sublocation_id\":\"-\",\"sublocation_type\":\"-\"}}",
+ "provider": "AWS",
+ "severity": 1,
+ "start": "2022-04-12T00:02:12.000Z",
+ "type": [
+ "info",
+ "denied"
+ ]
+ },
+ "network": {
+ "application": [
+ "-"
+ ],
+ "bytes": 40,
+ "direction": [
+ "inbound"
+ ],
+ "iana_number": "6",
+ "packets": 1,
+ "type": "ipv4"
+ },
+ "ocsf": {
+ "activity_id": "5",
+ "activity_name": "Refuse",
+ "category_name": "Network Activity",
+ "category_uid": "4",
+ "class_name": "Network Activity",
+ "class_uid": "4001",
+ "cloud": {
+ "account": {
+ "uid": "123456789012"
+ },
+ "provider": "AWS",
+ "region": "us-east-1",
+ "zone": "use1-az1"
+ },
+ "connection_info": {
+ "boundary": "-",
+ "boundary_id": "99",
+ "direction": "Inbound",
+ "direction_id": "1",
+ "protocol_num": "6",
+ "protocol_ver": "IPv4",
+ "tcp_flags": 2
+ },
+ "disposition": "Blocked",
+ "disposition_id": "2",
+ "dst_endpoint": {
+ "instance_uid": "i-000000000000000000",
+ "interface_uid": "eni-000000000000000000",
+ "ip": "172.31.2.52",
+ "port": 39938,
+ "subnet_uid": "subnet-000000000000000000",
+ "svc_name": "-",
+ "vpc_uid": "vpc-00000000"
+ },
+ "end_time": "2022-04-12T00:03:08.000Z",
+ "metadata": {
+ "product": {
+ "feature": {
+ "name": "Flowlogs"
+ },
+ "name": "Amazon VPC",
+ "vendor_name": "AWS",
+ "version": "5"
+ },
+ "profiles": [
+ "cloud",
+ "security_control"
+ ],
+ "version": "1.0.0-rc.2"
+ },
+ "severity": "Informational",
+ "severity_id": 1,
+ "src_endpoint": {
+ "ip": "1.128.0.0",
+ "port": 56858,
+ "svc_name": "-"
+ },
+ "start_time": "2022-04-12T00:02:12.000Z",
+ "status_code": "OK",
+ "time": "2022-04-12T00:02:12.000Z",
+ "traffic": {
+ "bytes": 40,
+ "packets": 1
+ },
+ "type_name": "Network Activity: Refuse",
+ "type_uid": "400105",
+ "unmapped": {
+ "sublocation_id": "-",
+ "sublocation_type": "-"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.128.0.0",
+ "172.31.2.52"
+ ]
+ },
+ "source": {
+ "ip": "1.128.0.0",
+ "port": 56858
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ }
+ ]
+}
\ No newline at end of file
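Review bot: `network.application` is populated with the literal `"-"`, which is the VPC Flow Logs placeholder for "not available" rather than an application name; the same record shows `connection_info.boundary` and `unmapped.sublocation_*` using `-` the same way. The pipeline appears to copy `src_endpoint.svc_name`/`dst_endpoint.svc_name` verbatim, so the ECS field should be skipped when the value is `-`, e.g. guard the append with `if: ctx.ocsf?.src_endpoint?.svc_name != null && ctx.ocsf.src_endpoint.svc_name != '-'` (and the same for `dst_endpoint`). The pipeline is outside this hunk and this snapshot would change accordingly.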
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-security-findings.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-security-findings.log
new file mode 100644
index 00000000000..f9f5b6041db
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-security-findings.log
@@ -0,0 +1 @@
+{"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Security Finding","class_uid":2001,"cloud":{"account":{"uid": "522536594833"},"provider":"AWS","region":"us-east-1"},"compliance":{"requirements":["PCI1.2"],"status":"PASSED","status_detail":"CloudWatch alarms do not exist in the account"},"finding":{"created_time":1635449619417,"desc":"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.","first_seen_time":1635449619417,"last_seen_time":1659636565316,"modified_time":1659636559100,"related_events":[{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"123e4567-e89b-12d3-a456-426655440000"},{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"AcmeNerfHerder-111111111111-x189dx7824"}],"remediation":{"desc":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","kb_articles":["https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation"]},"title":"EC2.19 Security groups should not allow unrestricted access to ports with high risk","types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"uid":"test"},"malware":[{"classification_ids":[1],"classifications":["Adware"],"name":"Stringler","path":"/usr/sbin/stringler"}],"metadata":{"product":{"feature":{"name":"Security Hub","uid":"aws-foundational-security-best-practices/v/1.0.0/EC2.19"},"name":"Security 
Hub","uid":"arn:aws:securityhub:us-east-1::product/aws/securityhub","vendor_name":"AWS","version":"2018-10-08"},"profiles":["cloud"],"version":"1.0.0-rc.2"},"process":{"created_time":1538087851000,"file":{"name":"''","path":"/usr/sbin/syslogd","type_id":0},"name":"syslogd","parent_process":{"pid":56789},"pid":12345,"terminated_time":1538091451000},"resources":[{"cloud_partition":"aws","details":"{\"AwsEc2SecurityGroup\":{\"GroupName\":\"eks-cluster-sg-detective-test-486840310\",\"GroupId\":\"sg-0daf160f08dfed499\",\"OwnerId\":\"522536594833\",\"VpcId\":\"vpc-0ccabdde7ace9327a\",\"IpPermissions\":[{\"IpProtocol\":\"-1\",\"UserIdGroupPairs\":[{\"GroupId\":\"sg-0daf160f08dfed499\",\"UserId\":\"522536594833\"},{\"GroupId\":\"sg-0e92935097ad2f657\",\"UserId\":\"522536594833\"}]}],\"IpPermissionsEgress\":[{\"IpProtocol\":\"-1\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}]}]}}","labels":["billingCode=Lotus-1-2-3","needsPatching=true"],"region":"us-east-1","type":"AwsEc2SecurityGroup","uid":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499"}],"severity":"Informational","severity_id":1,"state":"Resolved","state_id":4,"time":1659636559100,"type_name":"Security Finding: Update","type_uid":200102,"unmapped":{"CompanyName":"AWS","Compliance.StatusReasons[].ReasonCode":"CW_ALARMS_NOT_PRESENT","FindingProviderFields.Severity.Label":"INFORMATIONAL","FindingProviderFields.Severity.Original":"INFORMATIONAL","FindingProviderFields.Types[]":"Software and Configuration Checks/Industry and Regulatory 
Standards/AWS-Foundational-Security-Best-Practices","Malware[].State":"OBSERVED","ProductFields.ControlId":"EC2.19","ProductFields.RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation","ProductFields.RelatedAWSResources:0/name":"securityhub-vpc-sg-restricted-common-ports-2af29baf","ProductFields.RelatedAWSResources:0/type":"AWS::Config::ConfigRule","ProductFields.Resources:0/Id":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499","ProductFields.StandardsArn":"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0","ProductFields.StandardsControlArn":"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19","ProductFields.StandardsSubscriptionArn":"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0","ProductFields.aws/securityhub/CompanyName":"AWS","ProductFields.aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef","ProductFields.aws/securityhub/ProductName":"Security 
Hub","RecordState":"ACTIVE","Severity.Normalized":"0","Severity.Original":"INFORMATIONAL","Severity.Product":"0","Vulnerabilities[].Cvss[].BaseScore":"4.7,1.0","Vulnerabilities[].Cvss[].BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N","Vulnerabilities[].Cvss[].Version":"V3,V2","Vulnerabilities[].Vendor.VendorSeverity":"Medium","WorkflowState":"NEW"},"vulnerabilities":[{"cve":{"created_time":1579132903000,"cvss":{"base_score":4.7,"vector_string":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"V3"},"modified_time":1579132903000,"uid":"CVE-2020-12345"},"kb_articles":["https://alas.aws.amazon.com/ALAS-2020-1337.html"],"packages":[{"architecture":"x86_64","epoch":1,"name":"openssl","release":"16.amzn2.0.3","version":"1.0.2k"},{"architecture":"x86_64","epoch":3,"name":"yaml","release":"16.amzn2.0.3","version":"4.3.2"}],"references":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"],"related_vulnerabilities":["CVE-2020-12345"],"vendor_name":"Alas"}]}
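Review bot: This fixture carries identifiers that look real rather than synthetic — account `522536594833` and resource IDs `sg-0daf160f08dfed499`, `sg-0e92935097ad2f657`, `vpc-0ccabdde7ace9327a`, plus a Security Hub finding ARN built from them — while the other two fixtures use the AWS documentation sample account `123456789012` and zero-filled resource IDs. Unless these are known to be fabricated, replace them with placeholders before the package is published, since they are also embedded in the expected snapshot and will be copied into any generated README sample. Something like `"uid": "123456789012"` and `sg-00000000000000000` would keep the test meaningful without exposing a tenant's identifiers.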
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-security-findings.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-security-findings.log-expected.json
new file mode 100644
index 00000000000..1c57891c400
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-security-findings.log-expected.json
@@ -0,0 +1,250 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-08-04T18:09:19.100Z",
+ "cloud": {
+ "account": {
+ "id": "522536594833"
+ },
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "ecs": {
+ "version": "8.10.0"
+ },
+ "event": {
+ "action": "update",
+ "category": [
+ "malware",
+ "vulnerability"
+ ],
+ "created": "2021-10-28T19:33:39.417Z",
+ "kind": "alert",
+ "original": "{\"activity_id\":2,\"activity_name\":\"Update\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Security Finding\",\"class_uid\":2001,\"cloud\":{\"account\":{\"uid\": \"522536594833\"},\"provider\":\"AWS\",\"region\":\"us-east-1\"},\"compliance\":{\"requirements\":[\"PCI1.2\"],\"status\":\"PASSED\",\"status_detail\":\"CloudWatch alarms do not exist in the account\"},\"finding\":{\"created_time\":1635449619417,\"desc\":\"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.\",\"first_seen_time\":1635449619417,\"last_seen_time\":1659636565316,\"modified_time\":1659636559100,\"related_events\":[{\"product_uid\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"uid\":\"123e4567-e89b-12d3-a456-426655440000\"},{\"product_uid\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"uid\":\"AcmeNerfHerder-111111111111-x189dx7824\"}],\"remediation\":{\"desc\":\"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\",\"kb_articles\":[\"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\"]},\"title\":\"EC2.19 Security groups should not allow unrestricted access to ports with high risk\",\"types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"uid\":\"test\"},\"malware\":[{\"classification_ids\":[1],\"classifications\":[\"Adware\"],\"name\":\"Stringler\",\"path\":\"/usr/sbin/stringler\"}],\"metadata\":{\"product\":{\"feature\":{\"name\":\"Security Hub\",\"uid\":\"aws-foundational-security-best-practices/v/1.0.0/EC2.19\"},\"name\":\"Security 
Hub\",\"uid\":\"arn:aws:securityhub:us-east-1::product/aws/securityhub\",\"vendor_name\":\"AWS\",\"version\":\"2018-10-08\"},\"profiles\":[\"cloud\"],\"version\":\"1.0.0-rc.2\"},\"process\":{\"created_time\":1538087851000,\"file\":{\"name\":\"''\",\"path\":\"/usr/sbin/syslogd\",\"type_id\":0},\"name\":\"syslogd\",\"parent_process\":{\"pid\":56789},\"pid\":12345,\"terminated_time\":1538091451000},\"resources\":[{\"cloud_partition\":\"aws\",\"details\":\"{\\\"AwsEc2SecurityGroup\\\":{\\\"GroupName\\\":\\\"eks-cluster-sg-detective-test-486840310\\\",\\\"GroupId\\\":\\\"sg-0daf160f08dfed499\\\",\\\"OwnerId\\\":\\\"522536594833\\\",\\\"VpcId\\\":\\\"vpc-0ccabdde7ace9327a\\\",\\\"IpPermissions\\\":[{\\\"IpProtocol\\\":\\\"-1\\\",\\\"UserIdGroupPairs\\\":[{\\\"GroupId\\\":\\\"sg-0daf160f08dfed499\\\",\\\"UserId\\\":\\\"522536594833\\\"},{\\\"GroupId\\\":\\\"sg-0e92935097ad2f657\\\",\\\"UserId\\\":\\\"522536594833\\\"}]}],\\\"IpPermissionsEgress\\\":[{\\\"IpProtocol\\\":\\\"-1\\\",\\\"IpRanges\\\":[{\\\"CidrIp\\\":\\\"0.0.0.0/0\\\"}]}]}}\",\"labels\":[\"billingCode=Lotus-1-2-3\",\"needsPatching=true\"],\"region\":\"us-east-1\",\"type\":\"AwsEc2SecurityGroup\",\"uid\":\"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\"}],\"severity\":\"Informational\",\"severity_id\":1,\"state\":\"Resolved\",\"state_id\":4,\"time\":1659636559100,\"type_name\":\"Security Finding: Update\",\"type_uid\":200102,\"unmapped\":{\"CompanyName\":\"AWS\",\"Compliance.StatusReasons[].ReasonCode\":\"CW_ALARMS_NOT_PRESENT\",\"FindingProviderFields.Severity.Label\":\"INFORMATIONAL\",\"FindingProviderFields.Severity.Original\":\"INFORMATIONAL\",\"FindingProviderFields.Types[]\":\"Software and Configuration Checks/Industry and Regulatory 
Standards/AWS-Foundational-Security-Best-Practices\",\"Malware[].State\":\"OBSERVED\",\"ProductFields.ControlId\":\"EC2.19\",\"ProductFields.RecommendationUrl\":\"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation\",\"ProductFields.RelatedAWSResources:0/name\":\"securityhub-vpc-sg-restricted-common-ports-2af29baf\",\"ProductFields.RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"ProductFields.Resources:0/Id\":\"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499\",\"ProductFields.StandardsArn\":\"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0\",\"ProductFields.StandardsControlArn\":\"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19\",\"ProductFields.StandardsSubscriptionArn\":\"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0\",\"ProductFields.aws/securityhub/CompanyName\":\"AWS\",\"ProductFields.aws/securityhub/FindingId\":\"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef\",\"ProductFields.aws/securityhub/ProductName\":\"Security 
Hub\",\"RecordState\":\"ACTIVE\",\"Severity.Normalized\":\"0\",\"Severity.Original\":\"INFORMATIONAL\",\"Severity.Product\":\"0\",\"Vulnerabilities[].Cvss[].BaseScore\":\"4.7,1.0\",\"Vulnerabilities[].Cvss[].BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Vulnerabilities[].Cvss[].Version\":\"V3,V2\",\"Vulnerabilities[].Vendor.VendorSeverity\":\"Medium\",\"WorkflowState\":\"NEW\"},\"vulnerabilities\":[{\"cve\":{\"created_time\":1579132903000,\"cvss\":{\"base_score\":4.7,\"vector_string\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"version\":\"V3\"},\"modified_time\":1579132903000,\"uid\":\"CVE-2020-12345\"},\"kb_articles\":[\"https://alas.aws.amazon.com/ALAS-2020-1337.html\"],\"packages\":[{\"architecture\":\"x86_64\",\"epoch\":1,\"name\":\"openssl\",\"release\":\"16.amzn2.0.3\",\"version\":\"1.0.2k\"},{\"architecture\":\"x86_64\",\"epoch\":3,\"name\":\"yaml\",\"release\":\"16.amzn2.0.3\",\"version\":\"4.3.2\"}],\"references\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\"],\"related_vulnerabilities\":[\"CVE-2020-12345\"],\"vendor_name\":\"Alas\"}]}",
+ "provider": "AWS",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "file": {
+ "name": "''",
+ "path": "/usr/sbin/syslogd"
+ },
+ "ocsf": {
+ "activity_id": "2",
+ "activity_name": "Update",
+ "category_name": "Findings",
+ "category_uid": "2",
+ "class_name": "Security Finding",
+ "class_uid": "2001",
+ "cloud": {
+ "account": {
+ "uid": "522536594833"
+ },
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "compliance": {
+ "requirements": [
+ "PCI1.2"
+ ],
+ "status": "PASSED",
+ "status_detail": "CloudWatch alarms do not exist in the account"
+ },
+ "finding": {
+ "created_time": "2021-10-28T19:33:39.417Z",
+ "desc": "This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.",
+ "first_seen_time": "2021-10-28T19:33:39.417Z",
+ "last_seen_time": "2022-08-04T18:09:25.316Z",
+ "modified_time": "2022-08-04T18:09:19.100Z",
+ "related_events": [
+ {
+ "product_uid": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
+ "uid": "123e4567-e89b-12d3-a456-426655440000"
+ },
+ {
+ "product_uid": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
+ "uid": "AcmeNerfHerder-111111111111-x189dx7824"
+ }
+ ],
+ "remediation": {
+ "desc": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.",
+ "kb_articles": [
+ "https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation"
+ ]
+ },
+ "title": "EC2.19 Security groups should not allow unrestricted access to ports with high risk",
+ "types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
+ ],
+ "uid": "test"
+ },
+ "malware": [
+ {
+ "classification_ids": [
+ "1"
+ ],
+ "classifications": [
+ "Adware"
+ ],
+ "name": "Stringler",
+ "path": "/usr/sbin/stringler"
+ }
+ ],
+ "metadata": {
+ "product": {
+ "feature": {
+ "name": "Security Hub",
+ "uid": "aws-foundational-security-best-practices/v/1.0.0/EC2.19"
+ },
+ "name": "Security Hub",
+ "uid": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "vendor_name": "AWS",
+ "version": "2018-10-08"
+ },
+ "profiles": [
+ "cloud"
+ ],
+ "version": "1.0.0-rc.2"
+ },
+ "process": {
+ "created_time": "2018-09-27T22:37:31.000Z",
+ "file": {
+ "name": "''",
+ "path": "/usr/sbin/syslogd",
+ "type_id": "0"
+ },
+ "name": "syslogd",
+ "parent_process": {
+ "pid": 56789
+ },
+ "pid": 12345,
+ "terminated_time": "2018-09-27T23:37:31.000Z"
+ },
+ "resources": [
+ {
+ "cloud_partition": "aws",
+ "details": "{\"AwsEc2SecurityGroup\":{\"GroupName\":\"eks-cluster-sg-detective-test-486840310\",\"GroupId\":\"sg-0daf160f08dfed499\",\"OwnerId\":\"522536594833\",\"VpcId\":\"vpc-0ccabdde7ace9327a\",\"IpPermissions\":[{\"IpProtocol\":\"-1\",\"UserIdGroupPairs\":[{\"GroupId\":\"sg-0daf160f08dfed499\",\"UserId\":\"522536594833\"},{\"GroupId\":\"sg-0e92935097ad2f657\",\"UserId\":\"522536594833\"}]}],\"IpPermissionsEgress\":[{\"IpProtocol\":\"-1\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}]}]}}",
+ "labels": [
+ "billingCode=Lotus-1-2-3",
+ "needsPatching=true"
+ ],
+ "region": "us-east-1",
+ "type": "AwsEc2SecurityGroup",
+ "uid": "arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499"
+ }
+ ],
+ "severity": "Informational",
+ "severity_id": 1,
+ "state": "Resolved",
+ "state_id": "4",
+ "time": "2022-08-04T18:09:19.100Z",
+ "type_name": "Security Finding: Update",
+ "type_uid": "200102",
+ "unmapped": {
+ "CompanyName": "AWS",
+ "Compliance.StatusReasons[].ReasonCode": "CW_ALARMS_NOT_PRESENT",
+ "FindingProviderFields.Severity.Label": "INFORMATIONAL",
+ "FindingProviderFields.Severity.Original": "INFORMATIONAL",
+ "FindingProviderFields.Types[]": "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices",
+ "Malware[].State": "OBSERVED",
+ "ProductFields.ControlId": "EC2.19",
+ "ProductFields.RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation",
+ "ProductFields.RelatedAWSResources:0/name": "securityhub-vpc-sg-restricted-common-ports-2af29baf",
+ "ProductFields.RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
+ "ProductFields.Resources:0/Id": "arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499",
+ "ProductFields.StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
+ "ProductFields.StandardsControlArn": "arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19",
+ "ProductFields.StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0",
+ "ProductFields.aws/securityhub/CompanyName": "AWS",
+ "ProductFields.aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bf428107-eee0-4d19-a013-92748ed69eef",
+ "ProductFields.aws/securityhub/ProductName": "Security Hub",
+ "RecordState": "ACTIVE",
+ "Severity.Normalized": "0",
+ "Severity.Original": "INFORMATIONAL",
+ "Severity.Product": "0",
+ "Vulnerabilities[].Cvss[].BaseScore": "4.7,1.0",
+ "Vulnerabilities[].Cvss[].BaseVector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N",
+ "Vulnerabilities[].Cvss[].Version": "V3,V2",
+ "Vulnerabilities[].Vendor.VendorSeverity": "Medium",
+ "WorkflowState": "NEW"
+ },
+ "vulnerabilities": [
+ {
+ "cve": {
+ "created_time": 1579132903000,
+ "cvss": {
+ "base_score": 4.7,
+ "vector_string": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+ "version": "V3"
+ },
+ "modified_time": 1579132903000,
+ "uid": "CVE-2020-12345"
+ },
+ "kb_articles": [
+ "https://alas.aws.amazon.com/ALAS-2020-1337.html"
+ ],
+ "packages": [
+ {
+ "architecture": "x86_64",
+ "epoch": 1,
+ "name": "openssl",
+ "release": "16.amzn2.0.3",
+ "version": "1.0.2k"
+ },
+ {
+ "architecture": "x86_64",
+ "epoch": 3,
+ "name": "yaml",
+ "release": "16.amzn2.0.3",
+ "version": "4.3.2"
+ }
+ ],
+ "references": [
+ "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"
+ ],
+ "related_vulnerabilities": [
+ "CVE-2020-12345"
+ ],
+ "vendor_name": "Alas"
+ }
+ ]
+ },
+ "process": {
+ "end": "2018-09-27T23:37:31.000Z",
+ "name": "syslogd",
+ "parent": {
+ "pid": 56789
+ },
+ "pid": 12345,
+ "start": "2018-09-27T22:37:31.000Z"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "vulnerability": {
+ "id": [
+ "CVE-2020-12345"
+ ],
+ "reference": [
+ "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"
+ ],
+ "scanner": {
+ "vendor": [
+ "Alas"
+ ]
+ },
+ "score": {
+ "base": [
+ 4.7
+ ],
+ "version": [
+ "V3"
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
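Review bot: `ocsf.vulnerabilities.cve.created_time` and `ocsf.vulnerabilities.cve.modified_time` are left as raw epoch-millis integers (`1579132903000`) while every other `*_time` in the same document — `finding.*_time`, `process.created_time`, `process.terminated_time`, `time` — is normalized to ISO-8601. If those two fields are mapped as `date`, Elasticsearch only accepts the integer form when the mapping's `format` includes `epoch_millis`; otherwise they end up as a different type and cannot be range-queried alongside the other timestamps. The conversion logic lives in the pipeline outside this hunk; adding the two fields there and regenerating this snapshot would make the document consistent.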
diff --git a/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs b/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs
new file mode 100644
index 00000000000..505f3090f38
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,101 @@
+{{#if collect_s3_logs}}
+
+{{#if bucket_arn}}
+bucket_arn: {{bucket_arn}}
+{{/if}}
+{{#if number_of_workers}}
+number_of_workers: {{number_of_workers}}
+{{/if}}
+{{#if interval}}
+bucket_list_interval: {{interval}}
+{{/if}}
+{{#if bucket_list_prefix}}
+bucket_list_prefix: {{bucket_list_prefix}}
+{{/if}}
+
+{{else}}
+
+{{#if queue_url}}
+queue_url: {{queue_url}}
+{{/if}}
+{{#if region}}
+region: {{region}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
+{{#if file_selectors}}
+file_selectors:
+{{file_selectors}}
+{{/if}}
+
+{{/if}}
+
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if external_id}}
+external_id: {{external_id}}
+{{/if}}
+{{#if default_region}}
+default_region: {{default_region}}
+{{/if}}
+decoding.codec.parquet.enabled: true
+{{#if decoding_batch_size}}
+decoding.codec.parquet.batch_size: {{decoding_batch_size}}
+{{/if}}
+{{#if decoding_process_parallel}}
+decoding.codec.parquet.process_parallel: {{decoding_process_parallel}}
+{{/if}}
+{{#if fips_enabled}}
+fips_enabled: {{fips_enabled}}
+{{/if}}
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+tags:
+{{#if collect_s3_logs}}
+ - collect_s3_logs
+{{else}}
+ - collect_sqs_logs
+{{/if}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
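Review bot: The template writes `access_key_id`, `secret_access_key` and `session_token` straight into the stream config, so these values land in the agent policy in plaintext; the corresponding manifest variables should be marked `secret: true` if the package spec version in use supports it, and the README should steer users to the `role_arn` path as the preferred option. Relatedly, `role_arn` can be rendered without `external_id`, and for a cross-account role the external ID is the confused-deputy guard, so the docs should state that it must be set whenever the role is assumed across accounts. The manifest and README are outside this hunk.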
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..f4d5f88317a
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,1165 @@
+---
+description: Pipeline for processing Amazon Security Lake Events.
+# Base Event docs: https://schema.ocsf.io/1.0.0-rc.3/base_event
+processors:
+ - set:
+ field: ecs.version
+ tag: set_ecs_version
+ value: 8.10.0
+ - rename:
+ field: message
+ target_field: event.original
+ tag: rename_message
+ ignore_missing: true
+ - json:
+ field: event.original
+ tag: json_decoding
+ target_field: ocsf
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.class_uid
+ tag: convert_class_uid_to_string
+ type: string
+ ignore_missing: true
+ - set:
+ field: event.kind
+ tag: set_event_kind
+ if: ctx.ocsf?.class_uid != null && ['3001','3002','4001','4003','6003'].contains(ctx.ocsf.class_uid)
+ value: event
+ - set:
+ field: event.kind
+ tag: set_event_kind
+ if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid)
+ value: alert
+ - append:
+ field: event.category
+ tag: append_malware_into_event_category
+ value: malware
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid) && ctx.ocsf.malware != null
+ - append:
+ field: event.category
+ tag: append_vulnerability_into_event_category
+ value: vulnerability
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null
+ - append:
+ field: event.category
+ tag: append_iam_into_event_category
+ value: iam
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['3001'].contains(ctx.ocsf.class_uid)
+ - append:
+ field: event.category
+ tag: append_authentication_into_event_category
+ value: authentication
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['3002'].contains(ctx.ocsf.class_uid)
+ - append:
+ field: event.category
+ tag: append_network_into_event_category
+ value: network
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['4001','4003'].contains(ctx.ocsf.class_uid)
+ - append:
+ field: event.category
+ tag: append_web_into_event_category
+ value: web
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['6003'].contains(ctx.ocsf.class_uid)
+ - append:
+ field: event.type
+ tag: append_info_into_event_type
+ value: info
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['2001','3001','3002','4001','4003','6003'].contains(ctx.ocsf.class_uid)
+ - append:
+ field: event.type
+ tag: append_user_into_event_type
+ value: user
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['3001'].contains(ctx.ocsf.class_uid)
+ - append:
+ field: event.type
+ tag: append_protocol_into_event_type
+ value: protocol
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['4003'].contains(ctx.ocsf.class_uid)
+ - append:
+ field: event.type
+ tag: append_creation_into_event_type
+ value: creation
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['3001'].contains(ctx.ocsf.class_uid) && ctx.ocsf.activity_name == 'Create'
+ - append:
+ field: event.type
+ tag: append_deletion_into_event_type
+ value: deletion
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['3001'].contains(ctx.ocsf.class_uid) && ctx.ocsf.activity_name == 'Delete'
+ - append:
+ field: event.type
+ tag: append_start_into_event_type
+ value: start
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['3002','4001'].contains(ctx.ocsf.class_uid) && ['Logon','Open'].contains(ctx.ocsf.activity_name)
+ - append:
+ field: event.type
+ tag: append_end_into_event_type
+ value: end
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['3002','4001'].contains(ctx.ocsf.class_uid) && ['Logoff','Close'].contains(ctx.ocsf.activity_name)
+ - append:
+ field: event.type
+ tag: append_denied_into_event_type
+ value: denied
+ allow_duplicates: false
+ if: ctx.ocsf?.class_uid != null && ['4001','4003'].contains(ctx.ocsf.class_uid) && ['Refuse'].contains(ctx.ocsf.activity_name)
+ - set:
+ field: cloud.account.id
+ tag: set_cloud_account_uid
+ copy_from: ocsf.cloud.account.uid
+ ignore_empty_value: true
+ - set:
+ field: cloud.account.name
+ tag: set_cloud_account_name
+ copy_from: ocsf.cloud.account.name
+ ignore_empty_value: true
+ - set:
+ field: cloud.availability_zone
+ tag: set_cloud_availability_zone
+ copy_from: ocsf.cloud.zone
+ ignore_empty_value: true
+ - set:
+ field: cloud.project.id
+ tag: set_cloud_project_id
+ copy_from: ocsf.cloud.project_uid
+ ignore_empty_value: true
+ - set:
+ field: cloud.provider
+ tag: set_cloud_provider
+ copy_from: ocsf.cloud.provider
+ ignore_empty_value: true
+ - set:
+ field: cloud.region
+ tag: set_cloud_region
+ copy_from: ocsf.cloud.region
+ ignore_empty_value: true
+ - lowercase:
+ field: ocsf.activity_name
+ tag: lowercase_event_action
+ target_field: event.action
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.activity_name
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - gsub:
+ field: event.action
+ pattern: '[: ]'
+ replacement: '-'
+ tag: gsub_event_action
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: event.action
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.code
+ tag: set_event_code
+ copy_from: ocsf.metadata.event_code
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.duration
+ tag: convert_duration_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.duration
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ description: Convert duration from milliseconds to nanoseconds.
+ tag: script_duration_ms_to_ns
+ lang: painless
+ if: ctx.ocsf?.duration != null
+ source: >-
+ ctx.event.duration = ctx.ocsf.duration * 1000000;
+ - set:
+ field: event.id
+ tag: set_event_id
+ copy_from: ocsf.metadata.uid
+ ignore_empty_value: true
+ - set:
+ field: event.provider
+ tag: set_event_provider_from_metadata_log_provider
+ copy_from: ocsf.metadata.log_provider
+ ignore_empty_value: true
+ - set:
+ field: event.provider
+ tag: set_event_provider_from_metadata_product_vendor_name
+ copy_from: ocsf.metadata.product.vendor_name
+ ignore_empty_value: true
+ if: ctx.ocsf?.metadata?.log_provider == null
+ - convert:
+ field: ocsf.metadata.sequence
+ tag: convert_metadata_sequence_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.metadata.sequence
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.sequence
+ tag: set_event_sequence
+ copy_from: ocsf.metadata.sequence
+ ignore_empty_value: true
+ - set:
+ field: message
+ tag: set_message
+ copy_from: ocsf.message
+ ignore_empty_value: true
+ - foreach:
+ field: ocsf.metadata.labels
+ if: ctx.ocsf?.metadata?.labels instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: tags
+ tag: append_metadata_labels_to_tags
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.api.response.code
+ tag: convert_api_response_code_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.api.response.code
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.activity_id
+ tag: convert_activity_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.category_uid
+ tag: convert_category_uid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.cloud.account.type_id
+ tag: convert_cloud_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.count
+ tag: convert_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.count
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.end_time_dt
+ tag: date_end_time_dt
+ target_field: ocsf.end_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.end_time_dt != null && ctx.ocsf.end_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.end_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.end
+ tag: set_event_end_from_end_time_dt
+ copy_from: ocsf.end_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.end_time
+ tag: date_end_time
+ target_field: ocsf.end_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.end_time != null && ctx.ocsf.end_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.end_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.end
+ tag: set_event_end_from_end_time
+ copy_from: ocsf.end_time
+ ignore_empty_value: true
+ - date:
+ field: ocsf.time_dt
+ tag: date_timestamp_from_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.time_dt != null && ctx.ocsf.time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.time
+ tag: date_timestamp_from_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.time != null && ctx.ocsf.time != ''
+ on_failure:
+ - remove:
+ field: ocsf.time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.time_dt
+ tag: date_time_dt
+ target_field: ocsf.time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.time_dt != null && ctx.ocsf.time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.time
+ tag: date_time
+ target_field: ocsf.time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.time != null && ctx.ocsf.time != ''
+ on_failure:
+ - remove:
+ field: ocsf.time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.metadata.logged_time_dt
+ tag: date_metadata_logged_time_dt
+ target_field: ocsf.metadata.logged_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.metadata?.logged_time_dt != null && ctx.ocsf.metadata.logged_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.metadata.logged_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.metadata.logged_time
+ tag: date_metadata_logged_time
+ target_field: ocsf.metadata.logged_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.metadata?.logged_time != null && ctx.ocsf.metadata.logged_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.metadata.logged_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.metadata.modified_time_dt
+ tag: date_metadata_modified_time_dt
+ target_field: ocsf.metadata.modified_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.metadata?.modified_time_dt != null && ctx.ocsf.metadata.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.metadata.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.metadata.modified_time
+ tag: date_metadata_modified_time
+ target_field: ocsf.metadata.modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.metadata?.modified_time != null && ctx.ocsf.metadata.modified_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.metadata.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.metadata.processed_time_dt
+ tag: date_metadata_processed_time_dt
+ target_field: ocsf.metadata.processed_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.metadata?.processed_time_dt != null && ctx.ocsf.metadata.processed_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.metadata.processed_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.metadata.processed_time
+ tag: date_metadata_processed_time
+ target_field: ocsf.metadata.processed_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.metadata?.processed_time != null && ctx.ocsf.metadata.processed_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.metadata.processed_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.observables
+ if: ctx.ocsf?.observables instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.reputation.base_score
+ tag: convert_reputation_base_score_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.reputation.base_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.observables
+ if: ctx.ocsf?.observables instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.reputation.score_id
+ tag: convert_reputation_score_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.observables
+ if: ctx.ocsf?.observables instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.type_id
+ tag: convert_type_id_to_string
+ type: string
+ ignore_missing: true
+ - script:
+ lang: painless
+ tag: script_to_map_observables_into_key_value_pair
+ description: Map observables into key value pair.
+ if: ctx.ocsf?.observables != null && ctx.ocsf.observables instanceof List
+ source: >
+ for (int i = 0; i < ctx.ocsf.observables.length; ++i) {
+ if (ctx['ocsf']['observables'][i]['value'] != null) {
+ ctx.ocsf.observables[i][ctx['ocsf']['observables'][i]['name']] = ctx['ocsf']['observables'][i]['value'];
+ }
+ }
+ - convert:
+ field: ocsf.severity_id
+ tag: convert_severity_id_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.severity_id
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.severity
+ tag: set_event_severity
+ copy_from: ocsf.severity_id
+ ignore_empty_value: true
+ - date:
+ field: ocsf.start_time_dt
+ tag: date_start_time_dt
+ target_field: ocsf.start_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.start_time_dt != null && ctx.ocsf.start_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.start_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.start
+ tag: set_event_start_from_start_time_dt
+ copy_from: ocsf.start_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.start_time
+ tag: date_start_time
+ target_field: ocsf.start_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.start_time != null && ctx.ocsf.start_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.start_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.start
+ tag: set_event_start_from_start_time
+ copy_from: ocsf.start_time
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.status_id
+ tag: convert_status_id_to_string
+ type: string
+ ignore_missing: true
+ - set:
+ field: event.outcome
+ value: unknown
+ if: ctx.ocsf?.status_id == '0'
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.ocsf?.status_id == '1'
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.ocsf?.status_id == '2'
+ - convert:
+ field: ocsf.timezone_offset
+ tag: convert_timezone_offset_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.timezone_offset
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.type_uid
+ tag: convert_type_uid_to_string
+ type: string
+ ignore_missing: true
+ - json:
+ field: ocsf.raw_data
+ if: ctx.ocsf?.raw_data instanceof String
+ tag: json_decoding_raw_data
+ on_failure:
+ - rename:
+ field: ocsf.raw_data
+ target_field: ocsf.raw_data_keyword
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_actor" }}'
+ if: ctx.ocsf?.class_uid != null && ['3001','3002','4001','4003','6003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
+ tag: pipeline_object_actor
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_attack" }}'
+ if: ctx.ocsf?.class_uid != null && ['2001','4001','4003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.attacks != null
+ tag: pipeline_object_attack
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_network_connection_info" }}'
+ if: ctx.ocsf?.class_uid != null && ['4001','4003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.connection_info != null
+ tag: pipeline_object_network_connection_info
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_device" }}'
+ if: ctx.ocsf?.class_uid != null && ['3001','3002','4001','4003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
+ tag: pipeline_object_device
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_http_request" }}'
+ if: ctx.ocsf?.class_uid != null && ['3001','3002','6003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.http_request != null
+ tag: pipeline_object_http_request
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_malware" }}'
+ if: ctx.ocsf?.class_uid != null && ['2001','4001','4003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.malware != null
+ tag: pipeline_object_malware
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_network_endpoint" }}'
+ if: ctx.ocsf?.class_uid != null && ['3001','3002','4001','4003','6003'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null)
+ tag: pipeline_object_network_endpoint
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_process" }}'
+ if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid) && ctx.ocsf.process != null
+ tag: pipeline_object_process
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_proxy" }}'
+ if: ctx.ocsf?.class_uid != null && ['4001','4003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.proxy != null
+ tag: pipeline_object_proxy
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_tls" }}'
+ if: ctx.ocsf?.class_uid != null && ['4001','4003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.tls != null
+ tag: pipeline_object_tls
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_traffic" }}'
+ if: ctx.ocsf?.class_uid != null && ['4001','4003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.traffic != null
+ tag: pipeline_object_traffic
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_object_user" }}'
+ if: ctx.ocsf?.class_uid != null && ['3001','3002'].contains(ctx.ocsf.class_uid) && ctx.ocsf.user != null
+ tag: pipeline_object_user
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_category_findings" }}'
+ if: ctx.ocsf?.category_uid != null && ctx.ocsf.category_uid == '2'
+ tag: pipeline_category_findings
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_category_identity_and_access_management" }}'
+ if: ctx.ocsf?.category_uid != null && ctx.ocsf.category_uid == '3'
+ tag: pipeline_category_identity_and_access_management
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_category_network_activity" }}'
+ if: ctx.ocsf?.category_uid != null && ctx.ocsf.category_uid == '4'
+ tag: pipeline_category_network_activity
+ ignore_missing_pipeline: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_category_application_activity" }}'
+ if: ctx.ocsf?.category_uid != null && ctx.ocsf.category_uid == '6'
+ tag: pipeline_category_application_activity
+ ignore_missing_pipeline: true
+ - foreach:
+ field: ocsf.process.user.groups
+ if: ctx.ocsf?.process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.uid
+ - _ingest._value.name
+ tag: remove_duplicate_custom_fields_from_process_user_groups_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.actor.process.user.groups
+ if: ctx.ocsf?.actor?.process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.uid
+ - _ingest._value.name
+ tag: remove_duplicate_custom_fields_from_actor_process_user_groups_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.process.parent_process.user.groups
+ if: ctx.ocsf?.process?.parent_process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.uid
+ - _ingest._value.name
+ tag: remove_duplicate_custom_fields_from_process_parent_process_user_groups_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.actor.process.parent_process.user.groups
+ if: ctx.ocsf?.actor?.process?.parent_process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.uid
+ - _ingest._value.name
+ tag: remove_duplicate_custom_fields_from_actor_process_parent_process_user_groups_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.actor.user.groups
+ if: ctx.ocsf?.actor?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.uid
+ - _ingest._value.name
+ tag: remove_duplicate_custom_fields_from_actor_user_groups_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.user.groups
+ if: ctx.ocsf?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.uid
+ - _ingest._value.name
+ tag: remove_duplicate_custom_fields_from_user_groups_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.user_result.groups
+ if: ctx.ocsf?.user_result?.groups instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.uid
+ - _ingest._value.name
+ tag: remove_duplicate_custom_fields_from_user_result_groups_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.tls.sans
+ if: ctx.ocsf?.tls?.sans instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.name
+ tag: remove_duplicate_custom_fields_from_tls_sans_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.attacks
+ if: ctx.ocsf?.attacks instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.technique.uid
+ - _ingest._value.technique.name
+ tag: remove_duplicate_custom_fields_from_attacks_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.attacks
+ if: ctx.ocsf?.attacks instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.tactics
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.uid
+ - _ingest._value.name
+ tag: remove_duplicate_custom_fields_from_attacks_tactics_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.desc
+ - _ingest._value.cve.uid
+ - _ingest._value.references
+ - _ingest._value.vendor_name
+ - _ingest._value.cve.cvss.base_score
+ - _ingest._value.cve.cvss.version
+ - _ingest._value.severity
+ tag: remove_duplicate_custom_fields_from_vulnerabilities_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.answers
+ if: ctx.ocsf?.answers instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.rdata
+ - _ingest._value.packet_uid
+ - _ingest._value.class
+ - _ingest._value.type
+ - _ingest._value.ttl
+ tag: remove_duplicate_custom_fields_from_answers_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.cvss.base_score
+ - _ingest._value.cvss.version
+ - _ingest._value.uid
+ tag: remove_duplicate_custom_fields_from_malware_cves_array
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - remove:
+ field:
+ - ocsf.time
+ - ocsf.cloud.account.uid
+ - ocsf.cloud.account.name
+ - ocsf.cloud.zone
+ - ocsf.cloud.project_uid
+ - ocsf.cloud.provider
+ - ocsf.cloud.region
+ - ocsf.metadata.event_code
+ - ocsf.end_time
+ - ocsf.metadata.uid
+ - ocsf.metadata.log_provider
+ - ocsf.metadata.sequence
+ - ocsf.severity_id
+ - ocsf.message
+ - ocsf.metadata.labels
+ - ocsf.process.container.uid
+ - ocsf.process.container.image.name
+ - ocsf.process.container.image.tag
+ - ocsf.process.container.image.labels
+ - ocsf.process.container.name
+ - ocsf.process.container.runtime
+ - ocsf.finding.created_time
+ - ocsf.finding.src_url
+ - ocsf.risk_score
+ - ocsf.process.file.accessed_time
+ - ocsf.process.file.created_time
+ - ocsf.process.file.parent_folder
+ - ocsf.process.file.uid
+ - ocsf.process.file.mime_type
+ - ocsf.process.file.modified_time
+ - ocsf.process.file.name
+ - ocsf.process.file.owner.name
+ - ocsf.process.file.path
+ - ocsf.process.file.size
+ - ocsf.process.file.type
+ - ocsf.process.file.owner.uid
+ - ocsf.process.file.signature.certificate.issuer
+ - ocsf.process.file.signature.certificate.expiration_time
+ - ocsf.process.file.signature.certificate.serial_number
+ - ocsf.process.file.signature.certificate.subject
+ - ocsf.process.file.signature.certificate.version
+ - ocsf.process.container.orchestrator
+ - ocsf.process.cmd_line
+ - ocsf.process.terminated_time
+ - ocsf.process.uid
+ - ocsf.process.egid
+ - ocsf.process.group.uid
+ - ocsf.process.group.name
+ - ocsf.process.name
+ - ocsf.process.pid
+ - ocsf.process.created_time
+ - ocsf.process.tid
+ - ocsf.process.user.domain
+ - ocsf.process.user.email_addr
+ - ocsf.process.user.full_name
+ - ocsf.process.euid
+ - ocsf.process.user.uid
+ - ocsf.process.user.name
+ - ocsf.process.parent_process.cmd_line
+ - ocsf.process.parent_process.terminated_time
+ - ocsf.process.parent_process.uid
+ - ocsf.process.parent_process.egid
+ - ocsf.process.parent_process.group.uid
+ - ocsf.process.parent_process.group.name
+ - ocsf.process.parent_process.name
+ - ocsf.process.parent_process.pid
+ - ocsf.process.parent_process.created_time
+ - ocsf.process.parent_process.tid
+ - ocsf.process.parent_process.user.domain
+ - ocsf.process.parent_process.user.email_addr
+ - ocsf.process.parent_process.user.full_name
+ - ocsf.process.parent_process.euid
+ - ocsf.process.parent_process.user.uid
+ - ocsf.process.parent_process.user.name
+ - ocsf.actor.process.cmd_line
+ - ocsf.actor.process.container.image.labels
+ - ocsf.actor.process.container.image.name
+ - ocsf.actor.process.container.image.tag
+ - ocsf.actor.process.container.name
+ - ocsf.actor.process.container.orchestrator
+ - ocsf.actor.process.container.runtime
+ - ocsf.actor.process.container.uid
+ - ocsf.actor.process.created_time
+ - ocsf.actor.process.egid
+ - ocsf.actor.process.euid
+ - ocsf.actor.process.file.accessed_time
+ - ocsf.actor.process.file.created_time
+ - ocsf.actor.process.file.mime_type
+ - ocsf.actor.process.file.modified_time
+ - ocsf.actor.process.file.name
+ - ocsf.actor.process.file.owner.name
+ - ocsf.actor.process.file.owner.uid
+ - ocsf.actor.process.file.parent_folder
+ - ocsf.actor.process.file.path
+ - ocsf.actor.process.file.signature.certificate.expiration_time
+ - ocsf.actor.process.file.signature.certificate.issuer
+ - ocsf.actor.process.file.signature.certificate.serial_number
+ - ocsf.actor.process.file.signature.certificate.subject
+ - ocsf.actor.process.file.signature.certificate.version
+ - ocsf.actor.process.file.size
+ - ocsf.actor.process.file.type
+ - ocsf.actor.process.file.uid
+ - ocsf.actor.process.group.name
+ - ocsf.actor.process.group.uid
+ - ocsf.actor.process.name
+ - ocsf.actor.process.pid
+ - ocsf.actor.process.terminated_time
+ - ocsf.actor.process.tid
+ - ocsf.actor.process.uid
+ - ocsf.actor.process.user.domain
+ - ocsf.actor.process.user.email_addr
+ - ocsf.actor.process.user.full_name
+ - ocsf.actor.process.user.name
+ - ocsf.actor.process.user.uid
+ - ocsf.actor.process.parent_process.cmd_line
+ - ocsf.actor.process.parent_process.created_time
+ - ocsf.actor.process.parent_process.egid
+ - ocsf.actor.process.parent_process.euid
+ - ocsf.actor.process.parent_process.group.name
+ - ocsf.actor.process.parent_process.group.uid
+ - ocsf.actor.process.parent_process.name
+ - ocsf.actor.process.parent_process.pid
+ - ocsf.actor.process.parent_process.terminated_time
+ - ocsf.actor.process.parent_process.tid
+ - ocsf.actor.process.parent_process.uid
+ - ocsf.actor.process.parent_process.user.domain
+ - ocsf.actor.process.parent_process.user.email_addr
+ - ocsf.actor.process.parent_process.user.full_name
+ - ocsf.actor.process.parent_process.user.name
+ - ocsf.actor.process.parent_process.user.uid
+ - ocsf.actor.user.domain
+ - ocsf.actor.user.email_addr
+ - ocsf.actor.user.full_name
+ - ocsf.actor.user.name
+ - ocsf.actor.user.uid
+ - ocsf.user.domain
+ - ocsf.user.email_addr
+ - ocsf.user.full_name
+ - ocsf.user.name
+ - ocsf.user.uid
+ - ocsf.user_result.domain
+ - ocsf.user_result.email_addr
+ - ocsf.user_result.full_name
+ - ocsf.user_result.name
+ - ocsf.user_result.uid
+ - ocsf.traffic.bytes
+ - ocsf.traffic.bytes_in
+ - ocsf.traffic.bytes_out
+ - ocsf.traffic.packets
+ - ocsf.traffic.packets_in
+ - ocsf.traffic.packets_out
+ - ocsf.tls.certificate.expiration_time
+ - ocsf.tls.certificate.issuer
+ - ocsf.tls.certificate.serial_number
+ - ocsf.tls.certificate.subject
+ - ocsf.tls.certificate.version
+ - ocsf.tls.cipher
+ - ocsf.tls.client_ciphers
+ - ocsf.tls.ja3_hash.value
+ - ocsf.tls.ja3s_hash.value
+ - ocsf.tls.sni
+ - ocsf.tls.version
+ - ocsf.start_time
+ - ocsf.src_endpoint.domain
+ - ocsf.src_endpoint.hostname
+ - ocsf.src_endpoint.ip
+ - ocsf.src_endpoint.location.city
+ - ocsf.src_endpoint.location.continent
+ - ocsf.src_endpoint.location.coordinates
+ - ocsf.src_endpoint.location.country
+ - ocsf.src_endpoint.location.desc
+ - ocsf.src_endpoint.location.postal_code
+ - ocsf.src_endpoint.location.region
+ - ocsf.src_endpoint.mac
+ - ocsf.src_endpoint.port
+ - ocsf.src_endpoint.svc_name
+ - ocsf.dst_endpoint.domain
+ - ocsf.dst_endpoint.hostname
+ - ocsf.dst_endpoint.ip
+ - ocsf.dst_endpoint.location.city
+ - ocsf.dst_endpoint.location.continent
+ - ocsf.dst_endpoint.location.coordinates
+ - ocsf.dst_endpoint.location.country
+ - ocsf.dst_endpoint.location.desc
+ - ocsf.dst_endpoint.location.postal_code
+ - ocsf.dst_endpoint.location.region
+ - ocsf.dst_endpoint.mac
+ - ocsf.dst_endpoint.port
+ - ocsf.dst_endpoint.svc_name
+ - ocsf.connection_info.protocol_name
+ - ocsf.connection_info.protocol_num
+ - ocsf.connection_info.protocol_ver
+ - ocsf.device.domain
+ - ocsf.device.hostname
+ - ocsf.device.ip
+ - ocsf.device.location.city
+ - ocsf.device.location.continent
+ - ocsf.device.location.coordinates
+ - ocsf.device.location.country
+ - ocsf.device.location.desc
+ - ocsf.device.location.postal_code
+ - ocsf.device.location.region
+ - ocsf.device.mac
+ - ocsf.device.name
+ - ocsf.device.os.build
+ - ocsf.device.os.name
+ - ocsf.device.risk_level
+ - ocsf.device.risk_score
+ - ocsf.device.type
+ - ocsf.device.uid
+ - ocsf.device.vlan_uid
+ - ocsf.http_request.http_method
+ - ocsf.http_request.referrer
+ - ocsf.http_request.uid
+ - ocsf.http_request.url.hostname
+ - ocsf.http_request.url.path
+ - ocsf.http_request.url.port
+ - ocsf.http_request.url.query_string
+ - ocsf.http_request.url.scheme
+ - ocsf.http_request.url.subdomain
+ - ocsf.http_request.url.url_string
+ - ocsf.http_request.user_agent
+ - ocsf.http_request.version
+ - ocsf.query.hostname
+ - ocsf.query.packet_uid
+ - ocsf.query.class
+ - ocsf.query.type
+ - ocsf.rcode
+ - ocsf.service.name
+ - ocsf.service.uid
+ - ocsf.service.version
+ tag: remove_duplicate_custom_fields
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - remove:
+ field: event.original
+ tag: remove_event_original
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ - script:
+ lang: painless
+ description: Drops null/empty values recursively.
+ tag: painless_remove_null
+ source: |-
+ boolean drop(Object object) {
+ if (object == null || object == '') {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(v -> drop(v));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(v -> drop(v));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - foreach:
+ field: dns.answers.ttl
+ if: ctx.dns?.answers?.ttl instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_dns_answers_ttl_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: vulnerability.score.base
+ if: ctx.vulnerability?.score?.base instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_vulnerability_score_base_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
+ tag: set_pipeline_error_into_event_kind
+ if: ctx.error?.message != null
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml
new file mode 100644
index 00000000000..91265cea003
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml
@@ -0,0 +1,81 @@
+---
+description: Pipeline for processing API Activity category.
+# API Activity class docs: https://schema.ocsf.io/1.0.0-rc.3/class/graph/api_activity
+processors:
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.owner.account.type_id
+ tag: convert_resources_owner_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.owner.type_id
+ tag: convert_resources_owner_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_uid_alt_into_related_user
+ value: '{{{_ingest._value.owner.uid_alt}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_email_addr_into_related_user
+ value: '{{{_ingest._value.owner.email_addr}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_full_name_into_related_user
+ value: '{{{_ingest._value.owner.full_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_name_into_related_user
+ value: '{{{_ingest._value.owner.name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_uid_into_related_user
+ value: '{{{_ingest._value.owner.uid}}}'
+ allow_duplicates: false
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
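Review bot: The `description` on the second line reads `Pipeline for processing API Activity category.` while the file is named pipeline_category_application_activity.yml and the comment below it links the API Activity class docs; Application Activity is the category and API Activity a class within it, so the line should read `description: Pipeline for processing Application Activity category.` with the class comment kept as is. A smaller point: the five `append` processors that feed `related.user` from `{{{_ingest._value.owner.*}}}` carry no guard on the value, so a resource whose owner lacks, say, `uid_alt` appends an empty string to `related.user` (collapsed to a single entry by `allow_duplicates: false`), which is only harmless if the caller's empty-value cleanup runs after this pipeline, something not visible here. Adding `if: ctx._ingest._value?.owner?.uid_alt != null` (and the analogue on the other four) keeps the array clean regardless of pipeline order.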
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml
new file mode 100644
index 00000000000..2e6e9e118e1
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml
@@ -0,0 +1,541 @@
+---
+description: Pipeline for processing Findings category.
+# Security Findings Class docs: https://schema.ocsf.io/1.0.0-rc.3/classes/security_finding
+processors:
+ - set:
+ field: event.reference
+ tag: set_event_reference
+ copy_from: ocsf.finding.src_url
+ ignore_empty_value: true
+ - uri_parts:
+ field: ocsf.finding.src_url
+ tag: uri_parts_finding_src_url
+ if: ctx.ocsf?.finding?.src_url != null
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.analytic.type_id
+ tag: convert_analytic_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.confidence_id
+ tag: convert_confidence_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.confidence_score
+ tag: convert_confidence_score_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.confidence_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.created_time_dt
+ tag: date_finding_created_time_dt
+ target_field: event.created
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.finding?.created_time_dt != null && ctx.ocsf.finding.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.created_time
+ tag: date_finding_created_time
+ target_field: event.created
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.finding?.created_time != null && ctx.ocsf.finding.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.created_time_dt
+ tag: date_finding_created_time_dt
+ target_field: ocsf.finding.created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.finding?.created_time_dt != null && ctx.ocsf.finding.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.created_time
+ tag: date_finding_created_time
+ target_field: ocsf.finding.created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.finding?.created_time != null && ctx.ocsf.finding.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.first_seen_time_dt
+ tag: date_finding_first_seen_time_dt
+ target_field: ocsf.finding.first_seen_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.finding?.first_seen_time_dt != null && ctx.ocsf.finding.first_seen_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.first_seen_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.first_seen_time
+ tag: date_finding_first_seen_time
+ target_field: ocsf.finding.first_seen_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.finding?.first_seen_time != null && ctx.ocsf.finding.first_seen_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.first_seen_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.last_seen_time_dt
+ tag: date_finding_last_seen_time_dt
+ target_field: ocsf.finding.last_seen_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.finding?.last_seen_time_dt != null && ctx.ocsf.finding.last_seen_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.last_seen_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.last_seen_time
+ tag: date_finding_last_seen_time
+ target_field: ocsf.finding.last_seen_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.finding?.last_seen_time != null && ctx.ocsf.finding.last_seen_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.last_seen_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.modified_time_dt
+ tag: date_finding_modified_time_dt
+ target_field: ocsf.finding.modified_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.finding?.modified_time_dt != null && ctx.ocsf.finding.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.finding.modified_time
+ tag: date_finding_modified_time
+ target_field: ocsf.finding.modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.finding?.modified_time != null && ctx.ocsf.finding.modified_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.finding.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.finding.related_events
+ if: ctx.ocsf?.finding?.related_events instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.type_uid
+ tag: convert_finding_related_events_type_uid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.impact_score
+ tag: convert_impact_score_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.impact_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.state_id
+ tag: convert_state_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.impact_id
+ tag: convert_impact_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.kill_chain
+ if: ctx.ocsf?.kill_chain instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.phase_id
+ tag: convert_kill_chain_phase_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.risk_level_id
+ tag: convert_risk_level_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.risk_score
+ tag: convert_risk_score_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.risk_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.risk_score
+ tag: set_event_risk_score
+ copy_from: ocsf.risk_score
+ ignore_empty_value: true
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.id
+ value: '{{{_ingest._value.cve.uid}}}'
+ tag: append_vulnerabilities_cve_uid_into_vulnerability_id
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.score.version
+ value: '{{{_ingest._value.cve.cvss.version}}}'
+ tag: append_vulnerabilities_cve_cvss_version_into_vulnerability_score_version
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.description
+ value: '{{{_ingest._value.desc}}}'
+ tag: append_vulnerabilities_desc_into_vulnerability_description
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.references
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.reference
+ value: '{{{_ingest._value}}}'
+ tag: append_vulnerabilities_references_into_vulnerability_references
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.cve.cvss.base_score
+ tag: convert_vulnerabilities_cve_cvss_base_score_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.cve.cvss.base_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.score.base
+ value: '{{{_ingest._value.cve.cvss.base_score}}}'
+ tag: append_vulnerabilities_cve_cvss_base_score_into_vulnerability_score_base
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.severity
+ value: '{{{_ingest._value.severity}}}'
+ tag: append_vulnerabilities_severity_into_vulnerability_severity
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.scanner.vendor
+ value: '{{{_ingest._value.vendor_name}}}'
+ tag: append_vulnerabilities_vendor_name_into_vulnerability_scanner_vendor
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.cve.cvss.overall_score
+ tag: convert_vulnerabilities_cve_cvss_overall_score_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.cve.cvss.overall_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.cve.cvss.severity
+ tag: convert_vulnerabilities_cve_cvss_severity_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.cve.cvss.severity
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.cve.created_time_dt
+ target_field: _ingest.cve.created_time_dt
+ tag: date_vulnerabilities_cve_created_time_dt
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.cve.created_time_dt
+ ignore_missing: true
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.cve.created_time
+ target_field: _ingest.cve.created_time
+ tag: date_vulnerabilities_cve_created_time
+ formats:
+ - UNIX_MS
+ on_failure:
+ - remove:
+ field: _ingest._value.cve.created_time
+ ignore_missing: true
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.cve.modified_time_dt
+ target_field: _ingest.cve.modified_time_dt
+ tag: date_vulnerabilities_cve_modified_time_dt
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.cve.modified_time_dt
+ ignore_missing: true
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.cve.modified_time
+ target_field: _ingest.cve.modified_time
+ tag: date_vulnerabilities_cve_modified_time
+ formats:
+ - UNIX_MS
+ on_failure:
+ - remove:
+ field: _ingest._value.cve.modified_time
+ ignore_missing: true
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.fix_available
+ tag: convert_vulnerabilities_fix_available_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.fix_available
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.vulnerabilities
+ if: ctx.ocsf?.vulnerabilities instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.packages
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.epoch
+ tag: convert_vulnerabilities_packages_epoch_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.epoch
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_email_addr_into_related_user
+ value: '{{{_ingest._value.owner.email_addr}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_full_name_into_related_user
+ value: '{{{_ingest._value.owner.full_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_uid_into_related_user
+ value: '{{{_ingest._value.owner.uid}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_name_into_related_user
+ value: '{{{_ingest._value.owner.name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.owner.account.type_id
+ tag: convert_resources_owner_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.owner.type_id
+ tag: convert_resources_owner_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.resources
+ if: ctx.ocsf?.resources instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.user
+ tag: append_resources_owner_uid_alt_into_related_user
+ value: '{{{_ingest._value.owner.uid_alt}}}'
+ allow_duplicates: false
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
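Review bot: The four `date` processors inside the `ocsf.vulnerabilities` foreach (tags `date_vulnerabilities_cve_created_time_dt`, `date_vulnerabilities_cve_created_time`, `date_vulnerabilities_cve_modified_time_dt`, `date_vulnerabilities_cve_modified_time`) use `target_field: _ingest.cve.created_time_dt` and the like, which is the ingest metadata namespace rather than the array element, so the parsed timestamp appears to be discarded with the metadata while the original string stays on `_ingest._value.cve.*`; every other processor in this hunk targets `_ingest._value...`, so these should read `target_field: _ingest._value.cve.created_time_dt` (and the three analogues). Separately, the tags `date_finding_created_time_dt` and `date_finding_created_time` are each used twice (once targeting `event.created`, once the source field itself), which makes the `with tag ...` part of the error.message template ambiguous; a suffix such as `date_finding_created_time_dt_into_event_created` on the first pair would disambiguate. Finally, `convert_vulnerabilities_cve_cvss_severity_to_double` converts `cve.cvss.severity` to a double and removes the field on failure; if that field carries a textual severity label, as the sibling `vulnerability.severity` append suggests it may, the processor silently drops it, so the expected type is worth confirming against the OCSF cvss object before keeping the conversion.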
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml
new file mode 100644
index 00000000000..afef15df447
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml
@@ -0,0 +1,1734 @@
+---
+description: Pipeline for processing Identity & Access Management category.
+# Account Change Class docs: https://schema.ocsf.io/1.0.0-rc.3/classes/account_change
+# Authentication Class docs: https://schema.ocsf.io/1.0.0-rc.3/classes/authentication
+processors:
+ - set:
+ field: user.changes.domain
+ tag: set_user_changes_domain
+ copy_from: ocsf.user_result.domain
+ ignore_empty_value: true
+ - set:
+ field: user.changes.email
+ tag: set_user_changes_email
+ copy_from: ocsf.user_result.email_addr
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_user_result_email_addr_into_related_user
+ value: '{{{ocsf.user_result.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user_result?.email_addr != null
+ - set:
+ field: user.changes.full_name
+ tag: set_user_changes_full_name
+ copy_from: ocsf.user_result.full_name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_user_result_full_name_into_related_user
+ value: '{{{ocsf.user_result.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user_result?.full_name != null
+ - foreach:
+ field: ocsf.user_result.groups
+ if: ctx.ocsf?.user_result?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: user.changes.group.id
+ value: '{{{_ingest._value.uid}}}'
+ tag: append_user_result_groups_uid_into_user_changes_group_id
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.user_result.groups
+ if: ctx.ocsf?.user_result?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: user.changes.group.name
+ value: '{{{_ingest._value.name}}}'
+ tag: append_user_result_groups_name_into_user_changes_group_name
+ allow_duplicates: false
+ - set:
+ field: user.changes.id
+ tag: set_user_changes_id
+ copy_from: ocsf.user_result.uid
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_user_result_uid_into_related_user
+ value: '{{{ocsf.user_result.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user_result?.uid != null
+ - set:
+ field: user.changes.name
+ tag: set_user_changes_name
+ copy_from: ocsf.user_result.name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_user_result_name_into_related_user
+ value: '{{{ocsf.user_result.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user_result?.name != null
+ - convert:
+ field: ocsf.user_result.account.type_id
+ tag: convert_user_result_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.user_result.type_id
+ tag: convert_user_result_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_user_result_uid_alt_into_related_user
+ value: '{{{ocsf.user_result.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user_result?.uid_alt != null
+ - convert:
+ field: ocsf.auth_protocol_id
+ tag: convert_auth_protocol_id_to_string
+ type: string
+ ignore_missing: true
+ - date:
+ field: ocsf.certificate.created_time_dt
+ tag: date_certificate_created_time_dt
+ target_field: ocsf.certificate.created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.certificate?.created_time_dt != null && ctx.ocsf.certificate.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.certificate.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.certificate.created_time
+ tag: date_certificate_created_time
+ target_field: ocsf.certificate.created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.certificate?.created_time != null && ctx.ocsf.certificate.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.certificate.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.certificate.expiration_time_dt
+ tag: date_certificate_expiration_time_dt
+ target_field: ocsf.certificate.expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.certificate?.expiration_time_dt != null && ctx.ocsf.certificate.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.certificate.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.certificate.expiration_time
+ tag: date_certificate_expiration_time
+ target_field: ocsf.certificate.expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.certificate?.expiration_time != null && ctx.ocsf.certificate.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.certificate.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.certificate.fingerprints
+ if: ctx.ocsf?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ value: '{{{_ingest._value.value}}}'
+ tag: append_certificate_fingerprints_value_into_related_hash
+ allow_duplicates: false
+ - convert:
+ field: ocsf.is_cleartext
+ tag: convert_is_cleartext_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.is_cleartext
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.hash
+ tag: append_logon_process_container_hash_value_into_related_hash
+ value: '{{{ocsf.logon_process.container.hash.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.container?.hash?.value != null
+ - date:
+ field: ocsf.logon_process.file.accessed_time_dt
+ target_field: ocsf.logon_process.file.accessed_time_dt
+ tag: date_logon_process_file_accessed_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.file?.accessed_time_dt != null && ctx.ocsf.logon_process.file.accessed_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.accessed_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.file.accessed_time
+ target_field: ocsf.logon_process.file.accessed_time
+ tag: date_logon_process_file_accessed_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.file?.accessed_time != null && ctx.ocsf.logon_process.file.accessed_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.accessed_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.file.created_time_dt
+ target_field: ocsf.logon_process.file.created_time_dt
+ tag: date_logon_process_file_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.file?.created_time_dt != null && ctx.ocsf.logon_process.file.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.file.created_time
+ target_field: ocsf.logon_process.file.created_time
+ tag: date_logon_process_file_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.file?.created_time != null && ctx.ocsf.logon_process.file.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.logon_process.file.hashes
+ if: ctx.ocsf?.logon_process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_logon_process_file_hashes_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - date:
+ field: ocsf.logon_process.file.modified_time_dt
+ target_field: ocsf.logon_process.file.modified_time_dt
+ tag: date_logon_process_file_modified_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.file?.modified_time_dt != null && ctx.ocsf.logon_process.file.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.file.modified_time
+ target_field: ocsf.logon_process.file.modified_time
+ tag: date_logon_process_file_modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.file?.modified_time != null && ctx.ocsf.logon_process.file.modified_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_logon_process_file_owner_name_into_related_user
+ value: '{{{ocsf.logon_process.file.owner.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.owner?.name != null
+ - convert:
+ field: ocsf.logon_process.file.size
+ tag: convert_logon_process_file_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_logon_process_file_owner_uid_into_related_user
+ value: '{{{ocsf.logon_process.file.owner.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.owner?.uid != null
+ - date:
+ field: ocsf.logon_process.file.signature.certificate.expiration_time_dt
+ target_field: ocsf.logon_process.file.signature.certificate.expiration_time_dt
+ tag: date_logon_process_file_signature_certificate_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.file?.signature?.certificate?.expiration_time_dt != null && ctx.ocsf.logon_process.file.signature.certificate.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.signature.certificate.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.file.signature.certificate.expiration_time
+ target_field: ocsf.logon_process.file.signature.certificate.expiration_time
+ tag: date_logon_process_file_signature_certificate_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.file?.signature?.certificate?.expiration_time != null && ctx.ocsf.logon_process.file.signature.certificate.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.signature.certificate.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.terminated_time_dt
+ target_field: ocsf.logon_process.terminated_time_dt
+ tag: date_logon_process_terminated_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.terminated_time_dt != null && ctx.ocsf.logon_process.terminated_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.terminated_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.terminated_time
+ target_field: ocsf.logon_process.terminated_time
+ tag: date_logon_process_terminated_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.terminated_time != null && ctx.ocsf.logon_process.terminated_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.terminated_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.egid
+ tag: convert_logon_process_egid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.pid
+ tag: convert_logon_process_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.created_time_dt
+ target_field: ocsf.logon_process.created_time_dt
+ tag: date_logon_process_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.created_time_dt != null && ctx.ocsf.logon_process.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.created_time
+ target_field: ocsf.logon_process.created_time
+ tag: date_logon_process_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.created_time != null && ctx.ocsf.logon_process.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.tid
+ tag: convert_logon_process_tid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.tid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_logon_process_user_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.user.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.user?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_user_full_name_into_related_user
+ value: '{{{ocsf.logon_process.user.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.user?.full_name != null
+ - convert:
+ field: ocsf.logon_process.euid
+ tag: convert_logon_process_euid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_logon_process_euid_into_related_user
+ value: '{{{ocsf.logon_process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.euid != null
+ - append:
+ field: related.user
+ tag: append_logon_process_uid_into_related_user
+ value: '{{{ocsf.logon_process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.user?.uid != null
+ - append:
+ field: related.user
+ tag: append_logon_process_user_name_into_related_user
+ value: '{{{ocsf.logon_process.user.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.user?.name != null
+ - convert:
+ field: ocsf.logon_process.container.hash.algorithm_id
+ tag: convert_logon_process_container_hash_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.auid
+ tag: convert_logon_process_auid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.container.size
+ tag: convert_logon_process_container_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.container.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.file.accessor.account.type_id
+ tag: convert_logon_process_file_accessor_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_logon_process_file_accessor_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.file.accessor.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.accessor?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_accessor_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.file.accessor.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.accessor?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_accessor_full_name_into_related_user
+ value: '{{{ocsf.logon_process.file.accessor.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.accessor?.full_name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_accessor_name_into_related_user
+ value: '{{{ocsf.logon_process.file.accessor.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.accessor?.name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_accessor_uid_into_related_user
+ value: '{{{ocsf.logon_process.file.accessor.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.accessor?.uid != null
+ - convert:
+ field: ocsf.logon_process.file.accessor.type_id
+ tag: convert_logon_process_file_accessor_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.file.attributes
+ tag: convert_logon_process_file_attributes_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.attributes
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.file.confidentiality_id
+ tag: convert_logon_process_file_confidentiality_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.file.creator.account.type_id
+ tag: convert_logon_process_file_creator_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.file.creator.type_id
+ tag: convert_logon_process_file_creator_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.logon_process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.logon_process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_logon_process_file_signature_certificate_fingerprints_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.logon_process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.logon_process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_logon_process_file_signature_certificate_fingerprints_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.logon_process.file.signature.algorithm_id
+ tag: convert_logon_process_file_signature_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_logon_process_file_signature_value_into_related_hash
+ value: '{{{ocsf.logon_process.file.signature.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.signature?.value != null
+ - date:
+ field: ocsf.logon_process.file.signature.certificate.created_time_dt
+ target_field: ocsf.logon_process.file.signature.certificate.created_time_dt
+ tag: date_logon_process_file_signature_certificate_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.file?.signature?.certificate?.created_time_dt != null && ctx.ocsf.logon_process.file.signature.certificate.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.signature.certificate.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.file.signature.certificate.created_time
+ target_field: ocsf.logon_process.file.signature.certificate.created_time
+ tag: date_logon_process_file_signature_certificate_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.file?.signature?.certificate?.created_time != null && ctx.ocsf.logon_process.file.signature.certificate.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.signature.certificate.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.file.signature.created_time_dt
+ target_field: ocsf.logon_process.file.signature.created_time_dt
+ tag: date_logon_process_file_signature_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.file?.signature?.created_time_dt != null && ctx.ocsf.logon_process.file.signature.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.signature.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.file.signature.created_time
+ target_field: ocsf.logon_process.file.signature.created_time
+ tag: date_logon_process_file_signature_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.file?.signature?.created_time != null && ctx.ocsf.logon_process.file.signature.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.signature.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.file.signature.digest.algorithm_id
+ tag: convert_logon_process_file_signature_digest_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_logon_process_file_signature_digest_value_into_related_hash
+ value: '{{{ocsf.logon_process.file.signature.digest.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.signature?.digest?.value != null
+ - foreach:
+ field: ocsf.logon_process.file.hashes
+ if: ctx.ocsf?.logon_process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_logon_process_file_hashes_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.file.modifier.account.type_id
+ tag: convert_logon_process_file_modifier_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.file.modifier.type_id
+ tag: convert_logon_process_file_modifier_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.file.owner.account.type_id
+ tag: convert_logon_process_file_owner_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.file.owner.type_id
+ tag: convert_logon_process_file_owner_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.file.is_system
+ tag: convert_logon_process_file_is_system_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.file.is_system
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.file.type_id
+ tag: convert_logon_process_file_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.integrity_id
+ tag: convert_logon_process_integrity_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.namespace_pid
+ tag: convert_logon_process_namespace_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.namespace_pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ description: Stringify the parent_process object if its depth_limit is greater than 20.
+ if: ctx.ocsf?.logon_process?.parent_process != null
+ tag: script_logon_process_parent_process_stringify
+ lang: painless
+ source: |-
+ def process = ctx.ocsf.logon_process.parent_process;
+ def count = 0;
+ while (true) {
+ if (process != null && process.parent_process != null) {
+ count += 1;
+ process = process.parent_process;
+ } else {
+ break;
+ }
+ }
+ if (count >= 15) {
+ ctx.ocsf.logon_process.parent_process.put("parent_process_keyword", ctx.ocsf.logon_process.parent_process.parent_process.toString());
+ ctx.ocsf.logon_process.parent_process.remove("parent_process");
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.hash
+ tag: append_logon_process_parent_process_container_hash_value_into_related_hash
+ value: '{{{ocsf.logon_process.parent_process.container.hash.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.container?.hash?.value != null
+ - date:
+ field: ocsf.logon_process.parent_process.file.accessed_time_dt
+ target_field: ocsf.logon_process.parent_process.file.accessed_time_dt
+ tag: date_logon_process_parent_process_file_accessed_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.accessed_time_dt != null && ctx.ocsf.logon_process.parent_process.file.accessed_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.accessed_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.file.accessed_time
+ target_field: ocsf.logon_process.parent_process.file.accessed_time
+ tag: date_logon_process_parent_process_file_accessed_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.accessed_time != null && ctx.ocsf.logon_process.parent_process.file.accessed_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.accessed_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.file.created_time_dt
+ target_field: ocsf.logon_process.parent_process.file.created_time_dt
+ tag: date_logon_process_parent_process_file_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.created_time_dt != null && ctx.ocsf.logon_process.parent_process.file.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.file.created_time
+ target_field: ocsf.logon_process.parent_process.file.created_time
+ tag: date_logon_process_parent_process_file_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.created_time != null && ctx.ocsf.logon_process.parent_process.file.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.logon_process.parent_process.file.hashes
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_logon_process_parent_process_file_hashes_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - date:
+ field: ocsf.logon_process.parent_process.file.modified_time_dt
+ target_field: ocsf.logon_process.parent_process.file.modified_time_dt
+ tag: date_logon_process_parent_process_file_modified_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.modified_time_dt != null && ctx.ocsf.logon_process.parent_process.file.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.file.modified_time
+ target_field: ocsf.logon_process.parent_process.file.modified_time
+ tag: date_logon_process_parent_process_file_modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.modified_time != null && ctx.ocsf.logon_process.parent_process.file.modified_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_owner_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.owner.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.owner?.name != null
+ - convert:
+ field: ocsf.logon_process.parent_process.file.size
+ tag: convert_logon_process_parent_process_file_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_owner_uid_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.owner.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.owner?.uid != null
+ - date:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.expiration_time_dt
+ target_field: ocsf.logon_process.parent_process.file.signature.certificate.expiration_time_dt
+ tag: date_logon_process_parent_process_file_signature_certificate_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.certificate?.expiration_time_dt != null && ctx.ocsf.logon_process.parent_process.file.signature.certificate.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.expiration_time
+ target_field: ocsf.logon_process.parent_process.file.signature.certificate.expiration_time
+ tag: date_logon_process_parent_process_file_signature_certificate_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.certificate?.expiration_time != null && ctx.ocsf.logon_process.parent_process.file.signature.certificate.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.terminated_time_dt
+ target_field: ocsf.logon_process.parent_process.terminated_time_dt
+ tag: date_logon_process_parent_process_terminated_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.terminated_time_dt != null && ctx.ocsf.logon_process.parent_process.terminated_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.terminated_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.terminated_time
+ target_field: ocsf.logon_process.parent_process.terminated_time
+ tag: date_logon_process_parent_process_terminated_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.terminated_time != null && ctx.ocsf.logon_process.parent_process.terminated_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.terminated_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.parent_process.egid
+ tag: convert_logon_process_parent_process_egid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.pid
+ tag: convert_logon_process_parent_process_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.created_time_dt
+ target_field: ocsf.logon_process.parent_process.created_time_dt
+ tag: date_logon_process_parent_process_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.created_time_dt != null && ctx.ocsf.logon_process.parent_process.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.created_time
+ target_field: ocsf.logon_process.parent_process.created_time
+ tag: date_logon_process_parent_process_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.created_time != null && ctx.ocsf.logon_process.parent_process.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.parent_process.tid
+ tag: convert_logon_process_parent_process_tid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.tid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_user_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.user.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.user?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_user_full_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.user.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.user?.full_name != null
+ - convert:
+ field: ocsf.logon_process.parent_process.euid
+ tag: convert_logon_process_parent_process_euid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_euid_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.euid != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_uid_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.user?.uid != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_user_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.user.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.user?.name != null
+ - convert:
+ field: ocsf.logon_process.parent_process.container.hash.algorithm_id
+ tag: convert_logon_process_parent_process_container_hash_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.auid
+ tag: convert_logon_process_parent_process_auid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.container.size
+ tag: convert_logon_process_parent_process_container_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.container.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.parent_process.file.accessor.account.type_id
+ tag: convert_logon_process_parent_process_file_accessor_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_accessor_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.accessor.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.accessor?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_accessor_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.accessor.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.accessor?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_accessor_full_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.accessor.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.accessor?.full_name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_accessor_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.accessor.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.accessor?.name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_accessor_uid_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.accessor.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.accessor?.uid != null
+ - convert:
+ field: ocsf.logon_process.parent_process.file.accessor.type_id
+ tag: convert_logon_process_parent_process_file_accessor_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.file.attributes
+ tag: convert_logon_process_parent_process_file_attributes_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.attributes
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.parent_process.file.confidentiality_id
+ tag: convert_logon_process_parent_process_file_confidentiality_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.file.creator.account.type_id
+ tag: convert_logon_process_parent_process_file_creator_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.file.creator.type_id
+ tag: convert_logon_process_parent_process_file_creator_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_logon_process_parent_process_file_signature_certificate_fingerprints_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_logon_process_parent_process_file_signature_certificate_fingerprints_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.logon_process.parent_process.file.signature.algorithm_id
+ tag: convert_logon_process_parent_process_file_signature_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_logon_process_parent_process_file_signature_value_into_related_hash
+ value: '{{{ocsf.logon_process.parent_process.file.signature.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.value != null
+ - date:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.created_time_dt
+ target_field: ocsf.logon_process.parent_process.file.signature.certificate.created_time_dt
+ tag: date_logon_process_parent_process_file_signature_certificate_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.certificate?.created_time_dt != null && ctx.ocsf.logon_process.parent_process.file.signature.certificate.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.created_time
+ target_field: ocsf.logon_process.parent_process.file.signature.certificate.created_time
+ tag: date_logon_process_parent_process_file_signature_certificate_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.certificate?.created_time != null && ctx.ocsf.logon_process.parent_process.file.signature.certificate.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.signature.certificate.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.file.signature.created_time_dt
+ target_field: ocsf.logon_process.parent_process.file.signature.created_time_dt
+ tag: date_logon_process_parent_process_file_signature_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.created_time_dt != null && ctx.ocsf.logon_process.parent_process.file.signature.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.signature.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.file.signature.created_time
+ target_field: ocsf.logon_process.parent_process.file.signature.created_time
+ tag: date_logon_process_parent_process_file_signature_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.created_time != null && ctx.ocsf.logon_process.parent_process.file.signature.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.signature.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.parent_process.file.signature.digest.algorithm_id
+ tag: convert_logon_process_parent_process_file_signature_digest_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_logon_process_parent_process_file_signature_digest_value_into_related_hash
+ value: '{{{ocsf.logon_process.parent_process.file.signature.digest.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.signature?.digest?.value != null
+ - foreach:
+ field: ocsf.logon_process.parent_process.file.hashes
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_logon_process_parent_process_file_hashes_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.file.modifier.account.type_id
+ tag: convert_logon_process_parent_process_file_modifier_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.file.modifier.type_id
+ tag: convert_logon_process_parent_process_file_modifier_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.file.owner.account.type_id
+ tag: convert_logon_process_parent_process_file_owner_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.file.owner.type_id
+ tag: convert_logon_process_parent_process_file_owner_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.file.is_system
+ tag: convert_logon_process_parent_process_file_is_system_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.file.is_system
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.parent_process.file.type_id
+ tag: convert_logon_process_parent_process_file_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.integrity_id
+ tag: convert_logon_process_parent_process_integrity_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.namespace_pid
+ tag: convert_logon_process_parent_process_namespace_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.namespace_pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.session.created_time_dt
+ target_field: ocsf.logon_process.parent_process.session.created_time_dt
+ tag: date_logon_process_parent_process_session_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.session?.created_time_dt != null && ctx.ocsf.logon_process.parent_process.session.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.session.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.session.created_time
+ target_field: ocsf.logon_process.parent_process.session.created_time
+ tag: date_logon_process_parent_process_session_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.session?.created_time != null && ctx.ocsf.logon_process.parent_process.session.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.session.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.session.expiration_time_dt
+ target_field: ocsf.logon_process.parent_process.session.expiration_time_dt
+ tag: date_logon_process_parent_process_session_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.parent_process?.session?.expiration_time_dt != null && ctx.ocsf.logon_process.parent_process.session.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.session.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.parent_process.session.expiration_time
+ target_field: ocsf.logon_process.parent_process.session.expiration_time
+ tag: date_logon_process_parent_process_session_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.parent_process?.session?.expiration_time != null && ctx.ocsf.logon_process.parent_process.session.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.session.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.parent_process.session.mfa
+ tag: convert_logon_process_parent_process_session_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.session.mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.parent_process.session.is_remote
+ tag: convert_logon_process_parent_process_session_is_remote_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.parent_process.session.is_remote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.parent_process.user.account.type_id
+ tag: convert_logon_process_parent_process_user_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.parent_process.user.type_id
+ tag: convert_logon_process_parent_process_user_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_creator_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.creator.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.creator?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_creator_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.creator.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.creator?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_creator_full_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.creator.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.creator?.full_name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_creator_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.creator.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.creator?.name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_creator_uid_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.creator.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.creator?.uid != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_modifier_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.modifier.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.modifier?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_modifier_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.modifier.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.modifier?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_modifier_full_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.modifier.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.modifier?.full_name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_modifier_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.modifier.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.modifier?.name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_modifier_uid_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.modifier.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.modifier?.uid != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_owner_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.owner.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.owner?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_owner_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.owner.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.owner?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_file_owner_full_name_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.file.owner.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.file?.owner?.full_name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_parent_process_user_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.parent_process.user.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.parent_process?.user?.uid_alt != null
+ - date:
+ field: ocsf.logon_process.session.created_time_dt
+ target_field: ocsf.logon_process.session.created_time_dt
+ tag: date_logon_process_session_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.session?.created_time_dt != null && ctx.ocsf.logon_process.session.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.session.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.session.created_time
+ target_field: ocsf.logon_process.session.created_time
+ tag: date_logon_process_session_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.session?.created_time != null && ctx.ocsf.logon_process.session.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.session.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.session.expiration_time_dt
+ target_field: ocsf.logon_process.session.expiration_time_dt
+ tag: date_logon_process_session_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.logon_process?.session?.expiration_time_dt != null && ctx.ocsf.logon_process.session.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.session.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.logon_process.session.expiration_time
+ target_field: ocsf.logon_process.session.expiration_time
+ tag: date_logon_process_session_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.logon_process?.session?.expiration_time != null && ctx.ocsf.logon_process.session.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.session.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.session.mfa
+ tag: convert_logon_process_session_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.session.mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.session.is_remote
+ tag: convert_logon_process_session_is_remote_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.logon_process.session.is_remote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.logon_process.user.account.type_id
+ tag: convert_logon_process_user_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.logon_process.user.type_id
+ tag: convert_logon_process_user_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_logon_process_file_creator_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.file.creator.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.creator?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_creator_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.file.creator.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.creator?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_creator_full_name_into_related_user
+ value: '{{{ocsf.logon_process.file.creator.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.creator?.full_name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_creator_name_into_related_user
+ value: '{{{ocsf.logon_process.file.creator.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.creator?.name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_creator_uid_into_related_user
+ value: '{{{ocsf.logon_process.file.creator.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.creator?.uid != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_modifier_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.file.modifier.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.modifier?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_modifier_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.file.modifier.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.modifier?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_modifier_full_name_into_related_user
+ value: '{{{ocsf.logon_process.file.modifier.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.modifier?.full_name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_modifier_name_into_related_user
+ value: '{{{ocsf.logon_process.file.modifier.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.modifier?.name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_modifier_uid_into_related_user
+ value: '{{{ocsf.logon_process.file.modifier.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.modifier?.uid != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_owner_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.file.owner.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.owner?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_owner_email_addr_into_related_user
+ value: '{{{ocsf.logon_process.file.owner.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.owner?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_logon_process_file_owner_full_name_into_related_user
+ value: '{{{ocsf.logon_process.file.owner.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.file?.owner?.full_name != null
+ - append:
+ field: related.user
+ tag: append_logon_process_user_uid_alt_into_related_user
+ value: '{{{ocsf.logon_process.user.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.logon_process?.user?.uid_alt != null
+ - convert:
+ field: ocsf.logon_type_id
+ tag: convert_logon_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.is_mfa
+ tag: convert_is_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.is_mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.is_new_logon
+ tag: convert_is_new_logon_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.is_new_logon
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.is_remote
+ tag: convert_is_remote_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.is_remote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: service.name
+ tag: set_service_name
+ copy_from: ocsf.service.name
+ ignore_empty_value: true
+ - set:
+ field: service.id
+ tag: set_service_id
+ copy_from: ocsf.service.uid
+ ignore_empty_value: true
+ - set:
+ field: service.version
+ tag: set_service_version
+ copy_from: ocsf.service.version
+ ignore_empty_value: true
+ - date:
+ field: ocsf.session.created_time_dt
+ tag: date_session_created_time_dt
+ target_field: ocsf.session.created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.session?.created_time_dt != null && ctx.ocsf.session.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.session.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.session.created_time
+ tag: date_session_created_time
+ target_field: ocsf.session.created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.session?.created_time != null && ctx.ocsf.session.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.session.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.session.expiration_time_dt
+ tag: date_session_expiration_time_dt
+ target_field: ocsf.session.expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.session?.expiration_time_dt != null && ctx.ocsf.session.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.session.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.session.expiration_time
+ tag: date_session_expiration_time
+ target_field: ocsf.session.expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.session?.expiration_time != null && ctx.ocsf.session.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.session.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.session.is_remote
+ tag: convert_session_is_remote_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.session.is_remote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.session.mfa
+ tag: convert_session_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.session.mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml
new file mode 100644
index 00000000000..ea4d3455eae
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml
@@ -0,0 +1,238 @@
+---
+description: Pipeline for processing Network Activity category.
+# Network Activity Class docs: https://schema.ocsf.io/1.0.0-rc.3/categories/network
+processors:
+ - convert:
+ field: ocsf.disposition_id
+ tag: convert_disposition_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.answers
+ if: ctx.ocsf?.answers instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.flag_ids
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_answers_flag_ids_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.answers
+ if: ctx.ocsf?.answers instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.packet_uid
+ tag: convert_answers_packet_uid_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.answers
+ if: ctx.ocsf?.answers instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.ttl
+ tag: convert_answers_ttl_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.ttl
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.answers
+ if: ctx.ocsf?.answers instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: dns.answers.data
+ tag: append_answers_data_into_dns_answer_data
+ value: '{{{_ingest._value.rdata}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.answers
+ if: ctx.ocsf?.answers instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: dns.id
+ tag: append_answers_packet_uid_into_dns_id
+ value: '{{{_ingest._value.packet_uid}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.answers
+ if: ctx.ocsf?.answers instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: dns.answers.class
+ tag: append_answers_class_into_dns_answer_class
+ value: '{{{_ingest._value.class}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.answers
+ if: ctx.ocsf?.answers instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: dns.answers.type
+ tag: append_answers_type_into_dns_answer_type
+ value: '{{{_ingest._value.type}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.answers
+ if: ctx.ocsf?.answers instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: dns.answers.ttl
+ tag: append_answers_ttl_into_dns_answer_ttl
+ value: '{{{_ingest._value.ttl}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.query.opcode_id
+ tag: convert_query_opcode_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.query.packet_uid
+ tag: convert_query_packet_uid_to_string
+ type: string
+ ignore_missing: true
+ - set:
+ field: dns.question.name
+ tag: set_dns_question_name
+ copy_from: ocsf.query.hostname
+ ignore_empty_value: true
+ - append:
+ field: dns.id
+ tag: append_query_packet_uid_into_dns_id
+ value: '{{{ocsf.query.packet_uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.query?.packet_uid != null
+ - append:
+ field: dns.question.class
+ tag: append_query_class_into_dns_question_class
+ value: '{{{ocsf.query.class}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.query?.class != null
+ - append:
+ field: dns.question.type
+ tag: append_query_type_into_dns_question_type
+ value: '{{{ocsf.query.type}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.query?.type != null
+ - date:
+ field: ocsf.query_time_dt
+ tag: date_query_time_dt
+ target_field: ocsf.query_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.query_time_dt != null && ctx.ocsf.query_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.query_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.query_time
+ tag: date_query_time
+ target_field: ocsf.query_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.query_time != null && ctx.ocsf.query_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.query_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: dns.response_code
+ tag: set_dns_response_code
+ copy_from: ocsf.rcode
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.rcode_id
+ tag: convert_rcode_id_to_string
+ type: string
+ ignore_missing: true
+ - date:
+ field: ocsf.response_time_dt
+ tag: date_response_time_dt
+ target_field: ocsf.response_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.response_time_dt != null && ctx.ocsf.response_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.response_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.response_time
+ tag: date_response_time
+ target_field: ocsf.response_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.response_time != null && ctx.ocsf.response_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.response_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ lang: painless
+ tag: script_dns_header_flags
+ if: ctx.ocsf?.answers instanceof List
+ params:
+ 'Authoritative Answer': 'AA'
+ 'Authentic Data': 'AD'
+ 'Recursion Desired': 'RD'
+ 'Recursion Available': 'RA'
+ 'Checking Disabled': 'CD'
+ source: >-
+ if (ctx.dns == null) {
+ ctx.dns = new HashMap();
+ }
+ def list = new HashSet();
+ for (def answer : ctx.ocsf.answers) {
+ if (answer.flags != null)
+ {
+ for (int i = 0; i < answer.flags.length; i++) {
+ def flag = answer.flags[i];
+ if(params.containsKey(flag))
+ {
+ list.add(params.get(flag));
+ }
+ }
+ }
+ }
+ ctx.dns.put('header_flags', list);
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
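Review bot: The five `foreach`/`append` processors tagged `append_answers_data_into_dns_answer_data` through `append_answers_ttl_into_dns_answer_ttl` flatten each DNS answer into parallel arrays (`dns.answers.data`, `dns.answers.class`, `dns.answers.type`, `dns.answers.ttl`), so the link between an answer's rdata and its own ttl/type/class is lost, and since none of the inner appends carries an `if` guard like `append_query_packet_uid_into_dns_id` does, an answer that lacks one of those fields will, as far as I can tell, append an empty rendered template and shift the arrays out of alignment. ECS models `dns.answers` as an array of objects, so one script that builds a map per answer and only sets the keys that are present keeps the fields together; the `append_answers_packet_uid_into_dns_id` processor is unaffected and can stay. The sketch below replaces those five processors with such a script and reuses the `on_failure` handler the `script_dns_header_flags` processor already has; the existing `convert_answers_ttl_to_long` processor should remain in front of it so `ttl` is already numeric.
```yaml
  # … unchanged: convert_answers_ttl_to_long foreach …
  - script:
      lang: painless
      tag: script_dns_answers
      if: ctx.ocsf?.answers instanceof List
      source: >-
        if (ctx.dns == null) {
          ctx.dns = new HashMap();
        }
        def answers = new ArrayList();
        for (def answer : ctx.ocsf.answers) {
          if (!(answer instanceof Map)) {
            continue;
          }
          def out = new HashMap();
          if (answer.get('rdata') != null) {
            out.put('data', answer.get('rdata'));
          }
          if (answer.get('class') != null) {
            out.put('class', answer.get('class'));
          }
          if (answer.get('type') != null) {
            out.put('type', answer.get('type'));
          }
          if (answer.get('ttl') != null) {
            out.put('ttl', answer.get('ttl'));
          }
          if (!out.isEmpty()) {
            answers.add(out);
          }
        }
        if (!answers.isEmpty()) {
          ctx.dns.put('answers', answers);
        }
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
  # … unchanged: append_answers_packet_uid_into_dns_id foreach and the rest of the pipeline …
```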
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml
new file mode 100644
index 00000000000..a5d00d6ea70
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml
@@ -0,0 +1,2035 @@
+---
+description: Pipeline for processing Actor object.
+# Actor object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/actor
+processors:
+ - set:
+ field: container.id
+ tag: set_container_id
+ copy_from: ocsf.actor.process.container.uid
+ ignore_empty_value: true
+ - script:
+ description: Set value for container.image.hash.all.
+ if: ctx.ocsf?.actor?.process?.container?.hash?.value != null
+ tag: script_container_image_hash_all
+ lang: painless
+ params:
+ MD5: md5
+ SHA-1: sha1
+ SHA-256: sha256
+ SHA-512: sha512
+ CTPH: ssdeep
+ TLSH: tlsh
+ source: |-
+ if (params.get(ctx.ocsf.actor.process.container.hash.algorithm) == null) {
+ return;
+ }
+ if (ctx.container == null) {
+ ctx.container = new HashMap();
+ }
+ if (ctx.container.image == null) {
+ ctx.container.image = new HashMap();
+ }
+ if (ctx.container.image.hash == null) {
+ ctx.container.image.hash = new HashMap();
+ }
+ def list = new ArrayList();
+ def value = params.get(ctx.ocsf.actor.process.container.hash.algorithm) + ':' + ctx.ocsf.actor.process.container.hash.value;
+ list.add(value);
+ ctx.container.image.hash.all = list;
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.hash
+ tag: append_actor_process_container_hash_value_into_related_hash
+ value: '{{{ocsf.actor.process.container.hash.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.container?.hash?.value != null
+ - set:
+ field: container.image.name
+ tag: set_container_image_name
+ copy_from: ocsf.actor.process.container.image.name
+ ignore_empty_value: true
+ - append:
+ field: container.image.tag
+ tag: append_actor_process_container_image_tag_into_container_image_tag
+ value: '{{{ocsf.actor.process.container.image.tag}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.container?.image?.tag != null
+ - set:
+ field: container.labels
+ tag: set_container_labels
+ copy_from: ocsf.actor.process.container.image.labels
+ ignore_empty_value: true
+ - set:
+ field: orchestrator.type
+ tag: set_orchestrator_type
+ copy_from: ocsf.actor.process.container.orchestrator
+ ignore_empty_value: true
+ - set:
+ field: container.name
+ tag: set_container_name
+ copy_from: ocsf.actor.process.container.name
+ ignore_empty_value: true
+ - set:
+ field: container.runtime
+ tag: set_container_runtime
+ copy_from: ocsf.actor.process.container.runtime
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.file.accessed_time_dt
+ target_field: ocsf.actor.process.file.accessed_time_dt
+ tag: date_actor_process_file_accessed_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.file?.accessed_time_dt != null && ctx.ocsf.actor.process.file.accessed_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.accessed_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.accessed
+ tag: set_file_accessed_from_actor_process_file_accessed_time_dt
+ copy_from: ocsf.actor.process.file.accessed_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.file.accessed_time
+ target_field: ocsf.actor.process.file.accessed_time
+ tag: date_actor_process_file_accessed_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.file?.accessed_time != null && ctx.ocsf.actor.process.file.accessed_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.accessed_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.accessed
+ tag: set_file_accessed_from_actor_process_file_accessed_time
+ copy_from: ocsf.actor.process.file.accessed_time
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.file.created_time_dt
+ target_field: ocsf.actor.process.file.created_time_dt
+ tag: date_actor_process_file_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.file?.created_time_dt != null && ctx.ocsf.actor.process.file.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.created
+ tag: set_file_created_actor_process_file_created_time_dt
+ copy_from: ocsf.actor.process.file.created_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.file.created_time
+ target_field: ocsf.actor.process.file.created_time
+ tag: date_actor_process_file_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.file?.created_time != null && ctx.ocsf.actor.process.file.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.created
+ tag: set_file_created_actor_process_file_created_time
+ copy_from: ocsf.actor.process.file.created_time
+ ignore_empty_value: true
+ - set:
+ field: file.directory
+ tag: set_file_directory
+ copy_from: ocsf.actor.process.file.parent_folder
+ ignore_empty_value: true
+ - script:
+ description: Set value for file.hash.*.
+ if: ctx.ocsf?.actor?.process?.file?.hashes != null
+ tag: script_file_hash_*
+ lang: painless
+ params:
+ MD5: md5
+ SHA-1: sha1
+ SHA-256: sha256
+ SHA-512: sha512
+ CTPH: ssdeep
+ TLSH: tlsh
+ source: |-
+ if (ctx.file == null) {
+ ctx.file = new HashMap();
+ }
+ if (ctx.file.hash == null) {
+ ctx.file.hash = new HashMap();
+ }
+ Map map = new HashMap();
+ def hashes = ctx.ocsf.actor.process.file.get('hashes');
+ for (def hash: hashes) {
+ def hashAlgorithm = params.get(hash.get('algorithm'));
+ if (hashAlgorithm == null) {
+ continue;
+ }
+ if (map.containsKey(hashAlgorithm)) {
+ map[hashAlgorithm].add(hash.get('value'));
+ } else {
+ Set set = new HashSet();
+ set.add(hash.get('value'));
+ map.put(hashAlgorithm, set);
+ }
+ }
+ ctx.file.hash = map;
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.actor.process.file.hashes
+ if: ctx.ocsf?.actor?.process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_actor_process_file_hashes_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - set:
+ field: file.inode
+ tag: set_file_inode
+ copy_from: ocsf.actor.process.file.uid
+ ignore_empty_value: true
+ - set:
+ field: file.mime_type
+ tag: set_file_mime_type
+ copy_from: ocsf.actor.process.file.mime_type
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.file.modified_time_dt
+ target_field: ocsf.actor.process.file.modified_time_dt
+ tag: date_actor_process_file_modified_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.file?.modified_time_dt != null && ctx.ocsf.actor.process.file.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.mtime
+ tag: set_file_mtime_from_actor_process_file_modified_time_dt
+ copy_from: ocsf.actor.process.file.modified_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.file.modified_time
+ target_field: ocsf.actor.process.file.modified_time
+ tag: date_actor_process_file_modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.file?.modified_time != null && ctx.ocsf.actor.process.file.modified_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.mtime
+ tag: set_file_mtime_from_actor_process_file_modified_time
+ copy_from: ocsf.actor.process.file.modified_time
+ ignore_empty_value: true
+ - set:
+ field: file.name
+ tag: set_file_name
+ copy_from: ocsf.actor.process.file.name
+ ignore_empty_value: true
+ - set:
+ field: file.owner
+ tag: set_file_owner
+ copy_from: ocsf.actor.process.file.owner.name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_process_file_owner_name_into_related_user
+ value: '{{{ocsf.actor.process.file.owner.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.owner?.name != null
+ - set:
+ field: file.path
+ tag: set_file_path
+ copy_from: ocsf.actor.process.file.path
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.actor.process.file.size
+ tag: convert_actor_process_file_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.size
+ tag: set_file_size
+ copy_from: ocsf.actor.process.file.size
+ ignore_empty_value: true
+ - set:
+ field: file.type
+ tag: set_file_type
+ copy_from: ocsf.actor.process.file.type
+ ignore_empty_value: true
+ - set:
+ field: file.uid
+ tag: set_file_uid
+ copy_from: ocsf.actor.process.file.owner.uid
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_process_file_owner_uid_into_related_user
+ value: '{{{ocsf.actor.process.file.owner.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.owner?.uid != null
+ - set:
+ field: file.x509.issuer.distinguished_name
+ tag: set_file_x509_issuer_distinguished_name
+ copy_from: ocsf.actor.process.file.signature.certificate.issuer
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.file.signature.certificate.expiration_time_dt
+ target_field: ocsf.actor.process.file.signature.certificate.expiration_time_dt
+ tag: date_actor_process_file_signature_certificate_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.file?.signature?.certificate?.expiration_time_dt != null && ctx.ocsf.actor.process.file.signature.certificate.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.signature.certificate.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.x509.not_after
+ tag: set_file_x509_not_after_from_actor_process_file_signature_certificate_expiration_time_dt
+ copy_from: ocsf.actor.process.file.signature.certificate.expiration_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.file.signature.certificate.expiration_time
+ target_field: ocsf.actor.process.file.signature.certificate.expiration_time
+ tag: date_actor_process_file_signature_certificate_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.file?.signature?.certificate?.expiration_time != null && ctx.ocsf.actor.process.file.signature.certificate.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.signature.certificate.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.x509.not_after
+ tag: set_file_x509_not_after_from_actor_process_file_signature_certificate_expiration_time
+ copy_from: ocsf.actor.process.file.signature.certificate.expiration_time
+ ignore_empty_value: true
+ - set:
+ field: file.x509.serial_number
+ tag: set_file_x509_serial_number
+ copy_from: ocsf.actor.process.file.signature.certificate.serial_number
+ ignore_empty_value: true
+ - set:
+ field: file.x509.subject.distinguished_name
+ tag: set_file_x509_subject_distinguished_name
+ copy_from: ocsf.actor.process.file.signature.certificate.subject
+ ignore_empty_value: true
+ - set:
+ field: file.x509.version_number
+ tag: set_file_x509_version_number
+ copy_from: ocsf.actor.process.file.signature.certificate.version
+ ignore_empty_value: true
+ - set:
+ field: process.command_line
+ tag: set_process_command_line
+ copy_from: ocsf.actor.process.cmd_line
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.terminated_time_dt
+ target_field: ocsf.actor.process.terminated_time_dt
+ tag: date_actor_process_terminated_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.terminated_time_dt != null && ctx.ocsf.actor.process.terminated_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.terminated_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.end
+ tag: set_process_end_from_actor_process_terminated_time_dt
+ copy_from: ocsf.actor.process.terminated_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.terminated_time
+ target_field: ocsf.actor.process.terminated_time
+ tag: date_actor_process_terminated_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.terminated_time != null && ctx.ocsf.actor.process.terminated_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.terminated_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.end
+ tag: set_process_end_from_actor_process_terminated_time
+ copy_from: ocsf.actor.process.terminated_time
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.actor.process.egid
+ tag: convert_actor_process_egid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: process.group.id
+ tag: append_process_group_id_from_actor_process_egid
+ value: '{{{ocsf.actor.process.egid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.egid != null
+ - append:
+ field: process.group.id
+ tag: append_process_group_id_from_actor_process_group_uid
+ value: '{{{ocsf.actor.process.group.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.group?.uid != null
+ - set:
+ field: process.group.name
+ tag: set_process_group_name
+ copy_from: ocsf.actor.process.group.name
+ ignore_empty_value: true
+ - set:
+ field: process.name
+ tag: set_process_name
+ copy_from: ocsf.actor.process.name
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.actor.process.pid
+ tag: convert_actor_process_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.pid
+ tag: set_process_pid
+ copy_from: ocsf.actor.process.pid
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.created_time_dt
+ target_field: ocsf.actor.process.created_time_dt
+ tag: date_actor_process_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.created_time_dt != null && ctx.ocsf.actor.process.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.start
+ tag: set_process_start_from_actor_process_created_time_dt
+ copy_from: ocsf.actor.process.created_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.created_time
+ target_field: ocsf.actor.process.created_time
+ tag: date_actor_process_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.created_time != null && ctx.ocsf.actor.process.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.start
+ tag: set_process_start_from_actor_process_created_time
+ copy_from: ocsf.actor.process.created_time
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.actor.process.tid
+ tag: convert_actor_process_tid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.tid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.thread.id
+ tag: set_process_thread_id
+ copy_from: ocsf.actor.process.tid
+ ignore_empty_value: true
+ - set:
+ field: process.entity_id
+ tag: set_process_entity_id
+ copy_from: ocsf.actor.process.uid
+ ignore_empty_value: true
+ - set:
+ field: process.user.domain
+ tag: set_process_user_domain
+ copy_from: ocsf.actor.process.user.domain
+ ignore_empty_value: true
+ - set:
+ field: process.user.email
+ tag: set_process_user_email
+ copy_from: ocsf.actor.process.user.email_addr
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_process_user_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.user.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.user?.email_addr != null
+ - set:
+ field: process.user.full_name
+ tag: set_process_user_full_name
+ copy_from: ocsf.actor.process.user.full_name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_process_user_full_name_into_related_user
+ value: '{{{ocsf.actor.process.user.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.user?.full_name != null
+ - foreach:
+ field: ocsf.actor.process.user.groups
+ if: ctx.ocsf?.actor?.process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: process.user.group.id
+ tag: append_process_user_group_id
+ value: '{{{_ingest._value.uid}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.actor.process.user.groups
+ if: ctx.ocsf?.actor?.process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: process.user.group.name
+ tag: append_process_user_group_name
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.actor.process.euid
+ tag: convert_actor_process_euid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: process.user.id
+ tag: append_process_user_id_from_actor_process_euid
+ value: '{{{ocsf.actor.process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.euid != null
+ - append:
+ field: related.user
+ tag: append_actor_process_euid_into_related_user
+ value: '{{{ocsf.actor.process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.euid != null
+ - append:
+ field: process.user.id
+ tag: append_process_user_id_from_actor_process_uid
+ value: '{{{ocsf.actor.process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.user?.uid != null
+ - append:
+ field: related.user
+ tag: append_actor_process_uid_into_related_user
+ value: '{{{ocsf.actor.process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.user?.uid != null
+ - set:
+ field: process.user.name
+ tag: set_process_user_name
+ copy_from: ocsf.actor.process.user.name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_process_user_name_into_related_user
+ value: '{{{ocsf.actor.process.user.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.user?.name != null
+ - set:
+ field: user.domain
+ tag: set_user_domain
+ copy_from: ocsf.actor.user.domain
+ ignore_empty_value: true
+ - set:
+ field: user.email
+ tag: set_user_email
+ copy_from: ocsf.actor.user.email_addr
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_user_email_addr_into_related_user
+ value: '{{{ocsf.actor.user.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.user?.email_addr != null
+ - set:
+ field: user.full_name
+ tag: set_user_full_name
+ copy_from: ocsf.actor.user.full_name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_user_full_name_into_related_user
+ value: '{{{ocsf.actor.user.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.user?.full_name != null
+ - foreach:
+ field: ocsf.actor.user.groups
+ if: ctx.ocsf?.actor?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: user.group.id
+ tag: append_user_group_id
+ value: '{{{_ingest._value.uid}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.actor.user.groups
+ if: ctx.ocsf?.actor?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: user.group.name
+ tag: append_user_group_name
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - set:
+ field: user.id
+ tag: set_user_id
+ copy_from: ocsf.actor.user.uid
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_user_uid_into_related_user
+ value: '{{{ocsf.actor.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.user?.uid != null
+ - set:
+ field: user.name
+ tag: set_user_name
+ copy_from: ocsf.actor.user.name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_user_name_into_related_user
+ value: '{{{ocsf.actor.user.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.user?.name != null
+ - convert:
+ field: ocsf.actor.process.container.hash.algorithm_id
+ tag: convert_actor_process_container_hash_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.auid
+ tag: convert_actor_process_auid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.container.size
+ tag: convert_actor_process_container_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.container.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.file.accessor.account.type_id
+ tag: convert_actor_process_file_accessor_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_actor_process_file_accessor_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.file.accessor.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.accessor?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_accessor_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.file.accessor.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.accessor?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_accessor_full_name_into_related_user
+ value: '{{{ocsf.actor.process.file.accessor.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.accessor?.full_name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_accessor_name_into_related_user
+ value: '{{{ocsf.actor.process.file.accessor.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.accessor?.name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_accessor_uid_into_related_user
+ value: '{{{ocsf.actor.process.file.accessor.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.accessor?.uid != null
+ - convert:
+ field: ocsf.actor.process.file.accessor.type_id
+ tag: convert_actor_process_file_accessor_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.file.attributes
+ tag: convert_actor_process_file_attributes_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.attributes
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.file.confidentiality_id
+ tag: convert_actor_process_file_confidentiality_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.file.creator.account.type_id
+ tag: convert_actor_process_file_creator_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.file.creator.type_id
+ tag: convert_actor_process_file_creator_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.actor.process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.actor?.process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_actor_process_file_signature_certificate_fingerprints_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.actor.process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.actor?.process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_actor_process_file_signature_certificate_fingerprints_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.actor.process.file.signature.algorithm_id
+ tag: convert_actor_process_file_signature_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_actor_process_file_signature_value_into_related_hash
+ value: '{{{ocsf.actor.process.file.signature.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.signature?.value != null
+ - date:
+ field: ocsf.actor.process.file.signature.certificate.created_time_dt
+ target_field: ocsf.actor.process.file.signature.certificate.created_time_dt
+ tag: date_actor_process_file_signature_certificate_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.file?.signature?.certificate?.created_time_dt != null && ctx.ocsf.actor.process.file.signature.certificate.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.signature.certificate.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.file.signature.certificate.created_time
+ target_field: ocsf.actor.process.file.signature.certificate.created_time
+ tag: date_actor_process_file_signature_certificate_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.file?.signature?.certificate?.created_time != null && ctx.ocsf.actor.process.file.signature.certificate.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.signature.certificate.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.file.signature.created_time_dt
+ target_field: ocsf.actor.process.file.signature.created_time_dt
+ tag: date_actor_process_file_signature_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.file?.signature?.created_time_dt != null && ctx.ocsf.actor.process.file.signature.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.signature.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.file.signature.created_time
+ target_field: ocsf.actor.process.file.signature.created_time
+ tag: date_actor_process_file_signature_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.file?.signature?.created_time != null && ctx.ocsf.actor.process.file.signature.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.signature.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.file.signature.digest.algorithm_id
+ tag: convert_actor_process_file_signature_digest_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_actor_process_file_signature_digest_value_into_related_hash
+ value: '{{{ocsf.actor.process.file.signature.digest.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.signature?.digest?.value != null
+ - foreach:
+ field: ocsf.actor.process.file.hashes
+ if: ctx.ocsf?.actor?.process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_actor_process_file_hashes_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.file.modifier.account.type_id
+ tag: convert_actor_process_file_modifier_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.file.modifier.type_id
+ tag: convert_actor_process_file_modifier_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.file.owner.account.type_id
+ tag: convert_actor_process_file_owner_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.file.owner.type_id
+ tag: convert_actor_process_file_owner_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.file.is_system
+ tag: convert_actor_process_file_is_system_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.file.is_system
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.file.type_id
+ tag: convert_actor_process_file_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.integrity_id
+ tag: convert_actor_process_integrity_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.namespace_pid
+ tag: convert_actor_process_namespace_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.namespace_pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ description: Stringify the parent_process object if its depth_limit is greater than 20.
+ if: ctx.ocsf?.actor?.process?.parent_process != null
+ tag: script_actor_process_parent_process_stringify
+ lang: painless
+ source: |-
+ def process = ctx.ocsf.actor.process.parent_process;
+ def count = 0;
+ while (true) {
+ if (process != null && process.parent_process != null) {
+ count += 1;
+ process = process.parent_process;
+ } else {
+ break;
+ }
+ }
+ if (count >= 15) {
+ ctx.ocsf.actor.process.parent_process.put("parent_process_keyword", ctx.ocsf.actor.process.parent_process.parent_process.toString());
+ ctx.ocsf.actor.process.parent_process.remove("parent_process");
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.hash
+ tag: append_actor_process_parent_process_container_hash_value_into_related_hash
+ value: '{{{ocsf.actor.process.parent_process.container.hash.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.container?.hash?.value != null
+ - date:
+ field: ocsf.actor.process.parent_process.file.accessed_time_dt
+ target_field: ocsf.actor.process.parent_process.file.accessed_time_dt
+ tag: date_actor_process_parent_process_file_accessed_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.accessed_time_dt != null && ctx.ocsf.actor.process.parent_process.file.accessed_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.accessed_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.file.accessed_time
+ target_field: ocsf.actor.process.parent_process.file.accessed_time
+ tag: date_actor_process_parent_process_file_accessed_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.accessed_time != null && ctx.ocsf.actor.process.parent_process.file.accessed_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.accessed_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.file.created_time_dt
+ target_field: ocsf.actor.process.parent_process.file.created_time_dt
+ tag: date_actor_process_parent_process_file_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.created_time_dt != null && ctx.ocsf.actor.process.parent_process.file.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.file.created_time
+ target_field: ocsf.actor.process.parent_process.file.created_time
+ tag: date_actor_process_parent_process_file_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.created_time != null && ctx.ocsf.actor.process.parent_process.file.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.actor.process.parent_process.file.hashes
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_actor_process_parent_process_file_hashes_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - date:
+ field: ocsf.actor.process.parent_process.file.modified_time_dt
+ target_field: ocsf.actor.process.parent_process.file.modified_time_dt
+ tag: date_actor_process_parent_process_file_modified_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.modified_time_dt != null && ctx.ocsf.actor.process.parent_process.file.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.file.modified_time
+ target_field: ocsf.actor.process.parent_process.file.modified_time
+ tag: date_actor_process_parent_process_file_modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.modified_time != null && ctx.ocsf.actor.process.parent_process.file.modified_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_owner_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.owner.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.owner?.name != null
+ - convert:
+ field: ocsf.actor.process.parent_process.file.size
+ tag: convert_actor_process_parent_process_file_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_owner_uid_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.owner.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.owner?.uid != null
+ - date:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt
+ target_field: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt
+ tag: date_actor_process_parent_process_file_signature_certificate_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.certificate?.expiration_time_dt != null && ctx.ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time
+ target_field: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time
+ tag: date_actor_process_parent_process_file_signature_certificate_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.certificate?.expiration_time != null && ctx.ocsf.actor.process.parent_process.file.signature.certificate.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.command_line
+ tag: set_process_parent_command_line
+ copy_from: ocsf.actor.process.parent_process.cmd_line
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.parent_process.terminated_time_dt
+ target_field: ocsf.actor.process.parent_process.terminated_time_dt
+ tag: date_actor_process_parent_process_terminated_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.terminated_time_dt != null && ctx.ocsf.actor.process.parent_process.terminated_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.terminated_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.end
+ tag: set_process_parent_end_from_actor_process_parent_process_terminated_time_dt
+ copy_from: ocsf.actor.process.parent_process.terminated_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.parent_process.terminated_time
+ target_field: ocsf.actor.process.parent_process.terminated_time
+ tag: date_actor_process_parent_process_terminated_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.terminated_time != null && ctx.ocsf.actor.process.parent_process.terminated_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.terminated_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.end
+ tag: set_process_parent_process_end_from_actor_process_terminated_time
+ copy_from: ocsf.actor.process.parent_process.terminated_time
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.actor.process.parent_process.egid
+ tag: convert_actor_process_parent_process_egid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: process.parent.group.id
+ tag: append_process_parent_group_id_from_actor_process_parent_process_egid
+ value: '{{{ocsf.actor.process.parent_process.egid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.egid != null
+ - append:
+ field: process.parent.group.id
+ tag: append_process_parent_group_id_from_actor_process_parent_process_group_uid
+ value: '{{{ocsf.actor.process.parent_process.group.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.group?.uid != null
+ - set:
+ field: process.parent.group.name
+ tag: set_process_parent_group_name
+ copy_from: ocsf.actor.process.parent_process.group.name
+ ignore_empty_value: true
+ - set:
+ field: process.parent.name
+ tag: set_process_parent_name
+ copy_from: ocsf.actor.process.parent_process.name
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.actor.process.parent_process.pid
+ tag: convert_actor_process_parent_process_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.pid
+ tag: set_process_parent_pid
+ copy_from: ocsf.actor.process.parent_process.pid
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.parent_process.created_time_dt
+ target_field: ocsf.actor.process.parent_process.created_time_dt
+ tag: date_actor_process_parent_process_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.created_time_dt != null && ctx.ocsf.actor.process.parent_process.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.start
+ tag: set_process_parent_start_from_actor_process_parent_process_created_time_dt
+ copy_from: ocsf.actor.process.parent_process.created_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.actor.process.parent_process.created_time
+ target_field: ocsf.actor.process.parent_process.created_time
+ tag: date_actor_process_parent_process_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.created_time != null && ctx.ocsf.actor.process.parent_process.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.start
+ tag: set_process_parent_process_start_from_actor_process_created_time
+ copy_from: ocsf.actor.process.parent_process.created_time
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.actor.process.parent_process.tid
+ tag: convert_actor_process_parent_process_tid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.tid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.thread.id
+ tag: set_process_parent_thread_id
+ copy_from: ocsf.actor.process.parent_process.tid
+ ignore_empty_value: true
+ - set:
+ field: process.parent.entity_id
+ tag: set_process_parent_entity_id
+ copy_from: ocsf.actor.process.parent_process.uid
+ ignore_empty_value: true
+ - set:
+ field: process.parent.user.domain
+ tag: set_process_parent_user_domain
+ copy_from: ocsf.actor.process.parent_process.user.domain
+ ignore_empty_value: true
+ - set:
+ field: process.parent.user.email
+ tag: set_process_parent_user_email
+ copy_from: ocsf.actor.process.parent_process.user.email_addr
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_user_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.user.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.user?.email_addr != null
+ - set:
+ field: process.parent.user.full_name
+ tag: set_process_parent_user_full_name
+ copy_from: ocsf.actor.process.parent_process.user.full_name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_user_full_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.user.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.user?.full_name != null
+ - foreach:
+ field: ocsf.actor.process.parent_process.user.groups
+ if: ctx.ocsf?.actor?.process?.parent_process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: process.parent.user.group.id
+ tag: append_process_parent_user_group_id
+ value: '{{{_ingest._value.uid}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.actor.process.parent_process.user.groups
+ if: ctx.ocsf?.actor?.process?.parent_process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: process.parent.user.group.name
+ tag: append_process_parent_user_group_name
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.actor.process.parent_process.euid
+ tag: convert_actor_process_parent_process_euid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: process.parent.user.id
+ tag: append_process_parent_user_id_from_actor_process_parent_process_euid
+ value: '{{{ocsf.actor.process.parent_process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.euid != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_euid_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.euid != null
+ - append:
+ field: process.parent.user.id
+ tag: append_process_parent_user_id_from_actor_process_parent_process_uid
+ value: '{{{ocsf.actor.process.parent_process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.user?.uid != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_uid_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.user?.uid != null
+ - set:
+ field: process.parent.user.name
+ tag: set_process_parnt_user_name
+ copy_from: ocsf.actor.process.parent_process.user.name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_user_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.user.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.user?.name != null
+ - convert:
+ field: ocsf.actor.process.parent_process.container.hash.algorithm_id
+ tag: convert_actor_process_parent_process_container_hash_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.auid
+ tag: convert_actor_process_parent_process_auid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.container.size
+ tag: convert_actor_process_parent_process_container_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.container.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.parent_process.file.accessor.account.type_id
+ tag: convert_actor_process_parent_process_file_accessor_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_accessor_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.accessor.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.accessor?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_accessor_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.accessor.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.accessor?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_accessor_full_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.accessor.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.accessor?.full_name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_accessor_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.accessor.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.accessor?.name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_accessor_uid_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.accessor.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.accessor?.uid != null
+ - convert:
+ field: ocsf.actor.process.parent_process.file.accessor.type_id
+ tag: convert_actor_process_parent_process_file_accessor_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.file.attributes
+ tag: convert_actor_process_parent_process_file_attributes_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.attributes
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.parent_process.file.confidentiality_id
+ tag: convert_actor_process_parent_process_file_confidentiality_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.file.creator.account.type_id
+ tag: convert_actor_process_parent_process_file_creator_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.file.creator.type_id
+ tag: convert_actor_process_parent_process_file_creator_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_actor_process_parent_process_file_signature_certificate_fingerprints_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_actor_process_parent_process_file_signature_certificate_fingerprints_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.actor.process.parent_process.file.signature.algorithm_id
+ tag: convert_actor_process_parent_process_file_signature_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_actor_process_parent_process_file_signature_value_into_related_hash
+ value: '{{{ocsf.actor.process.parent_process.file.signature.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.value != null
+ - date:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt
+ target_field: ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt
+ tag: date_actor_process_parent_process_file_signature_certificate_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.certificate?.created_time_dt != null && ctx.ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.created_time
+ target_field: ocsf.actor.process.parent_process.file.signature.certificate.created_time
+ tag: date_actor_process_parent_process_file_signature_certificate_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.certificate?.created_time != null && ctx.ocsf.actor.process.parent_process.file.signature.certificate.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.signature.certificate.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.file.signature.created_time_dt
+ target_field: ocsf.actor.process.parent_process.file.signature.created_time_dt
+ tag: date_actor_process_parent_process_file_signature_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.created_time_dt != null && ctx.ocsf.actor.process.parent_process.file.signature.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.signature.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.file.signature.created_time
+ target_field: ocsf.actor.process.parent_process.file.signature.created_time
+ tag: date_actor_process_parent_process_file_signature_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.created_time != null && ctx.ocsf.actor.process.parent_process.file.signature.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.signature.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.parent_process.file.signature.digest.algorithm_id
+ tag: convert_actor_process_parent_process_file_signature_digest_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_actor_process_parent_process_file_signature_digest_value_into_related_hash
+ value: '{{{ocsf.actor.process.parent_process.file.signature.digest.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.signature?.digest?.value != null
+ - foreach:
+ field: ocsf.actor.process.parent_process.file.hashes
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_actor_process_parent_process_file_hashes_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.file.modifier.account.type_id
+ tag: convert_actor_process_parent_process_file_modifier_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.file.modifier.type_id
+ tag: convert_actor_process_parent_process_file_modifier_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.file.owner.account.type_id
+ tag: convert_actor_process_parent_process_file_owner_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.file.owner.type_id
+ tag: convert_actor_process_parent_process_file_owner_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.file.is_system
+ tag: convert_actor_process_parent_process_file_is_system_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.file.is_system
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.parent_process.file.type_id
+ tag: convert_actor_process_parent_process_file_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.integrity_id
+ tag: convert_actor_process_parent_process_integrity_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.namespace_pid
+ tag: convert_actor_process_parent_process_namespace_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.namespace_pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.session.created_time_dt
+ target_field: ocsf.actor.process.parent_process.session.created_time_dt
+ tag: date_actor_process_parent_process_session_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.session?.created_time_dt != null && ctx.ocsf.actor.process.parent_process.session.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.session.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.session.created_time
+ target_field: ocsf.actor.process.parent_process.session.created_time
+ tag: date_actor_process_parent_process_session_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.session?.created_time != null && ctx.ocsf.actor.process.parent_process.session.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.session.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.session.expiration_time_dt
+ target_field: ocsf.actor.process.parent_process.session.expiration_time_dt
+ tag: date_actor_process_parent_process_session_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.parent_process?.session?.expiration_time_dt != null && ctx.ocsf.actor.process.parent_process.session.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.session.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.parent_process.session.expiration_time
+ target_field: ocsf.actor.process.parent_process.session.expiration_time
+ tag: date_actor_process_parent_process_session_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.parent_process?.session?.expiration_time != null && ctx.ocsf.actor.process.parent_process.session.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.session.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.parent_process.session.mfa
+ tag: convert_actor_process_parent_process_session_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.session.mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.parent_process.session.is_remote
+ tag: convert_actor_process_parent_process_session_is_remote_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.parent_process.session.is_remote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.parent_process.user.account.type_id
+ tag: convert_actor_process_parent_process_user_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.parent_process.user.type_id
+ tag: convert_actor_process_parent_process_user_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_creator_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.creator.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.creator?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_creator_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.creator.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.creator?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_creator_full_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.creator.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.creator?.full_name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_creator_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.creator.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.creator?.name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_creator_uid_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.creator.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.creator?.uid != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_modifier_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.modifier.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.modifier?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_modifier_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.modifier.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.modifier?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_modifier_full_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.modifier.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.modifier?.full_name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_modifier_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.modifier.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.modifier?.name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_modifier_uid_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.modifier.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.modifier?.uid != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_owner_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.owner.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.owner?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_owner_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.owner.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.owner?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_file_owner_full_name_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.file.owner.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.file?.owner?.full_name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_parent_process_user_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.parent_process.user.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.parent_process?.user?.uid_alt != null
+ - date:
+ field: ocsf.actor.process.session.created_time_dt
+ target_field: ocsf.actor.process.session.created_time_dt
+ tag: date_actor_process_session_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.session?.created_time_dt != null && ctx.ocsf.actor.process.session.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.session.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.session.created_time
+ target_field: ocsf.actor.process.session.created_time
+ tag: date_actor_process_session_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.session?.created_time != null && ctx.ocsf.actor.process.session.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.session.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.session.expiration_time_dt
+ target_field: ocsf.actor.process.session.expiration_time_dt
+ tag: date_actor_process_session_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.process?.session?.expiration_time_dt != null && ctx.ocsf.actor.process.session.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.session.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.process.session.expiration_time
+ target_field: ocsf.actor.process.session.expiration_time
+ tag: date_actor_process_session_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.process?.session?.expiration_time != null && ctx.ocsf.actor.process.session.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.session.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.session.mfa
+ tag: convert_actor_process_session_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.session.mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.session.is_remote
+ tag: convert_actor_process_session_is_remote_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.process.session.is_remote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.process.user.account.type_id
+ tag: convert_actor_process_user_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.process.user.type_id
+ tag: convert_actor_process_user_type_id_to_string
+ type: string
+ ignore_missing: true
+ - date:
+ field: ocsf.actor.session.created_time_dt
+ target_field: ocsf.actor.session.created_time_dt
+ tag: date_actor_session_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.session?.created_time_dt != null && ctx.ocsf.actor.session.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.session.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.session.created_time
+ target_field: ocsf.actor.session.created_time
+ tag: date_actor_session_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.session?.created_time != null && ctx.ocsf.actor.session.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.session.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.session.expiration_time_dt
+ target_field: ocsf.actor.session.expiration_time_dt
+ tag: date_actor_session_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.actor?.session?.expiration_time_dt != null && ctx.ocsf.actor.session.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.session.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.actor.session.expiration_time
+ target_field: ocsf.actor.session.expiration_time
+ tag: date_actor_session_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.actor?.session?.expiration_time != null && ctx.ocsf.actor.session.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.actor.session.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.session.mfa
+ tag: convert_actor_session_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.session.mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.session.is_remote
+ tag: convert_actor_session_is_remote_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.actor.session.is_remote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.actor.user.account.type_id
+ tag: convert_actor_user_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.actor.user.type_id
+ tag: convert_actor_user_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_actor_process_file_creator_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.file.creator.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.creator?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_creator_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.file.creator.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.creator?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_creator_full_name_into_related_user
+ value: '{{{ocsf.actor.process.file.creator.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.creator?.full_name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_creator_name_into_related_user
+ value: '{{{ocsf.actor.process.file.creator.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.creator?.name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_creator_uid_into_related_user
+ value: '{{{ocsf.actor.process.file.creator.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.creator?.uid != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_modifier_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.file.modifier.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.modifier?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_modifier_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.file.modifier.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.modifier?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_modifier_full_name_into_related_user
+ value: '{{{ocsf.actor.process.file.modifier.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.modifier?.full_name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_modifier_name_into_related_user
+ value: '{{{ocsf.actor.process.file.modifier.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.modifier?.name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_modifier_uid_into_related_user
+ value: '{{{ocsf.actor.process.file.modifier.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.modifier?.uid != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_owner_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.file.owner.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.owner?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_owner_email_addr_into_related_user
+ value: '{{{ocsf.actor.process.file.owner.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.owner?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_actor_process_file_owner_full_name_into_related_user
+ value: '{{{ocsf.actor.process.file.owner.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.file?.owner?.full_name != null
+ - append:
+ field: related.user
+ tag: append_actor_process_user_uid_alt_into_related_user
+ value: '{{{ocsf.actor.process.user.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.process?.user?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_actor_user_uid_alt_into_related_user
+ value: '{{{ocsf.actor.user.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.actor?.user?.uid_alt != null
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml
new file mode 100644
index 00000000000..2776f5f575d
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml
@@ -0,0 +1,59 @@
+---
+description: Pipeline for processing Attack object.
+# Attack object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/attack
+processors:
+ - foreach:
+ field: ocsf.attacks
+ if: ctx.ocsf?.attacks instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.tactics
+ ignore_failure: true
+ processor:
+ append:
+ field: threat.tactic.id
+ value: '{{{_ingest._value.uid}}}'
+ tag: append_attacks_tactics_uid_into_threat_tactic_id
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.attacks
+ if: ctx.ocsf?.attacks instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.tactics
+ ignore_failure: true
+ processor:
+ append:
+ field: threat.tactic.name
+ value: '{{{_ingest._value.name}}}'
+ tag: append_attacks_tactics_name_into_threat_tactic_name
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.attacks
+ if: ctx.ocsf?.attacks instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: threat.technique.name
+ value: '{{{_ingest._value.technique.name}}}'
+ tag: append_attacks_technique_name_into_threat_technique_name
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.attacks
+ if: ctx.ocsf?.attacks instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: threat.technique.id
+ value: '{{{_ingest._value.technique.uid}}}'
+ tag: append_attacks_technique_uid_into_threat_technique_id
+ allow_duplicates: false
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
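Review bot: The four `foreach` appends have no null guard on the element they read, so an `ocsf.attacks` entry that lacks `technique` (or a tactic that lacks `uid`/`name`) still appends a value — Mustache renders a missing path as an empty string, so `threat.technique.id`, `threat.technique.name`, `threat.tactic.id` and `threat.tactic.name` can end up holding `""`, which then pollutes any detection rule or correlation keyed on those ECS fields. The sibling pipelines in this change guard every `related.*` append with an `if` (e.g. `if: ctx.ocsf?.actor?.user?.uid_alt != null`); the same belongs on each inner `append` here, e.g. `if: ctx._ingest._value?.technique?.uid != null` for the technique id and `if: ctx._ingest._value?.uid != null` inside the tactics loop. Because `ignore_failure: true` is set on every `foreach`, a malformed `attacks` element is dropped silently rather than recorded in `error.message`; if that is intentional, a one-line comment above the first `foreach` saying so (`# attacks entries are best-effort: malformed entries are skipped, not reported`) would save the next reader from treating it as an oversight.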
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml
new file mode 100644
index 00000000000..5964cbeb6b4
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml
@@ -0,0 +1,649 @@
+---
+description: Pipeline for processing Device object.
+# Device object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/device
+processors:
+ - set:
+ field: host.domain
+ copy_from: ocsf.device.domain
+ tag: set_host_domain
+ ignore_empty_value: true
+ - append:
+ field: related.hosts
+ value: '{{{ocsf.device.domain}}}'
+ tag: append_device_domain_into_related_hosts
+ allow_duplicates: false
+ if: ctx.ocsf?.device?.domain != null
+ - set:
+ field: host.geo.city_name
+ copy_from: ocsf.device.location.city
+ tag: set_host_geo_city_name
+ ignore_empty_value: true
+ - set:
+ field: host.geo.continent_name
+ copy_from: ocsf.device.location.continent
+ tag: set_host_geo_continent_name
+ ignore_empty_value: true
+ - set:
+ field: host.geo.country_iso_code
+ copy_from: ocsf.device.location.country
+ tag: set_host_geo_country_iso_code
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.device.location.coordinates
+ tag: convert_device_location_coordinates_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.location.coordinates
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: host.geo.location
+ copy_from: ocsf.device.location.coordinates
+ tag: set_host_geo_location
+ ignore_empty_value: true
+ - set:
+ field: host.geo.name
+ copy_from: ocsf.device.location.desc
+ tag: set_host_geo_name
+ ignore_empty_value: true
+ - set:
+ field: host.geo.postal_code
+ copy_from: ocsf.device.location.postal_code
+ tag: set_host_geo_postal_code
+ ignore_empty_value: true
+ - set:
+ field: host.geo.region_iso_code
+ copy_from: ocsf.device.location.region
+ tag: set_host_geo_region_iso_code
+ ignore_empty_value: true
+ - set:
+ field: host.hostname
+ copy_from: ocsf.device.hostname
+ tag: set_host_hostname
+ ignore_empty_value: true
+ - append:
+ field: related.hosts
+ value: '{{{ocsf.device.hostname}}}'
+ tag: append_device_hostname_into_related_hosts
+ allow_duplicates: false
+ if: ctx.ocsf?.device?.hostname != null
+ - set:
+ field: host.id
+ copy_from: ocsf.device.uid
+ tag: set_host_id
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.device.ip
+ tag: convert_device_ip_to_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.ocsf?.device?.ip != '' || ctx.ocsf.device.ip != '-'
+ on_failure:
+ - remove:
+ field: ocsf.device.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: host.ip
+ value: '{{{ocsf.device.ip}}}'
+ tag: append_device_ip_into_host_ip
+ allow_duplicates: false
+ if: ctx.ocsf?.device?.ip != null
+ - append:
+ field: related.ip
+ value: '{{{ocsf.device.ip}}}'
+ tag: append_device_ip_into_related_ip
+ allow_duplicates: false
+ if: ctx.ocsf?.device?.ip != null
+ - gsub:
+ field: ocsf.device.mac
+ pattern: '[:.]'
+ replacement: '-'
+ tag: gsub_device_mac
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - uppercase:
+ field: ocsf.device.mac
+ tag: uppercase_device_mac
+ ignore_missing: true
+ if: ctx.ocsf?.device?.mac != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: host.mac
+ value: '{{{ocsf.device.mac}}}'
+ tag: append_device_ip_into_host_mac
+ allow_duplicates: false
+ if: ctx.ocsf?.device?.mac != null
+ - lowercase:
+ field: ocsf.device.name
+ target_field: host.name
+ tag: lowercase_host_name
+ ignore_missing: true
+ if: ctx.ocsf?.device?.name != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.name
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.hosts
+ value: '{{{ocsf.device.name}}}'
+ tag: append_device_name_into_related_hosts
+ allow_duplicates: false
+ if: ctx.ocsf?.device?.name != null
+ - set:
+ field: host.os.name
+ copy_from: ocsf.device.os.name
+ tag: set_host_os_name
+ ignore_empty_value: true
+ - set:
+ field: host.os.type
+ copy_from: ocsf.device.os.type
+ tag: set_host_os_type
+ ignore_empty_value: true
+ if: ctx.ocsf?.device?.os?.type != null && ['Linux','Windows','Android','macOS','iOS'].contains(ctx.ocsf.device.os.type)
+ - lowercase:
+ field: host.os.type
+ tag: lowercase_host_os_type
+ ignore_missing: true
+ if: ctx.host?.os?.type != ''
+ on_failure:
+ - remove:
+ field: host.os.type
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: host.os.version
+ copy_from: ocsf.device.os.build
+ tag: set_host_os_version
+ ignore_empty_value: true
+ - set:
+ field: host.risk.static_level
+ copy_from: ocsf.device.risk_level
+ tag: set_host_risk_static_level
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.device.risk_score
+ tag: convert_device_risk_score_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.risk_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: host.risk.static_score
+ copy_from: ocsf.device.risk_score
+ tag: set_host_risk_static_score
+ ignore_empty_value: true
+ - set:
+ field: host.type
+ copy_from: ocsf.device.type
+ tag: set_host_type
+ ignore_empty_value: true
+ - set:
+ field: network.vlan.id
+ copy_from: ocsf.device.vlan_uid
+ tag: set_network_vlan_id
+ ignore_empty_value: true
+ - date:
+ field: ocsf.device.created_time_dt
+ tag: date_device_created_time_dt
+ target_field: ocsf.device.created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.device?.created_time_dt != null && ctx.ocsf.device.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.device.created_time
+ tag: date_device_created_time
+ target_field: ocsf.device.created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.device?.created_time != null && ctx.ocsf.device.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.device.first_seen_time_dt
+ tag: date_device_first_seen_time_dt
+ target_field: ocsf.device.first_seen_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.device?.first_seen_time_dt != null && ctx.ocsf.device.first_seen_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.first_seen_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.device.first_seen_time
+ tag: date_device_first_seen_time
+ target_field: ocsf.device.first_seen_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.device?.first_seen_time != null && ctx.ocsf.device.first_seen_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.first_seen_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.cpu_bits
+ tag: convert_device_hw_info_cpu_bits_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.cpu_bits
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.cpu_cores
+ tag: convert_device_hw_info_cpu_cores_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.cpu_cores
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.cpu_count
+ tag: convert_device_hw_info_cpu_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.cpu_count
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.cpu_speed
+ tag: convert_device_hw_info_cpu_speed_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.cpu_speed
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.desktop_display.color_depth
+ tag: convert_device_hw_info_desktop_display_color_depth_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.desktop_display.color_depth
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.desktop_display.physical_height
+ tag: convert_device_hw_info_desktop_display_physical_height_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.desktop_display.physical_height
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.desktop_display.physical_orientation
+ tag: convert_device_hw_info_desktop_display_physical_orientation_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.desktop_display.physical_orientation
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.desktop_display.physical_width
+ tag: convert_device_hw_info_desktop_display_physical_width_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.desktop_display.physical_width
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.desktop_display.scale_factor
+ tag: convert_device_hw_info_desktop_display_scale_factor_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.desktop_display.scale_factor
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.keyboard_info.function_keys
+ tag: convert_device_hw_info_keyboard_info_function_keys_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.keyboard_info.function_keys
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.keyboard_info.keyboard_subtype
+ tag: convert_device_hw_info_keyboard_info_keyboard_subtype_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.keyboard_info.keyboard_subtype
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.hw_info.ram_size
+ tag: convert_device_hw_info_ram_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.hw_info.ram_size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.is_compliant
+ tag: convert_device_is_compliant_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.is_compliant
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.is_managed
+ tag: convert_device_is_managed_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.is_managed
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.is_personal
+ tag: convert_device_is_personal_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.is_personal
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.is_trusted
+ tag: convert_device_is_trusted_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.is_trusted
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.device.last_seen_time_dt
+ tag: date_device_last_seen_time_dt
+ target_field: ocsf.device.last_seen_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.device?.last_seen_time_dt != null && ctx.ocsf.device.last_seen_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.last_seen_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.device.last_seen_time
+ tag: date_device_last_seen_time
+ target_field: ocsf.device.last_seen_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.device?.last_seen_time != null && ctx.ocsf.device.last_seen_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.last_seen_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.location.is_on_premises
+ tag: convert_device_location_is_on_premises_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.location.is_on_premises
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.device.modified_time_dt
+ tag: date_device_modified_time_dt
+ target_field: ocsf.device.modified_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.device?.modified_time_dt != null && ctx.ocsf.device.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.device.modified_time
+ tag: date_device_modified_time
+ target_field: ocsf.device.modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.device?.modified_time != null && ctx.ocsf.device.modified_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.device.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.device.network_interfaces
+ if: ctx.ocsf?.device?.network_interfaces instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hosts
+ value: '{{{_ingest._value.hostname}}}'
+ tag: append_device_network_interfaces_hostname_into_related_hosts
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.device.network_interfaces
+ if: ctx.ocsf?.device?.network_interfaces instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.ip
+ tag: convert_device_network_interfaces_ip_to_ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.device.network_interfaces
+ if: ctx.ocsf?.device?.network_interfaces instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value.ip}}}'
+ tag: append_device_network_interfaces_ip_into_related_ip
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.device.network_interfaces
+ if: ctx.ocsf?.device?.network_interfaces instanceof List
+ ignore_failure: true
+ processor:
+ gsub:
+ field: _ingest._value.mac
+ pattern: '[:.]'
+ replacement: '-'
+ tag: gsub_device_network_interfaces_mac
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.device.network_interfaces
+ if: ctx.ocsf?.device?.network_interfaces instanceof List
+ ignore_failure: true
+ processor:
+ uppercase:
+ field: _ingest._value.mac
+ tag: uppercase_device_network_interfaces_mac
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.device.network_interfaces
+ if: ctx.ocsf?.device?.network_interfaces instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.type_id
+ tag: convert_device_network_interfaces_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.device.os.cpu_bits
+ tag: convert_device_os_cpu_bits_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.device.os.cpu_bits
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.device.os.sp_ver
+ tag: convert_device_os_sp_ver_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.device.os.type_id
+ tag: convert_device_os_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.device.risk_level_id
+ tag: convert_device_risk_level_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.device.type_id
+ tag: convert_device_type_id_to_string
+ type: string
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
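Review bot: The guard on `convert_device_ip_to_ip` uses `||` where it needs `&&`: `ctx.ocsf?.device?.ip != '' || ctx.ocsf.device.ip != '-'` is true for every value (no string equals both `''` and `'-'`), so a placeholder IP of `''` or `'-'` is still passed to the `ip` converter, fails, and is reported in `error.message` on every such event — exactly the noise the condition was meant to avoid. It should read `if: ctx.ocsf?.device?.ip != null && ctx.ocsf.device.ip != '' && ctx.ocsf.device.ip != '-'`, which also makes the unchecked `ctx.ocsf.device.ip` on the right-hand side safe when `ocsf.device` is absent. Two smaller points in the same file: the tag on the `host.mac` append reads `append_device_ip_into_host_mac` and should be `append_device_mac_into_host_mac` so failure messages point at the right processor, and the `network_interfaces` loops append `{{{_ingest._value.hostname}}}` / `{{{_ingest._value.ip}}}` into `related.hosts` / `related.ip` without a null check, so an interface without those keys contributes an empty string (add `if: ctx._ingest._value?.hostname != null` and the equivalent for `ip`).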
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml
new file mode 100644
index 00000000000..a3aea6c0b5e
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml
@@ -0,0 +1,131 @@
+---
+description: Pipeline for processing Http Request object.
+# Http Request object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/http_request
+processors:
+ - set:
+ field: http.request.id
+ tag: set_http_request_id
+ copy_from: ocsf.http_request.uid
+ ignore_empty_value: true
+ - set:
+ field: http.request.method
+ tag: set_http_request_method
+ copy_from: ocsf.http_request.http_method
+ ignore_empty_value: true
+ - set:
+ field: http.request.referrer
+ tag: set_http_request_referrer
+ copy_from: ocsf.http_request.referrer
+ ignore_empty_value: true
+ - set:
+ field: http.version
+ tag: set_http_version
+ copy_from: ocsf.http_request.version
+ ignore_empty_value: true
+ - set:
+ field: url.domain
+ tag: set_url_domain
+ copy_from: ocsf.http_request.url.hostname
+ ignore_empty_value: true
+ - append:
+ field: related.hosts
+ tag: append_url_domain_into_related_hosts
+ value: '{{{url.domain}}}'
+ allow_duplicates: false
+ if: ctx.url?.domain != null
+ - set:
+ field: url.original
+ tag: set_url_original
+ copy_from: ocsf.http_request.url.url_string
+ ignore_empty_value: true
+ - set:
+ field: url.path
+ tag: set_url_path
+ copy_from: ocsf.http_request.url.path
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.http_request.url.port
+ tag: convert_http_request_url_port_to_long
+ type: long
+ ignore_missing: true
+ if: ctx.ocsf?.http_request?.url?.port != ''
+ on_failure:
+ - remove:
+ field: ocsf.http_request.url.port
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ allow_duplicates: false
+ - set:
+ field: url.port
+ tag: set_url_port
+ copy_from: ocsf.http_request.url.port
+ ignore_empty_value: true
+ - set:
+ field: url.query
+ tag: set_url_query
+ copy_from: ocsf.http_request.url.query_string
+ ignore_empty_value: true
+ - set:
+ field: url.scheme
+ tag: set_url_scheme
+ copy_from: ocsf.http_request.url.scheme
+ ignore_empty_value: true
+ - set:
+ field: url.subdomain
+ tag: set_url_subdomain
+ copy_from: ocsf.http_request.url.subdomain
+ ignore_empty_value: true
+ - user_agent:
+ field: ocsf.http_request.user_agent
+ ignore_missing: true
+ - set:
+ field: user_agent.original
+ tag: set_user_agent_original
+ copy_from: ocsf.http_request.user_agent
+ ignore_empty_value: true
+ - foreach:
+ field: ocsf.http_request.x_forwarded_for
+ if: ctx.ocsf?.http_request?.x_forwarded_for instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_http_request_x_forwarded_for_to_ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.http_request.url.category_ids
+ if: ctx.ocsf?.http_request?.url?.category_ids instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_http_request_url_category_ids_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.http_request.x_forwarded_for
+ if: ctx.ocsf?.http_request?.x_forwarded_for instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.ip
+ tag: append_http_request_x_forwarded_for_into_related_ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
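Review bot: The `- user_agent:` processor on `ocsf.http_request.user_agent` is the only processor in this pipeline without a `tag`, so if user-agent parsing fails the pipeline-level `on_failure` records an `error.message` with an empty tag; add `tag: user_agent_http_request_user_agent` next to `field:` to match the rest of the file. Separately, the first `foreach` over `ocsf.http_request.x_forwarded_for` removes `_ingest._value` when the ip conversion fails, while the later `foreach` that appends `{{{_ingest._value}}}` into `related.ip` has no null guard, so a non-IP entry presumably ends up appended as an empty string; guarding that inner `append` with `if: ctx._ingest?._value != null` would avoid feeding an ip-typed field a blank value.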
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml
new file mode 100644
index 00000000000..2e01c17422e
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml
@@ -0,0 +1,185 @@
+---
+description: Pipeline for processing Malware object.
+# Malware object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/malware
+processors:
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.created_time_dt
+ tag: date_malware_cves_created_time_dt
+ target_field: _ingest._value.created_time_dt
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.created_time_dt
+ ignore_missing: true
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.created_time
+ tag: date_malware_cves_created_time
+ target_field: _ingest._value.created_time
+ formats:
+ - UNIX_MS
+ on_failure:
+ - remove:
+ field: _ingest._value.created_time
+ ignore_missing: true
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.cvss.base_score
+ tag: convert_malware_cves_base_score_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.cvss.base_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.classification_ids
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_malware_classification_ids_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List && ctx.ocsf.class_uid != '2001'
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.score.base
+ tag: append_malware_cves_cvss_base_score_into_vulnerability_score_base
+ value: '{{{_ingest._value.cvss.base_score}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.cvss.overall_score
+ tag: convert_malware_cves_cvss_overall_score_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.cvss.overall_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List && ctx.ocsf.class_uid != '2001'
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.score.version
+ tag: append_malware_cves_cvss_version_into_vulnerability_score_version
+ value: '{{{_ingest._value.cvss.version}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.modified_time_dt
+ tag: date_malware_cves_modified_time_dt
+ target_field: _ingest._value.modified_time_dt
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.modified_time_dt
+ ignore_missing: true
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.modified_time
+ tag: date_malware_cves_modified_time
+ target_field: _ingest._value.modified_time
+ formats:
+ - UNIX_MS
+ on_failure:
+ - remove:
+ field: _ingest._value.modified_time
+ ignore_missing: true
+ - foreach:
+ field: ocsf.malware
+ if: ctx.ocsf?.malware instanceof List && ctx.ocsf.class_uid != '2001'
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.cves
+ ignore_failure: true
+ processor:
+ append:
+ field: vulnerability.id
+ tag: append_malware_cves_uid_into_vulnerability_id
+ value: '{{{_ingest._value.uid}}}'
+ allow_duplicates: false
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
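Review bot: The inner `append` tagged `append_malware_cves_cvss_base_score_into_vulnerability_score_base` renders `{{{_ingest._value.cvss.base_score}}}` without checking that the value exists, so a CVE entry with no `cvss` object appends an empty string to a numeric ECS field; the appends in the sibling object pipelines guard with an `if`, so add `if: ctx._ingest?._value?.cvss?.base_score != null` here and the matching checks on `cvss.version` and `uid` for the `vulnerability.score.version` and `vulnerability.id` appends. The four `date` processors also differ from the `convert` ones in this file: their `on_failure` only removes the field and never appends to `error.message`, so an unparsable `created_time`/`modified_time` is dropped silently; adding the same `append` to `error.message` that the convert processors use would keep the failure visible in the document.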
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml
new file mode 100644
index 00000000000..692e69d8fe7
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml
@@ -0,0 +1,105 @@
+---
+description: Pipeline for processing Network Connection object.
+# Network Connection object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/network_connection_info
+processors:
+ - convert:
+ field: ocsf.connection_info.boundary_id
+ tag: convert_connection_info_boundary_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.connection_info.direction_id
+ tag: convert_connection_info_direction_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.connection_info.protocol_ver_id
+ tag: convert_connection_info_protocol_ver_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.connection_info.protocol_num
+ tag: convert_connection_info_protocol_num_to_long
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.connection_info.tcp_flags
+ tag: convert_connection_info_tcp_flags_to_long
+ type: long
+ ignore_missing: true
+ if: ctx.ocsf?.connection_info?.tcp_flags != ''
+ on_failure:
+ - remove:
+ field: ocsf.connection_info.tcp_flags
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - lowercase:
+ field: ocsf.connection_info.protocol_ver
+ tag: lowercase_ocsf_connection_info_protocol_ver
+ target_field: network.type
+ ignore_missing: true
+ if: ctx.ocsf?.connection_info?.protocol_ver != ''
+ on_failure:
+ - remove:
+ field: ocsf.connection_info.protocol_ver
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - lowercase:
+ field: ocsf.connection_info.protocol_name
+ tag: lowercase_ocsf_connection_info_protocol_name
+ target_field: network.transport
+ ignore_missing: true
+ if: ctx.ocsf?.connection_info?.protocol_name != ''
+ on_failure:
+ - remove:
+ field: ocsf.connection_info.protocol_name
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: network.iana_number
+ tag: set_network_iana_number
+ copy_from: ocsf.connection_info.protocol_num
+ ignore_empty_value: true
+ - append:
+ field: network.direction
+ tag: append_connection_info_boundary_into_network_direction
+ value: internal
+ allow_duplicates: false
+ if: ctx.ocsf?.connection_info?.boundary != null && ctx.ocsf.connection_info.boundary == 'Internal'
+ - append:
+ field: network.direction
+ tag: append_connection_info_boundary_into_network_direction
+ value: external
+ allow_duplicates: false
+ if: ctx.ocsf?.connection_info?.boundary != null && ctx.ocsf.connection_info.boundary == 'External'
+ - append:
+ field: network.direction
+ tag: append_connection_info_direction_into_network_direction
+ value: inbound
+ allow_duplicates: false
+ if: ctx.ocsf?.connection_info?.direction != null && ctx.ocsf.connection_info.direction == 'Inbound'
+ - append:
+ field: network.direction
+ tag: append_connection_info_direction_into_network_direction
+ value: outbound
+ allow_duplicates: false
+ if: ctx.ocsf?.connection_info?.direction != null && ctx.ocsf.connection_info.direction == 'Outbound'
+ - append:
+ field: network.direction
+ tag: append_unknown_value_into_network_direction
+ value: unknown
+ allow_duplicates: false
+ if: (ctx.ocsf?.connection_info?.direction != null && ctx.ocsf.connection_info.direction == 'Unknown') || (ctx.ocsf?.connection_info?.boundary != null && ctx.ocsf.connection_info.boundary == 'Unknown')
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
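Review bot: The `convert` on `ocsf.connection_info.protocol_num` is tagged `convert_connection_info_protocol_num_to_long` but declares `type: string`; since the value is later copied into `network.iana_number` (an ECS keyword) the string type looks intended, so the tag should read `tag: convert_connection_info_protocol_num_to_string`. The two `append` processors writing `internal`/`external` into `network.direction` share the tag `append_connection_info_boundary_into_network_direction`, and the `inbound`/`outbound` pair share `append_connection_info_direction_into_network_direction`, which makes the `error.message` produced by the global `on_failure` ambiguous about which one failed; give each a distinct tag such as `append_connection_info_boundary_internal_into_network_direction`.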
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml
new file mode 100644
index 00000000000..fab55380e74
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml
@@ -0,0 +1,397 @@
+---
+description: Pipeline for processing Network Endpoint object.
+# Network Endpoint object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/network_endpoint
+processors:
+ - append:
+ field: source.domain
+ tag: append_src_endpoint_domain_into_source_domain
+ value: '{{{ocsf.src_endpoint.domain}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.src_endpoint?.domain != null
+ - set:
+ field: source.geo.city_name
+ tag: set_source_geo_city_name
+ copy_from: ocsf.src_endpoint.location.city
+ ignore_empty_value: true
+ - set:
+ field: source.geo.continent_name
+ tag: set_source_geo_continent_name
+ copy_from: ocsf.src_endpoint.location.continent
+ ignore_empty_value: true
+ - foreach:
+ field: ocsf.src_endpoint.location.coordinates
+ if: ctx.ocsf?.src_endpoint?.location?.coordinates instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_src_endpoint_location_coordinates_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.geo.location
+ tag: set_source_geo_location
+ copy_from: ocsf.src_endpoint.location.coordinates
+ ignore_empty_value: true
+ - set:
+ field: source.geo.country_iso_code
+ tag: set_source_geo_country_iso_code
+ copy_from: ocsf.src_endpoint.location.country
+ ignore_empty_value: true
+ - set:
+ field: source.geo.name
+ tag: set_source_geo_name
+ copy_from: ocsf.src_endpoint.location.desc
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.src_endpoint.location.is_on_premises
+ tag: convert_src_endpoint_location_is_on_premises_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.src_endpoint.location.is_on_premises
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.geo.postal_code
+ tag: set_source_geo_postal_code
+ copy_from: ocsf.src_endpoint.location.postal_code
+ ignore_empty_value: true
+ - set:
+ field: source.geo.region_iso_code
+ tag: set_source_geo_region_iso_code
+ copy_from: ocsf.src_endpoint.location.region
+ ignore_empty_value: true
+ - append:
+ field: source.domain
+ tag: append_src_endpoint_hostname_into_source_domain
+ value: '{{{ocsf.src_endpoint.hostname}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.src_endpoint?.hostname != null
+ - foreach:
+ field: source.domain
+ if: ctx.source?.domain instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hosts
+ tag: append_source_domain_into_related_hosts
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.src_endpoint.ip
+ tag: convert_src_endpoint_ip_to_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.ocsf?.src_endpoint?.ip != '' || ctx.ocsf.src_endpoint.ip != '-'
+ on_failure:
+ - remove:
+ field: ocsf.src_endpoint.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.ip
+ tag: append_src_endpoint_ip_into_related_ip
+ value: '{{{ocsf.src_endpoint.ip}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.src_endpoint?.ip != null
+ - set:
+ field: source.ip
+ tag: set_source_ip
+ copy_from: ocsf.src_endpoint.ip
+ ignore_empty_value: true
+ - foreach:
+ field: ocsf.src_endpoint.intermediate_ips
+ if: ctx.ocsf?.src_endpoint?.intermediate_ips instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_src_endpoint_intermediate_ips_to_ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.src_endpoint.intermediate_ips
+ if: ctx.ocsf?.src_endpoint?.intermediate_ips instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.ip
+ tag: append_src_endpoint_intermediate_ips_into_related_ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - gsub:
+ field: ocsf.src_endpoint.mac
+ tag: gsub_src_endpoint_mac
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - uppercase:
+ field: ocsf.src_endpoint.mac
+ tag: uppercase_src_endpoint_mac
+ ignore_missing: true
+ if: ctx.ocsf?.src_endpoint?.mac != ''
+ on_failure:
+ - remove:
+ field: ocsf.src_endpoint.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.mac
+ tag: set_source_mac
+ copy_from: ocsf.src_endpoint.mac
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.src_endpoint.port
+ tag: convert_src_endpoint_port_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.src_endpoint.port
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.port
+ tag: set_source_port
+ copy_from: ocsf.src_endpoint.port
+ ignore_empty_value: true
+ - append:
+ field: network.application
+ tag: append_src_endpoint_svc_name_into_network_application
+ value: '{{{ocsf.src_endpoint.svc_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.src_endpoint?.svc_name != null
+ - append:
+ field: destination.domain
+ tag: append_dst_endpoint_domain_into_destination_domain
+ value: '{{{ocsf.dst_endpoint.domain}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.dst_endpoint?.domain != null
+ - set:
+ field: destination.geo.city_name
+ tag: set_destination_geo_city_name
+ copy_from: ocsf.dst_endpoint.location.city
+ ignore_empty_value: true
+ - set:
+ field: destination.geo.continent_name
+ tag: set_destination_geo_continent_name
+ copy_from: ocsf.dst_endpoint.location.continent
+ ignore_empty_value: true
+ - foreach:
+ field: ocsf.dst_endpoint.location.coordinates
+ if: ctx.ocsf?.dst_endpoint?.location?.coordinates instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_dst_endpoint_location_coordinates_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.geo.location
+ tag: set_destination_geo_location
+ copy_from: ocsf.dst_endpoint.location.coordinates
+ ignore_empty_value: true
+ - set:
+ field: destination.geo.country_iso_code
+ tag: set_destination_geo_country_iso_code
+ copy_from: ocsf.dst_endpoint.location.country
+ ignore_empty_value: true
+ - set:
+ field: destination.geo.name
+ tag: set_destination_geo_name
+ copy_from: ocsf.dst_endpoint.location.desc
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.dst_endpoint.location.is_on_premises
+ tag: convert_dst_endpoint_location_is_on_premises_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.dst_endpoint.location.is_on_premises
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.geo.postal_code
+ tag: set_destination_geo_postal_code
+ copy_from: ocsf.dst_endpoint.location.postal_code
+ ignore_empty_value: true
+ - set:
+ field: destination.geo.region_iso_code
+ tag: set_destination_geo_region_iso_code
+ copy_from: ocsf.dst_endpoint.location.region
+ ignore_empty_value: true
+ - append:
+ field: destination.domain
+ tag: append_dst_endpoint_hostname_into_destination_domain
+ value: '{{{ocsf.dst_endpoint.hostname}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.dst_endpoint?.hostname != null
+ - foreach:
+ field: destination.domain
+ if: ctx.destination?.domain instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hosts
+ tag: append_destination_domain_into_related_hosts
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.dst_endpoint.ip
+ tag: convert_dst_endpoint_ip_to_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.ocsf?.dst_endpoint?.ip != '' || ctx.ocsf.dst_endpoint.ip != '-'
+ on_failure:
+ - remove:
+ field: ocsf.dst_endpoint.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.ip
+ tag: append_dst_endpoint_ip_into_related_ip
+ value: '{{{ocsf.dst_endpoint.ip}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.dst_endpoint?.ip != null
+ - set:
+ field: destination.ip
+ tag: set_destination_ip
+ copy_from: ocsf.dst_endpoint.ip
+ ignore_empty_value: true
+ - foreach:
+ field: ocsf.dst_endpoint.intermediate_ips
+ if: ctx.ocsf?.dst_endpoint?.intermediate_ips instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_dst_endpoint_intermediate_ips_to_ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.dst_endpoint.intermediate_ips
+ if: ctx.ocsf?.dst_endpoint?.intermediate_ips instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.ip
+ tag: append_dst_endpoint_intermediate_ips_into_related_ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - gsub:
+ field: ocsf.dst_endpoint.mac
+ tag: gsub_dst_endpoint_mac
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - uppercase:
+ field: ocsf.dst_endpoint.mac
+ tag: uppercase_dst_endpoint_mac
+ ignore_missing: true
+ if: ctx.ocsf?.dst_endpoint?.mac != ''
+ on_failure:
+ - remove:
+ field: ocsf.dst_endpoint.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.mac
+ tag: set_destination_mac
+ copy_from: ocsf.dst_endpoint.mac
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.dst_endpoint.port
+ tag: convert_dst_endpoint_port_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.dst_endpoint.port
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.port
+ tag: set_destination_port
+ copy_from: ocsf.dst_endpoint.port
+ ignore_empty_value: true
+ - append:
+ field: network.application
+ tag: append_dst_endpoint_domain_svc_name_into_network_application
+ value: '{{{ocsf.dst_endpoint.svc_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.dst_endpoint?.svc_name != null
+ - lowercase:
+ field: network.application
+ tag: lowercase_network_application
+ ignore_missing: true
+ if: ctx.network?.application != ''
+ on_failure:
+ - remove:
+ field: network.application
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
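Review bot: The guard on `convert_src_endpoint_ip_to_ip`, `if: ctx.ocsf?.src_endpoint?.ip != '' || ctx.ocsf.src_endpoint.ip != '-'`, is always true because no value equals both `''` and `'-'`, so the `-` placeholder still reaches the ip conversion and produces an `error.message` on every such event; it should be `if: ctx.ocsf?.src_endpoint?.ip != '' && ctx.ocsf?.src_endpoint?.ip != '-'`, and the same fix applies to `convert_dst_endpoint_ip_to_ip`. Note that once the condition is corrected a `-` value stays in `ocsf.src_endpoint.ip` and is then copied into `related.ip` by `append_src_endpoint_ip_into_related_ip` (and into `source.ip` by `set_source_ip`), whose conditions only test for null, so those processors need the same `!= '-'` check or the placeholder should be removed first; the `dst_endpoint` counterparts have the same shape.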
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml
new file mode 100644
index 00000000000..c8b24af6957
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml
@@ -0,0 +1,1877 @@
+---
+description: Pipeline for processing Process object.
+# Process object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/process
+processors:
+ - set:
+ field: container.id
+ tag: set_container_id
+ copy_from: ocsf.process.container.uid
+ ignore_empty_value: true
+ - script:
+ description: Set value for container.image.hash.all.
+ if: ctx.ocsf?.process?.container?.hash?.value != null
+ tag: script_container_image_hash_all
+ lang: painless
+ params:
+ MD5: md5
+ SHA-1: sha1
+ SHA-256: sha256
+ SHA-512: sha512
+ CTPH: ssdeep
+ TLSH: tlsh
+ source: |-
+ if (params.get(ctx.ocsf.process.container.hash.algorithm) == null) {
+ return;
+ }
+ if (ctx.container == null) {
+ ctx.container = new HashMap();
+ }
+ if (ctx.container.image == null) {
+ ctx.container.image = new HashMap();
+ }
+ if (ctx.container.image.hash == null) {
+ ctx.container.image.hash = new HashMap();
+ }
+ def list = new ArrayList();
+ def value = params.get(ctx.ocsf.process.container.hash.algorithm) + ':' + ctx.ocsf.process.container.hash.value;
+ list.add(value);
+ ctx.container.image.hash.all = list;
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.hash
+ tag: append_process_container_hash_value_into_related_hash
+ value: '{{{ocsf.process.container.hash.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.container?.hash?.value != null
+ - set:
+ field: container.image.name
+ tag: set_container_image_name
+ copy_from: ocsf.process.container.image.name
+ ignore_empty_value: true
+ - append:
+ field: container.image.tag
+ tag: append_process_container_image_tag_into_container_image_tag
+ value: '{{{ocsf.process.container.image.tag}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.container?.image?.tag != null
+ - set:
+ field: container.labels
+ tag: set_container_labels
+ copy_from: ocsf.process.container.image.labels
+ ignore_empty_value: true
+ - set:
+ field: orchestrator.type
+ tag: set_orchestrator_type
+ copy_from: ocsf.process.container.orchestrator
+ ignore_empty_value: true
+ - set:
+ field: container.name
+ tag: set_container_name
+ copy_from: ocsf.process.container.name
+ ignore_empty_value: true
+ - set:
+ field: container.runtime
+ tag: set_container_runtime
+ copy_from: ocsf.process.container.runtime
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.file.accessed_time_dt
+ target_field: ocsf.process.file.accessed_time_dt
+ tag: date_process_file_accessed_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.file?.accessed_time_dt != null && ctx.ocsf.process.file.accessed_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.accessed_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.accessed
+ tag: set_file_accessed_from_process_file_accessed_time_dt
+ copy_from: ocsf.process.file.accessed_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.file.accessed_time
+ target_field: ocsf.process.file.accessed_time
+ tag: date_process_file_accessed_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.file?.accessed_time != null && ctx.ocsf.process.file.accessed_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.accessed_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.accessed
+ tag: set_file_accessed_from_process_file_accessed_time
+ copy_from: ocsf.process.file.accessed_time
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.file.created_time_dt
+ target_field: ocsf.process.file.created_time_dt
+ tag: date_process_file_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.file?.created_time_dt != null && ctx.ocsf.process.file.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.created
+ tag: set_file_created_process_file_created_time_dt
+ copy_from: ocsf.process.file.created_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.file.created_time
+ target_field: ocsf.process.file.created_time
+ tag: date_process_file_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.file?.created_time != null && ctx.ocsf.process.file.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.created
+ tag: set_file_created_process_file_created_time
+ copy_from: ocsf.process.file.created_time
+ ignore_empty_value: true
+ - set:
+ field: file.directory
+ tag: set_file_directory
+ copy_from: ocsf.process.file.parent_folder
+ ignore_empty_value: true
+ - script:
+ description: Set value for file.hash.*.
+ if: ctx.ocsf?.process?.file?.hashes != null
+ tag: script_file_hash_*
+ lang: painless
+ params:
+ MD5: md5
+ SHA-1: sha1
+ SHA-256: sha256
+ SHA-512: sha512
+ CTPH: ssdeep
+ TLSH: tlsh
+ source: |-
+ if (ctx.file == null) {
+ ctx.file = new HashMap();
+ }
+ if (ctx.file.hash == null) {
+ ctx.file.hash = new HashMap();
+ }
+ Map map = new HashMap();
+ def hashes = ctx.ocsf.process.file.get('hashes');
+ for (def hash: hashes) {
+ def hashAlgorithm = params.get(hash.get('algorithm'));
+ if (hashAlgorithm == null) {
+ continue;
+ }
+ if (map.containsKey(hashAlgorithm)) {
+ map[hashAlgorithm].add(hash.get('value'));
+ } else {
+ Set set = new HashSet();
+ set.add(hash.get('value'));
+ map.put(hashAlgorithm, set);
+ }
+ }
+ ctx.file.hash = map;
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.process.file.hashes
+ if: ctx.ocsf?.process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_process_file_hashes_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - set:
+ field: file.inode
+ tag: set_file_inode
+ copy_from: ocsf.process.file.uid
+ ignore_empty_value: true
+ - set:
+ field: file.mime_type
+ tag: set_file_mime_type
+ copy_from: ocsf.process.file.mime_type
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.file.modified_time_dt
+ target_field: ocsf.process.file.modified_time_dt
+ tag: date_process_file_modified_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.file?.modified_time_dt != null && ctx.ocsf.process.file.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.mtime
+ tag: set_file_mtime_from_process_file_modified_time_dt
+ copy_from: ocsf.process.file.modified_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.file.modified_time
+ target_field: ocsf.process.file.modified_time
+ tag: date_process_file_modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.file?.modified_time != null && ctx.ocsf.process.file.modified_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.mtime
+ tag: set_file_mtime_from_process_file_modified_time
+ copy_from: ocsf.process.file.modified_time
+ ignore_empty_value: true
+ - set:
+ field: file.name
+ tag: set_file_name
+ copy_from: ocsf.process.file.name
+ ignore_empty_value: true
+ - set:
+ field: file.owner
+ tag: set_file_owner
+ copy_from: ocsf.process.file.owner.name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_process_file_owner_name_into_related_user
+ value: '{{{ocsf.process.file.owner.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.owner?.name != null
+ - set:
+ field: file.path
+ tag: set_file_path
+ copy_from: ocsf.process.file.path
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.process.file.size
+ tag: convert_process_file_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.file.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.size
+ tag: set_file_size
+ copy_from: ocsf.process.file.size
+ ignore_empty_value: true
+ - set:
+ field: file.type
+ tag: set_file_type
+ copy_from: ocsf.process.file.type
+ ignore_empty_value: true
+ - set:
+ field: file.uid
+ tag: set_file_uid
+ copy_from: ocsf.process.file.owner.uid
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_process_file_owner_uid_into_related_user
+ value: '{{{ocsf.process.file.owner.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.owner?.uid != null
+ - set:
+ field: file.x509.issuer.distinguished_name
+ tag: set_file_x509_issuer_distinguished_name
+ copy_from: ocsf.process.file.signature.certificate.issuer
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.file.signature.certificate.expiration_time_dt
+ target_field: ocsf.process.file.signature.certificate.expiration_time_dt
+ tag: date_process_file_signature_certificate_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.file?.signature?.certificate?.expiration_time_dt != null && ctx.ocsf.process.file.signature.certificate.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.signature.certificate.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.x509.not_after
+ tag: set_file_x509_not_after_from_process_file_signature_certificate_expiration_time_dt
+ copy_from: ocsf.process.file.signature.certificate.expiration_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.file.signature.certificate.expiration_time
+ target_field: ocsf.process.file.signature.certificate.expiration_time
+ tag: date_process_file_signature_certificate_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.file?.signature?.certificate?.expiration_time != null && ctx.ocsf.process.file.signature.certificate.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.signature.certificate.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.x509.not_after
+ tag: set_file_x509_not_after_from_process_file_signature_certificate_expiration_time
+ copy_from: ocsf.process.file.signature.certificate.expiration_time
+ ignore_empty_value: true
+ - set:
+ field: file.x509.serial_number
+ tag: set_file_x509_serial_number
+ copy_from: ocsf.process.file.signature.certificate.serial_number
+ ignore_empty_value: true
+ - set:
+ field: file.x509.subject.distinguished_name
+ tag: set_file_x509_subject_distinguished_name
+ copy_from: ocsf.process.file.signature.certificate.subject
+ ignore_empty_value: true
+ - set:
+ field: file.x509.version_number
+ tag: set_file_x509_version_number
+ copy_from: ocsf.process.file.signature.certificate.version
+ ignore_empty_value: true
+ - set:
+ field: process.command_line
+ tag: set_process_command_line
+ copy_from: ocsf.process.cmd_line
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.terminated_time_dt
+ target_field: ocsf.process.terminated_time_dt
+ tag: date_process_terminated_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.terminated_time_dt != null && ctx.ocsf.process.terminated_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.terminated_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.end
+ tag: set_process_end_from_process_terminated_time_dt
+ copy_from: ocsf.process.terminated_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.terminated_time
+ target_field: ocsf.process.terminated_time
+ tag: date_process_terminated_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.terminated_time != null && ctx.ocsf.process.terminated_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.terminated_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.end
+ tag: set_process_end_from_process_terminated_time
+ copy_from: ocsf.process.terminated_time
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.process.egid
+ tag: convert_process_egid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: process.group.id
+ tag: append_process_group_id_from_process_egid
+ value: '{{{ocsf.process.egid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.egid != null
+ - append:
+ field: process.group.id
+ tag: append_process_group_id_from_process_group_uid
+ value: '{{{ocsf.process.group.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.group?.uid != null
+ - set:
+ field: process.group.name
+ tag: set_process_group_name
+ copy_from: ocsf.process.group.name
+ ignore_empty_value: true
+ - set:
+ field: process.name
+ tag: set_process_name
+ copy_from: ocsf.process.name
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.process.pid
+ tag: convert_process_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.pid
+ tag: set_process_pid
+ copy_from: ocsf.process.pid
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.created_time_dt
+ target_field: ocsf.process.created_time_dt
+ tag: date_process_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.created_time_dt != null && ctx.ocsf.process.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.start
+ tag: set_process_start_from_process_created_time_dt
+ copy_from: ocsf.process.created_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.created_time
+ target_field: ocsf.process.created_time
+ tag: date_process_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.created_time != null && ctx.ocsf.process.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.start
+ tag: set_process_start_from_process_created_time
+ copy_from: ocsf.process.created_time
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.process.tid
+ tag: convert_process_tid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.tid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.thread.id
+ tag: set_process_thread_id
+ copy_from: ocsf.process.tid
+ ignore_empty_value: true
+ - set:
+ field: process.entity_id
+ tag: set_process_entity_id
+ copy_from: ocsf.process.uid
+ ignore_empty_value: true
+ - set:
+ field: process.user.domain
+ tag: set_process_user_domain
+ copy_from: ocsf.process.user.domain
+ ignore_empty_value: true
+ - set:
+ field: process.user.email
+ tag: set_process_user_email
+ copy_from: ocsf.process.user.email_addr
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_process_user_email_addr_into_related_user
+ value: '{{{ocsf.process.user.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.user?.email_addr != null
+ - set:
+ field: process.user.full_name
+ tag: set_process_user_full_name
+ copy_from: ocsf.process.user.full_name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_process_user_full_name_into_related_user
+ value: '{{{ocsf.process.user.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.user?.full_name != null
+ - foreach:
+ field: ocsf.process.user.groups
+ if: ctx.ocsf?.process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: process.user.group.id
+ tag: append_process_user_group_id
+ value: '{{{_ingest._value.uid}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.process.user.groups
+ if: ctx.ocsf?.process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: process.user.group.name
+ tag: append_process_user_group_name
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.process.euid
+ tag: convert_process_euid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: process.user.id
+ tag: append_process_user_id_from_process_euid
+ value: '{{{ocsf.process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.euid != null
+ - append:
+ field: related.user
+ tag: append_process_euid_into_related_user
+ value: '{{{ocsf.process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.euid != null
+ - append:
+ field: process.user.id
+ tag: append_process_user_id_from_process_uid
+ value: '{{{ocsf.process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.user?.uid != null
+ - append:
+ field: related.user
+ tag: append_process_uid_into_related_user
+ value: '{{{ocsf.process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.user?.uid != null
+ - set:
+ field: process.user.name
+ tag: set_process_user_name
+ copy_from: ocsf.process.user.name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_process_user_name_into_related_user
+ value: '{{{ocsf.process.user.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.user?.name != null
+ - convert:
+ field: ocsf.process.container.hash.algorithm_id
+ tag: convert_process_container_hash_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.auid
+ tag: convert_process_auid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.container.size
+ tag: convert_process_container_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.container.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.file.accessor.account.type_id
+ tag: convert_process_file_accessor_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_process_file_accessor_uid_alt_into_related_user
+ value: '{{{ocsf.process.file.accessor.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.accessor?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_process_file_accessor_email_addr_into_related_user
+ value: '{{{ocsf.process.file.accessor.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.accessor?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_process_file_accessor_full_name_into_related_user
+ value: '{{{ocsf.process.file.accessor.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.accessor?.full_name != null
+ - append:
+ field: related.user
+ tag: append_process_file_accessor_name_into_related_user
+ value: '{{{ocsf.process.file.accessor.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.accessor?.name != null
+ - append:
+ field: related.user
+ tag: append_process_file_accessor_uid_into_related_user
+ value: '{{{ocsf.process.file.accessor.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.accessor?.uid != null
+ - convert:
+ field: ocsf.process.file.accessor.type_id
+ tag: convert_process_file_accessor_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.file.attributes
+ tag: convert_process_file_attributes_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.file.attributes
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.file.confidentiality_id
+ tag: convert_process_file_confidentiality_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.file.creator.account.type_id
+ tag: convert_process_file_creator_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.file.creator.type_id
+ tag: convert_process_file_creator_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_process_file_signature_certificate_fingerprints_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_process_file_signature_certificate_fingerprints_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.process.file.signature.algorithm_id
+ tag: convert_process_file_signature_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_process_file_signature_value_into_related_hash
+ value: '{{{ocsf.process.file.signature.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.signature?.value != null
+ - date:
+ field: ocsf.process.file.signature.certificate.created_time_dt
+ target_field: ocsf.process.file.signature.certificate.created_time_dt
+ tag: date_process_file_signature_certificate_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.file?.signature?.certificate?.created_time_dt != null && ctx.ocsf.process.file.signature.certificate.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.signature.certificate.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.file.signature.certificate.created_time
+ target_field: ocsf.process.file.signature.certificate.created_time
+ tag: date_process_file_signature_certificate_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.file?.signature?.certificate?.created_time != null && ctx.ocsf.process.file.signature.certificate.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.signature.certificate.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.file.signature.created_time_dt
+ target_field: ocsf.process.file.signature.created_time_dt
+ tag: date_process_file_signature_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.file?.signature?.created_time_dt != null && ctx.ocsf.process.file.signature.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.signature.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.file.signature.created_time
+ target_field: ocsf.process.file.signature.created_time
+ tag: date_process_file_signature_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.file?.signature?.created_time != null && ctx.ocsf.process.file.signature.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.file.signature.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.file.signature.digest.algorithm_id
+ tag: convert_process_file_signature_digest_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_process_file_signature_digest_value_into_related_hash
+ value: '{{{ocsf.process.file.signature.digest.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.signature?.digest?.value != null
+ - foreach:
+ field: ocsf.process.file.hashes
+ if: ctx.ocsf?.process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_process_file_hashes_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.file.modifier.account.type_id
+ tag: convert_process_file_modifier_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.file.modifier.account.type_id
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.file.modifier.type_id
+ tag: convert_process_file_modifier_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.file.owner.account.type_id
+ tag: convert_process_file_owner_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.file.owner.type_id
+ tag: convert_process_file_owner_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.file.is_system
+ tag: convert_process_file_is_system_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.file.is_system
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.file.type_id
+ tag: convert_process_file_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.integrity_id
+ tag: convert_process_integrity_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.namespace_pid
+ tag: convert_process_namespace_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.namespace_pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ description: Stringify the parent_process object if its depth_limit is greater than 20.
+ if: ctx.ocsf?.process?.parent_process != null
+ tag: script_process_parent_process_stringify
+ lang: painless
+ source: |-
+ def process = ctx.ocsf.process.parent_process;
+ def count = 0;
+ while (true) {
+ if (process != null && process.parent_process != null) {
+ count += 1;
+ process = process.parent_process;
+ } else {
+ break;
+ }
+ }
+ if (count >= 15) {
+ ctx.ocsf.process.parent_process.put("parent_process_keyword", ctx.ocsf.process.parent_process.parent_process.toString());
+ ctx.ocsf.process.parent_process.remove("parent_process");
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.hash
+ tag: append_process_parent_process_container_hash_value_into_related_hash
+ value: '{{{ocsf.process.parent_process.container.hash.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.container?.hash?.value != null
+ - date:
+ field: ocsf.process.parent_process.file.accessed_time_dt
+ target_field: ocsf.process.parent_process.file.accessed_time_dt
+ tag: date_process_parent_process_file_accessed_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.file?.accessed_time_dt != null && ctx.ocsf.process.parent_process.file.accessed_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.accessed_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.file.accessed_time
+ target_field: ocsf.process.parent_process.file.accessed_time
+ tag: date_process_parent_process_file_accessed_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.file?.accessed_time != null && ctx.ocsf.process.parent_process.file.accessed_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.accessed_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.file.created_time_dt
+ target_field: ocsf.process.parent_process.file.created_time_dt
+ tag: date_process_parent_process_file_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.file?.created_time_dt != null && ctx.ocsf.process.parent_process.file.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.file.created_time
+ target_field: ocsf.process.parent_process.file.created_time
+ tag: date_process_parent_process_file_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.file?.created_time != null && ctx.ocsf.process.parent_process.file.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.process.parent_process.file.hashes
+ if: ctx.ocsf?.process?.parent_process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_process_parent_process_file_hashes_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - date:
+ field: ocsf.process.parent_process.file.modified_time_dt
+ target_field: ocsf.process.parent_process.file.modified_time_dt
+ tag: date_process_parent_process_file_modified_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.file?.modified_time_dt != null && ctx.ocsf.process.parent_process.file.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.file.modified_time
+ target_field: ocsf.process.parent_process.file.modified_time
+ tag: date_process_parent_process_file_modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.file?.modified_time != null && ctx.ocsf.process.parent_process.file.modified_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_owner_name_into_related_user
+ value: '{{{ocsf.process.parent_process.file.owner.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.owner?.name != null
+ - convert:
+ field: ocsf.process.parent_process.file.size
+ tag: convert_process_parent_process_file_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_owner_uid_into_related_user
+ value: '{{{ocsf.process.parent_process.file.owner.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.owner?.uid != null
+ - date:
+ field: ocsf.process.parent_process.file.signature.certificate.expiration_time_dt
+ target_field: ocsf.process.parent_process.file.signature.certificate.expiration_time_dt
+ tag: date_process_parent_process_file_signature_certificate_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.certificate?.expiration_time_dt != null && ctx.ocsf.process.parent_process.file.signature.certificate.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.signature.certificate.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.file.signature.certificate.expiration_time
+ target_field: ocsf.process.parent_process.file.signature.certificate.expiration_time
+ tag: date_process_parent_process_file_signature_certificate_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.certificate?.expiration_time != null && ctx.ocsf.process.parent_process.file.signature.certificate.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.signature.certificate.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.command_line
+ tag: set_process_parent_command_line
+ copy_from: ocsf.process.parent_process.cmd_line
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.parent_process.terminated_time_dt
+ target_field: ocsf.process.parent_process.terminated_time_dt
+ tag: date_process_parent_process_terminated_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.terminated_time_dt != null && ctx.ocsf.process.parent_process.terminated_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.terminated_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.end
+ tag: set_process_parent_end_from_process_parent_process_terminated_time_dt
+ copy_from: ocsf.process.parent_process.terminated_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.parent_process.terminated_time
+ target_field: ocsf.process.parent_process.terminated_time
+ tag: date_process_parent_process_terminated_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.terminated_time != null && ctx.ocsf.process.parent_process.terminated_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.terminated_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.end
+ tag: set_process_parent_process_end_from_process_terminated_time
+ copy_from: ocsf.process.parent_process.terminated_time
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.process.parent_process.egid
+ tag: convert_process_parent_process_egid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: process.parent.group.id
+ tag: append_process_parent_group_id_from_process_parent_process_egid
+ value: '{{{ocsf.process.parent_process.egid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.egid != null
+ - append:
+ field: process.parent.group.id
+ tag: append_process_parent_group_id_from_process_parent_process_group_uid
+ value: '{{{ocsf.process.parent_process.group.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.group?.uid != null
+ - set:
+ field: process.parent.group.name
+ tag: set_process_parent_group_name
+ copy_from: ocsf.process.parent_process.group.name
+ ignore_empty_value: true
+ - set:
+ field: process.parent.name
+ tag: set_process_parent_name
+ copy_from: ocsf.process.parent_process.name
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.process.parent_process.pid
+ tag: convert_process_parent_process_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.pid
+ tag: set_process_parent_pid
+ copy_from: ocsf.process.parent_process.pid
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.parent_process.created_time_dt
+ target_field: ocsf.process.parent_process.created_time_dt
+ tag: date_process_parent_process_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.created_time_dt != null && ctx.ocsf.process.parent_process.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.start
+ tag: set_process_parent_start_from_process_parent_process_created_time_dt
+ copy_from: ocsf.process.parent_process.created_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.process.parent_process.created_time
+ target_field: ocsf.process.parent_process.created_time
+ tag: date_process_parent_process_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.created_time != null && ctx.ocsf.process.parent_process.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.start
+ tag: set_process_parent_process_start_from_process_created_time
+ copy_from: ocsf.process.parent_process.created_time
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.process.parent_process.tid
+ tag: convert_process_parent_process_tid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.tid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.thread.id
+ tag: set_process_parent_thread_id
+ copy_from: ocsf.process.parent_process.tid
+ ignore_empty_value: true
+ - set:
+ field: process.parent.entity_id
+ tag: set_process_parent_entity_id
+ copy_from: ocsf.process.parent_process.uid
+ ignore_empty_value: true
+ - set:
+ field: process.parent.user.domain
+ tag: set_process_parent_user_domain
+ copy_from: ocsf.process.parent_process.user.domain
+ ignore_empty_value: true
+ - set:
+ field: process.parent.user.email
+ tag: set_process_parent_user_email
+ copy_from: ocsf.process.parent_process.user.email_addr
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_process_parent_process_user_email_addr_into_related_user
+ value: '{{{ocsf.process.parent_process.user.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.user?.email_addr != null
+ - set:
+ field: process.parent.user.full_name
+ tag: set_process_parent_user_full_name
+ copy_from: ocsf.process.parent_process.user.full_name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_process_parent_process_user_full_name_into_related_user
+ value: '{{{ocsf.process.parent_process.user.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.user?.full_name != null
+ - foreach:
+ field: ocsf.process.parent_process.user.groups
+ if: ctx.ocsf?.process?.parent_process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: process.parent.user.group.id
+ tag: append_process_parent_user_group_id
+ value: '{{{_ingest._value.uid}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.process.parent_process.user.groups
+ if: ctx.ocsf?.process?.parent_process?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: process.parent.user.group.name
+ tag: append_process_parent_user_group_name
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.process.parent_process.euid
+ tag: convert_process_parent_process_euid_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: process.parent.user.id
+ tag: append_process_parent_user_id_from_process_parent_process_euid
+ value: '{{{ocsf.process.parent_process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.euid != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_euid_into_related_user
+ value: '{{{ocsf.process.parent_process.euid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.euid != null
+ - append:
+ field: process.parent.user.id
+ tag: append_process_parent_user_id_from_process_parent_process_uid
+ value: '{{{ocsf.process.parent_process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.user?.uid != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_uid_into_related_user
+ value: '{{{ocsf.process.parent_process.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.user?.uid != null
+ - set:
+ field: process.parent.user.name
+ tag: set_process_parnt_user_name
+ copy_from: ocsf.process.parent_process.user.name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_process_parent_process_user_name_into_related_user
+ value: '{{{ocsf.process.parent_process.user.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.user?.name != null
+ - convert:
+ field: ocsf.process.parent_process.container.hash.algorithm_id
+ tag: convert_process_parent_process_container_hash_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.auid
+ tag: convert_process_parent_process_auid_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.container.size
+ tag: convert_process_parent_process_container_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.container.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.parent_process.file.accessor.account.type_id
+ tag: convert_process_parent_process_file_accessor_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_accessor_uid_alt_into_related_user
+ value: '{{{ocsf.process.parent_process.file.accessor.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.accessor?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_accessor_email_addr_into_related_user
+ value: '{{{ocsf.process.parent_process.file.accessor.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.accessor?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_accessor_full_name_into_related_user
+ value: '{{{ocsf.process.parent_process.file.accessor.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.accessor?.full_name != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_accessor_name_into_related_user
+ value: '{{{ocsf.process.parent_process.file.accessor.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.accessor?.name != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_accessor_uid_into_related_user
+ value: '{{{ocsf.process.parent_process.file.accessor.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.accessor?.uid != null
+ - convert:
+ field: ocsf.process.parent_process.file.accessor.type_id
+ tag: convert_process_parent_process_file_accessor_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.file.attributes
+ tag: convert_process_parent_process_file_attributes_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.attributes
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.parent_process.file.confidentiality_id
+ tag: convert_process_parent_process_file_confidentiality_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.file.creator.account.type_id
+ tag: convert_process_parent_process_file_creator_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.file.creator.type_id
+ tag: convert_process_parent_process_file_creator_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.process.parent_process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_process_parent_process_file_signature_certificate_fingerprints_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.process.parent_process.file.signature.certificate.fingerprints
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_process_parent_process_file_signature_certificate_fingerprints_value_into_related_hash
+ value: '{{{_ingest._value.value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.process.parent_process.file.signature.algorithm_id
+ tag: convert_process_parent_process_file_signature_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_process_parent_process_file_signature_value_into_related_hash
+ value: '{{{ocsf.process.parent_process.file.signature.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.value != null
+ - date:
+ field: ocsf.process.parent_process.file.signature.certificate.created_time_dt
+ target_field: ocsf.process.parent_process.file.signature.certificate.created_time_dt
+ tag: date_process_parent_process_file_signature_certificate_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.certificate?.created_time_dt != null && ctx.ocsf.process.parent_process.file.signature.certificate.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.signature.certificate.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.file.signature.certificate.created_time
+ target_field: ocsf.process.parent_process.file.signature.certificate.created_time
+ tag: date_process_parent_process_file_signature_certificate_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.certificate?.created_time != null && ctx.ocsf.process.parent_process.file.signature.certificate.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.signature.certificate.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.file.signature.created_time_dt
+ target_field: ocsf.process.parent_process.file.signature.created_time_dt
+ tag: date_process_parent_process_file_signature_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.created_time_dt != null && ctx.ocsf.process.parent_process.file.signature.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.signature.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.file.signature.created_time
+ target_field: ocsf.process.parent_process.file.signature.created_time
+ tag: date_process_parent_process_file_signature_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.created_time != null && ctx.ocsf.process.parent_process.file.signature.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.signature.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.parent_process.file.signature.digest.algorithm_id
+ tag: convert_process_parent_process_file_signature_digest_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.hash
+ tag: append_process_parent_process_file_signature_digest_value_into_related_hash
+ value: '{{{ocsf.process.parent_process.file.signature.digest.value}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.signature?.digest?.value != null
+ - foreach:
+ field: ocsf.process.parent_process.file.hashes
+ if: ctx.ocsf?.process?.parent_process?.file?.hashes instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_process_parent_process_file_hashes_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.file.modifier.account.type_id
+ tag: convert_process_parent_process_file_modifier_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.file.modifier.type_id
+ tag: convert_process_parent_process_file_modifier_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.file.owner.account.type_id
+ tag: convert_process_parent_process_file_owner_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.file.owner.type_id
+ tag: convert_process_parent_process_file_owner_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.file.is_system
+ tag: convert_process_parent_process_file_is_system_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.file.is_system
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.parent_process.file.type_id
+ tag: convert_process_parent_process_file_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.integrity_id
+ tag: convert_process_parent_process_integrity_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.namespace_pid
+ tag: convert_process_parent_process_namespace_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.namespace_pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.session.created_time_dt
+ target_field: ocsf.process.parent_process.session.created_time_dt
+ tag: date_process_parent_process_session_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.session?.created_time_dt != null && ctx.ocsf.process.parent_process.session.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.session.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.session.created_time
+ target_field: ocsf.process.parent_process.session.created_time
+ tag: date_process_parent_process_session_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.session?.created_time != null && ctx.ocsf.process.parent_process.session.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.session.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.session.expiration_time_dt
+ target_field: ocsf.process.parent_process.session.expiration_time_dt
+ tag: date_process_parent_process_session_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.parent_process?.session?.expiration_time_dt != null && ctx.ocsf.process.parent_process.session.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.session.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.parent_process.session.expiration_time
+ target_field: ocsf.process.parent_process.session.expiration_time
+ tag: date_process_parent_process_session_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.parent_process?.session?.expiration_time != null && ctx.ocsf.process.parent_process.session.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.session.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.parent_process.session.mfa
+ tag: convert_process_parent_process_session_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.session.mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.parent_process.session.is_remote
+ tag: convert_process_parent_process_session_is_remote_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.parent_process.session.is_remote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.parent_process.user.account.type_id
+ tag: convert_process_parent_process_user_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.parent_process.user.type_id
+ tag: convert_process_parent_process_user_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_creator_uid_alt_into_related_user
+ value: '{{{ocsf.process.parent_process.file.creator.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.creator?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_creator_email_addr_into_related_user
+ value: '{{{ocsf.process.parent_process.file.creator.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.creator?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_creator_full_name_into_related_user
+ value: '{{{ocsf.process.parent_process.file.creator.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.creator?.full_name != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_creator_name_into_related_user
+ value: '{{{ocsf.process.parent_process.file.creator.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.creator?.name != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_creator_uid_into_related_user
+ value: '{{{ocsf.process.parent_process.file.creator.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.creator?.uid != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_modifier_uid_alt_into_related_user
+ value: '{{{ocsf.process.parent_process.file.modifier.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.modifier?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_modifier_email_addr_into_related_user
+ value: '{{{ocsf.process.parent_process.file.modifier.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.modifier?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_modifier_full_name_into_related_user
+ value: '{{{ocsf.process.parent_process.file.modifier.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.modifier?.full_name != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_modifier_name_into_related_user
+ value: '{{{ocsf.process.parent_process.file.modifier.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.modifier?.name != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_modifier_uid_into_related_user
+ value: '{{{ocsf.process.parent_process.file.modifier.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.modifier?.uid != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_owner_uid_alt_into_related_user
+ value: '{{{ocsf.process.parent_process.file.owner.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.owner?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_owner_email_addr_into_related_user
+ value: '{{{ocsf.process.parent_process.file.owner.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.owner?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_file_owner_full_name_into_related_user
+ value: '{{{ocsf.process.parent_process.file.owner.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.file?.owner?.full_name != null
+ - append:
+ field: related.user
+ tag: append_process_parent_process_user_uid_alt_into_related_user
+ value: '{{{ocsf.process.parent_process.user.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.parent_process?.user?.uid_alt != null
+ - date:
+ field: ocsf.process.session.created_time_dt
+ target_field: ocsf.process.session.created_time_dt
+ tag: date_process_session_created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.session?.created_time_dt != null && ctx.ocsf.process.session.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.session.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.session.created_time
+ target_field: ocsf.process.session.created_time
+ tag: date_process_session_created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.session?.created_time != null && ctx.ocsf.process.session.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.session.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.session.expiration_time_dt
+ target_field: ocsf.process.session.expiration_time_dt
+ tag: date_process_session_expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.process?.session?.expiration_time_dt != null && ctx.ocsf.process.session.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.session.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.process.session.expiration_time
+ target_field: ocsf.process.session.expiration_time
+ tag: date_process_session_expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.process?.session?.expiration_time != null && ctx.ocsf.process.session.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.process.session.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.session.mfa
+ tag: convert_process_session_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.session.mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.session.is_remote
+ tag: convert_process_session_is_remote_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.process.session.is_remote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.process.user.account.type_id
+ tag: convert_process_user_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.process.user.type_id
+ tag: convert_process_user_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_process_file_creator_uid_alt_into_related_user
+ value: '{{{ocsf.process.file.creator.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.creator?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_process_file_creator_email_addr_into_related_user
+ value: '{{{ocsf.process.file.creator.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.creator?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_process_file_creator_full_name_into_related_user
+ value: '{{{ocsf.process.file.creator.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.creator?.full_name != null
+ - append:
+ field: related.user
+ tag: append_process_file_creator_name_into_related_user
+ value: '{{{ocsf.process.file.creator.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.creator?.name != null
+ - append:
+ field: related.user
+ tag: append_process_file_creator_uid_into_related_user
+ value: '{{{ocsf.process.file.creator.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.creator?.uid != null
+ - append:
+ field: related.user
+ tag: append_process_file_modifier_uid_alt_into_related_user
+ value: '{{{ocsf.process.file.modifier.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.modifier?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_process_file_modifier_email_addr_into_related_user
+ value: '{{{ocsf.process.file.modifier.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.modifier?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_process_file_modifier_full_name_into_related_user
+ value: '{{{ocsf.process.file.modifier.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.modifier?.full_name != null
+ - append:
+ field: related.user
+ tag: append_process_file_modifier_name_into_related_user
+ value: '{{{ocsf.process.file.modifier.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.modifier?.name != null
+ - append:
+ field: related.user
+ tag: append_process_file_modifier_uid_into_related_user
+ value: '{{{ocsf.process.file.modifier.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.modifier?.uid != null
+ - append:
+ field: related.user
+ tag: append_process_file_owner_uid_alt_into_related_user
+ value: '{{{ocsf.process.file.owner.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.owner?.uid_alt != null
+ - append:
+ field: related.user
+ tag: append_process_file_owner_email_addr_into_related_user
+ value: '{{{ocsf.process.file.owner.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.owner?.email_addr != null
+ - append:
+ field: related.user
+ tag: append_process_file_owner_full_name_into_related_user
+ value: '{{{ocsf.process.file.owner.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.file?.owner?.full_name != null
+ - append:
+ field: related.user
+ tag: append_process_user_uid_alt_into_related_user
+ value: '{{{ocsf.process.user.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.process?.user?.uid_alt != null
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml
new file mode 100644
index 00000000000..f63c7baf5d3
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml
@@ -0,0 +1,132 @@
+---
+description: Pipeline for processing Network Proxy object.
+# Network Proxy object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/network_proxy
+processors:
+ - convert:
+ field: ocsf.proxy.location.is_on_premises
+ tag: convert_proxy_location_is_on_premises_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.proxy.location.is_on_premises
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.proxy.ip
+ tag: convert_proxy_ip_to_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.ocsf?.proxy?.ip != '' || ctx.ocsf.proxy.ip != '-'
+ on_failure:
+ - remove:
+ field: ocsf.proxy.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.ip
+ tag: append_proxy_ip_into_related_ip
+ value: '{{{ocsf.proxy.ip}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.proxy?.ip != null
+ - foreach:
+ field: ocsf.proxy.location.coordinates
+ if: ctx.ocsf?.proxy?.location?.coordinates instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_proxy_location_coordinates_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.proxy.port
+ tag: convert_proxy_port_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.proxy.port
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.proxy.intermediate_ips
+ if: ctx.ocsf?.proxy?.intermediate_ips instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value
+ tag: convert_proxy_intermediate_ips_to_ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.proxy.intermediate_ips
+ if: ctx.ocsf?.proxy?.intermediate_ips instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.ip
+ tag: append_proxy_intermediate_ips_into_related_ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - gsub:
+ field: ocsf.proxy.mac
+ tag: gsub_proxy_mac
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - uppercase:
+ field: ocsf.proxy.mac
+ tag: uppercase_proxy_mac
+ ignore_missing: true
+ if: ctx.ocsf?.proxy?.mac != ''
+ on_failure:
+ - remove:
+ field: ocsf.proxy.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.hosts
+ tag: append_proxy_domain_into_related_hosts
+ value: '{{{ocsf.proxy.domain}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.proxy?.domain != null
+ - append:
+ field: related.hosts
+ tag: append_proxy_hostname_into_related_hosts
+ value: '{{{ocsf.proxy.hostname}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.proxy?.hostname != null
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
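Review bot: The guard on the proxy IP conversion at L13498 is always true — `x != '' || x != '-'` holds for every value — so an empty or `-` placeholder still reaches the `ip` convert, fails, and lands in `error.message` instead of being skipped. The intended condition is `if: ctx.ocsf?.proxy?.ip != '' && ctx.ocsf?.proxy?.ip != '-'`; the null-safe `?.` is needed on the second operand as well, because with `&&` that operand is evaluated when `ctx.ocsf.proxy` is absent and the non-null-safe form would throw a null pointer error. Once the convert is skipped rather than failing, a `-` value is no longer removed, so the `related.ip` append at L13511, which only checks `!= null`, should carry the same `'' / '-'` guard or the placeholder ends up in `related.ip`.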
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml
new file mode 100644
index 00000000000..575803b7cdf
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml
@@ -0,0 +1,306 @@
+---
+description: Pipeline for processing TLS object.
+# TLS object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/tls
+processors:
+ - set:
+ field: tls.cipher
+ tag: set_tls_cipher
+ copy_from: ocsf.tls.cipher
+ ignore_empty_value: true
+ - set:
+ field: tls.client.ja3
+ tag: set_tls_client_ja3
+ copy_from: ocsf.tls.ja3_hash.value
+ ignore_empty_value: true
+ - append:
+ field: related.hash
+ tag: append_tls_client_ja3_into_related_hash
+ value: '{{{tls.client.ja3}}}'
+ allow_duplicates: false
+ if: ctx.tls?.client?.ja3 != null
+ - set:
+ field: tls.client.server_name
+ tag: set_tls_client_server_name
+ copy_from: ocsf.tls.sni
+ ignore_empty_value: true
+ - append:
+ field: related.hosts
+ tag: append_tls_client_server_name_into_related_hosts
+ value: '{{{tls.client.server_name}}}'
+ allow_duplicates: false
+ if: ctx.tls?.client?.server_name != null
+ - foreach:
+ field: ocsf.tls.client_ciphers
+ if: ctx.ocsf?.tls?.client_ciphers instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: tls.client.supported_ciphers
+ tag: append_tls_client_ciphers_into_tls_client_supported_ciphers
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.tls.sans
+ if: ctx.ocsf?.tls?.sans instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: tls.client.x509.alternative_names
+ tag: append_tls_sans_name_into_tls_client_x509_alternative_names
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.tls.sans
+ if: ctx.json?.tls?.sans instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.name
+ type: ip
+ target_field: _ingest._value.name_ips
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: related.hosts
+ tag: append_tls_sans_name_into_related_hosts
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.tls.sans
+ if: ctx.json?.tls?.sans instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.ip
+ tag: append_tls_sans_name_ips_into_related_ip
+ value: '{{{_ingest._value.name_ips}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.tls.sans
+ if: ctx.json?.tls?.sans instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field: _ingest._value.name_ips
+ tag: remove_tls_sans_name_ips
+ ignore_missing: true
+ - set:
+ field: tls.client.x509.issuer.distinguished_name
+ tag: set_tls_client_x509_issuer_distinguished_name
+ copy_from: ocsf.tls.certificate.issuer
+ ignore_empty_value: true
+ - date:
+ field: ocsf.tls.certificate.expiration_time_dt
+ tag: date_tls_certificate_expiration_time_dt
+ target_field: ocsf.tls.certificate.expiration_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.tls?.certificate?.expiration_time_dt != null && ctx.ocsf.tls.certificate.expiration_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.tls.certificate.expiration_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: ocsf.tls.extension_list
+ if: ctx.ocsf?.tls?.extension_list instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.type_id
+ tag: convert_tls_extension_list_type_id_to_string
+ type: string
+ ignore_missing: true
+ - set:
+ field: tls.client.x509.not_after
+ tag: set_tls_client_x509_not_after_from_tls_certificate_expiration_time_dt
+ copy_from: ocsf.tls.certificate.expiration_time_dt
+ ignore_empty_value: true
+ - date:
+ field: ocsf.tls.certificate.expiration_time
+ tag: date_tls_certificate_expiration_time
+ target_field: ocsf.tls.certificate.expiration_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.tls?.certificate?.expiration_time != null && ctx.ocsf.tls.certificate.expiration_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.tls.certificate.expiration_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: tls.client.x509.not_after
+ tag: set_tls_client_x509_not_after_from_tls_certificate_expiration_time
+ copy_from: ocsf.tls.certificate.expiration_time
+ ignore_empty_value: true
+ - set:
+ field: tls.client.x509.serial_number
+ tag: set_tls_client_x509_serial_number
+ copy_from: ocsf.tls.certificate.serial_number
+ ignore_empty_value: true
+ - set:
+ field: tls.client.x509.subject.distinguished_name
+ tag: set_tls_client_x509_subject_distinguished_name
+ copy_from: ocsf.tls.certificate.subject
+ ignore_empty_value: true
+ - set:
+ field: tls.client.x509.version_number
+ tag: set_tls_client_x509_version_number
+ copy_from: ocsf.tls.certificate.version
+ ignore_empty_value: true
+ - set:
+ field: tls.server.ja3s
+ tag: set_tls_server_ja3s
+ copy_from: ocsf.tls.ja3s_hash.value
+ ignore_empty_value: true
+ - append:
+ field: related.hash
+ tag: append_tls_server_ja3s_into_related_hash
+ value: '{{{tls.server.ja3s}}}'
+ allow_duplicates: false
+ if: ctx.tls?.server?.ja3s != null
+ - set:
+ field: tls.version
+ tag: set_tls_version
+ copy_from: ocsf.tls.version
+ ignore_empty_value: true
+ - date:
+ field: ocsf.tls.certificate.created_time_dt
+ tag: date_tls_certificate_created_time_dt
+ target_field: ocsf.tls.certificate.created_time_dt
+ formats:
+ - ISO8601
+ if: ctx.ocsf?.tls?.certificate?.created_time_dt != null && ctx.ocsf.tls.certificate.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: ocsf.tls.certificate.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: ocsf.tls.certificate.created_time
+ tag: date_tls_certificate_created_time
+ target_field: ocsf.tls.certificate.created_time
+ formats:
+ - UNIX_MS
+ if: ctx.ocsf?.tls?.certificate?.created_time != null && ctx.ocsf.tls.certificate.created_time != ''
+ on_failure:
+ - remove:
+ field: ocsf.tls.certificate.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.tls.alert
+ tag: convert_tls_alert_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.tls.alert
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.tls.handshake_dur
+ tag: convert_tls_handshake_dur_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.tls.handshake_dur
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ description: Set value for tls.client.hash.*.
+ tag: script_tls_client_hash_*
+ if: ctx.ocsf?.tls?.certificate?.fingerprints != null
+ lang: painless
+ params:
+ MD5: md5
+ SHA-1: sha1
+ SHA-256: sha256
+ source: |-
+ if (ctx.tls == null) {
+ ctx.tls = new HashMap();
+ }
+ if (ctx.tls.client == null) {
+ ctx.tls.client = new HashMap();
+ }
+ if (ctx.tls.client.hash == null) {
+ ctx.tls.client.hash = new HashMap();
+ }
+ Map map = new HashMap();
+ def hashes = ctx.ocsf.tls.certificate.get('fingerprints');
+ for (def hash: hashes) {
+ def hashAlgorithm = params.get(hash.get('algorithm'));
+ if (hashAlgorithm == null) {
+ continue;
+ }
+ if (map.containsKey(hashAlgorithm)) {
+ map[hashAlgorithm].add(hash.get('value'));
+ } else {
+ Set set = new HashSet();
+ set.add(hash.get('value'));
+ map.put(hashAlgorithm, set);
+ }
+ }
+ ctx.tls.client.hash = map;
+ - foreach:
+ field: tls.client.hash
+ if: ctx.tls?.client?.hash instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ tag: append_tls_client_hash_into_related_hash
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.tls.key_length
+ tag: convert_tls_key_length_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.tls.key_length
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: ocsf.tls.ja3_hash.algorithm_id
+ tag: convert_tls_ja3_hash_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.tls.ja3s_hash.algorithm_id
+ tag: convert_tls_ja3s_hash_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: ocsf.tls.certificate.fingerprints
+ if: ctx.ocsf?.tls?.certificate?.fingerprints instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.algorithm_id
+ tag: convert_tls_certificate_fingerprints_algorithm_id_to_string
+ type: string
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
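Review bot: The foreach at L13872 never runs, because the script at L13871 stores a `HashMap` in `tls.client.hash` while the foreach condition requires `instanceof List`, so certificate fingerprints never reach `related.hash`. Appending inside the script (below) and dropping that foreach is the simplest repair; it assumes `related.hash`, when already present, is a list as the earlier `append` processors in this file produce. The script's own `if` at L13840 only tests for non-null, so a non-list `fingerprints` value throws inside the `for` and fails the whole document; the `instanceof List` check used at L13906 is the safer guard. Separately, the three foreach processors at L13667, L13683 and L13693 iterate `json.tls.sans` while every other processor here reads `ocsf.tls.*`, which looks like a leftover namespace and would mean no SAN ever reaches `related.hosts`/`related.ip`. Foreach appends such as L13661 use `'{{{_ingest._value.name}}}'` with no element guard, so an element lacking `name` appends an empty string; the same pattern is at L14082 and L14092 in the user pipeline, where `if: ctx._ingest._value?.uid != null` on the inner append would avoid it.
```yaml
      source: |-
        // … unchanged: ctx.tls / ctx.tls.client initialisation and the fingerprint -> map loop …
        ctx.tls.client.hash = map;
        if (ctx.related == null) {
          ctx.related = new HashMap();
        }
        if (ctx.related.hash == null) {
          ctx.related.hash = new ArrayList();
        }
        for (def values : map.values()) {
          for (def v : values) {
            if (!ctx.related.hash.contains(v)) {
              ctx.related.hash.add(v);
            }
          }
        }
```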
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml
new file mode 100644
index 00000000000..551a2502c4a
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml
@@ -0,0 +1,113 @@
+---
+description: Pipeline for processing Network Traffic object.
+# Network Traffic object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/network_traffic
+processors:
+ - convert:
+ field: ocsf.traffic.bytes_in
+ tag: convert_traffic_bytes_in_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.traffic.bytes_in
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.bytes
+ tag: set_destination_bytes
+ copy_from: ocsf.traffic.bytes_in
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.traffic.bytes_out
+ tag: convert_traffic_bytes_out_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.traffic.bytes_out
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.bytes
+ tag: set_source_bytes
+ copy_from: ocsf.traffic.bytes_out
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.traffic.packets_in
+ tag: convert_traffic_packets_in_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.traffic.packets_in
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.packets
+ tag: set_destination_packets
+ copy_from: ocsf.traffic.packets_in
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.traffic.packets_out
+ tag: convert_traffic_packets_out_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.traffic.packets_out
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.packets
+ tag: set_source_packets
+ copy_from: ocsf.traffic.packets_out
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.traffic.bytes
+ tag: convert_traffic_bytes_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.traffic.bytes
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: network.bytes
+ tag: set_network_bytes
+ copy_from: ocsf.traffic.bytes
+ ignore_empty_value: true
+ - convert:
+ field: ocsf.traffic.packets
+ tag: convert_traffic_packets_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.traffic.packets
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: network.packets
+ tag: set_network_packets
+ copy_from: ocsf.traffic.packets
+ ignore_empty_value: true
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml
new file mode 100644
index 00000000000..de5fdd2219e
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml
@@ -0,0 +1,96 @@
+---
+description: Pipeline for processing User object.
+# User object docs: https://schema.ocsf.io/1.0.0-rc.3/objects/user
+processors:
+ - set:
+ field: user.target.domain
+ tag: set_user_target_domain
+ copy_from: ocsf.user.domain
+ ignore_empty_value: true
+ - set:
+ field: user.target.email
+ tag: set_user_target_email
+ copy_from: ocsf.user.email_addr
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_user_email_addr_into_related_user
+ value: '{{{ocsf.user.email_addr}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user?.email_addr != null
+ - set:
+ field: user.target.full_name
+ tag: set_user_target_full_name
+ copy_from: ocsf.user.full_name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_user_full_name_into_related_user
+ value: '{{{ocsf.user.full_name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user?.full_name != null
+ - foreach:
+ field: ocsf.user.groups
+ if: ctx.ocsf?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: user.target.group.id
+ tag: append_user_target_group_id
+ value: '{{{_ingest._value.uid}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.user.groups
+ if: ctx.ocsf?.user?.groups instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: user.target.group.name
+ tag: append_user_target_group_name
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - set:
+ field: user.target.id
+ tag: set_user_target_id
+ copy_from: ocsf.user.uid
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_user_uid_into_related_user
+ value: '{{{ocsf.user.uid}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user?.uid != null
+ - set:
+ field: user.target.name
+ tag: set_user_target_name
+ copy_from: ocsf.user.name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_user_name_into_related_user
+ value: '{{{ocsf.user.name}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user?.name != null
+ - convert:
+ field: ocsf.user.account.type_id
+ tag: convert_user_account_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: ocsf.user.type_id
+ tag: convert_user_type_id_to_string
+ type: string
+ ignore_missing: true
+ - append:
+ field: related.user
+ tag: append_user_uid_alt_into_related_user
+ value: '{{{ocsf.user.uid_alt}}}'
+ allow_duplicates: false
+ if: ctx.ocsf?.user?.uid_alt != null
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml
new file mode 100644
index 00000000000..c034c1b6dbb
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: amazon_security_lake
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: amazon_security_lake.event
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/beats.yml b/packages/amazon_security_lake/data_stream/event/fields/beats.yml
new file mode 100644
index 00000000000..b3701b581cf
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/beats.yml
@@ -0,0 +1,9 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
+- name: tags
+ type: keyword
+ description: User defined tags.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/ecs.yml b/packages/amazon_security_lake/data_stream/event/fields/ecs.yml
new file mode 100644
index 00000000000..0e00918bb29
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/ecs.yml
@@ -0,0 +1,24 @@
+- name: process.group.id
+ type: keyword
+- name: process.group.name
+ type: keyword
+- name: process.parent.user.domain
+ type: keyword
+- name: process.parent.user.email
+ type: keyword
+- name: process.parent.user.full_name
+ type: keyword
+- name: process.parent.user.group.id
+ type: keyword
+- name: process.parent.user.group.name
+ type: keyword
+- name: process.user.domain
+ type: keyword
+- name: process.user.email
+ type: keyword
+- name: process.user.full_name
+ type: keyword
+- name: process.user.group.id
+ type: keyword
+- name: process.user.group.name
+ type: keyword
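Review bot: None of the twelve fields in this hunk carries a description, while the base-fields.yml and beats.yml hunks in the same commit document every field they declare. These process.user.*, process.parent.user.* and process.group.* mappings are written out as plain keyword rather than imported with `external: ecs`, which suggests they are not covered by the ECS field reuse for process (hedged: I cannot confirm the package's ECS version from this hunk), so a reader has no way to tell why they are hand-mapped here. Consider a header comment such as `# user/group sub-fields populated under process.* by the ingest pipeline that are not provided by the ECS reuse set, so they are mapped explicitly.` plus a one-line `description:` per field, e.g. `description: Email address of the user that started the process.` for process.user.email. Which pipeline processors populate these fields is outside this hunk, so check the pipeline before wording the comment.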
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
new file mode 100644
index 00000000000..466c3649b26
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
@@ -0,0 +1,6700 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: activity_id
+ type: keyword
+ description: The normalized identifier of the activity that triggered the event.
+ - name: activity_name
+ type: keyword
+ description: The event activity name, as defined by the activity_id.
+ - name: actor
+ type: group
+ fields:
+ - name: authorizations
+ type: group
+ fields:
+ - name: decision
+ type: keyword
+ description: Authorization Result/outcome, e.g. allowed, denied.
+ - name: policy
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: 'The policy name. For example: IAM Policy.'
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
+ - name: idp
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the identity provider.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the identity provider.
+ - name: invoked_by
+ type: keyword
+ description: The name of the service that invoked the activity as described in the event.
+ - name: process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: analytic
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The analytic category.
+ - name: desc
+ type: keyword
+ description: The description of the analytic that generated the finding.
+ - name: name
+ type: keyword
+ description: The name of the analytic that generated the finding.
+ - name: related_analytics
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The analytic category.
+ - name: desc
+ type: keyword
+ description: The description of the analytic that generated the finding.
+ - name: name
+ type: keyword
+ description: The name of the analytic that generated the finding.
+ - name: related_analytics
+ type: flattened
+ - name: type
+ type: keyword
+ description: The analytic type.
+ - name: type_id
+ type: keyword
+ description: The analytic type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the analytic that generated the finding.
+ - name: version
+ type: keyword
+ description: 'The analytic version. For example: 1.1.'
+ - name: type
+ type: keyword
+ description: The analytic type.
+ - name: type_id
+ type: keyword
+ description: The analytic type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the analytic that generated the finding.
+ - name: version
+ type: keyword
+ description: 'The analytic version. For example: 1.1.'
+ - name: answers
+ type: group
+ fields:
+ - name: class
+ type: keyword
+ description: 'The class of DNS data contained in this resource record. See RFC1035. For example: IN.'
+ - name: flag_ids
+ type: keyword
+ description: The list of DNS answer header flag IDs.
+ - name: flags
+ type: keyword
+ description: The list of DNS answer header flags.
+ - name: packet_uid
+ type: keyword
+ description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+ - name: rdata
+ type: keyword
+ description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.
+ - name: ttl
+ type: long
+ description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.
+ - name: type
+ type: keyword
+ description: 'The type of data contained in this resource record. See RFC1035. For example: CNAME.'
+ - name: api
+ type: group
+ fields:
+ - name: operation
+ type: keyword
+ description: Verb/Operation associated with the request.
+ - name: request
+ type: group
+ fields:
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
+ - name: uid
+ type: keyword
+ description: The unique request identifier.
+ - name: response
+ type: group
+ fields:
+ - name: code
+ type: long
+ description: The numeric response sent to a request.
+ - name: error
+ type: keyword
+ description: Error Code.
+ - name: error_message
+ type: keyword
+ description: Error Message.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
+ - name: message
+ type: keyword
+ description: The description of the event, as defined by the event source.
+ - name: service
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated with the service.
+ - name: name
+ type: keyword
+ description: The name of the service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the service.
+ - name: version
+ type: keyword
+ description: The version of the service.
+ - name: version
+ type: keyword
+ description: The version of the API service.
+ - name: app_name
+ type: keyword
+ description: The name of the application that is associated with the event or object.
+ - name: attacks
+ type: group
+ fields:
+ - name: tactics
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM.
+ - name: uid
+ type: keyword
+ description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM.
+ - name: technique
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.'
+ - name: uid
+ type: keyword
+ description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.'
+ - name: version
+ type: keyword
+ description: The ATT&CK Matrix version.
+ - name: auth_protocol
+ type: keyword
+ description: The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source.
+ - name: auth_protocol_id
+ type: keyword
+ description: The normalized identifier of the authentication protocol used to create the user session.
+ - name: category_name
+ type: keyword
+ description: 'The event category name, as defined by category_uid value: Identity & Access Management.'
+ - name: category_uid
+ type: keyword
+ description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: cis_csc
+ type: group
+ fields:
+ - name: control
+ type: keyword
+ description: The CIS critical security control.
+ - name: version
+ type: keyword
+ description: The CIS critical security control version.
+ - name: class_name
+ type: keyword
+ description: 'The event class name, as defined by class_uid value: Security Finding.'
+ - name: class_uid
+ type: keyword
+ description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
+ - name: cloud
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: project_uid
+ type: keyword
+ description: The unique identifier of a Cloud project.
+ - name: provider
+ type: keyword
+ description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc.
+ - name: region
+ type: keyword
+ description: The name of the cloud region, as defined by the cloud provider.
+ - name: zone
+ type: keyword
+ description: The availability zone in the cloud region, as defined by the cloud provider.
+ - name: compliance
+ type: group
+ fields:
+ - name: status_detail
+ type: keyword
+ description: The status details contains additional information about the event outcome.
+ - name: requirements
+ type: keyword
+ description: A list of applicable compliance requirements for which this finding is related to.
+ - name: status
+ type: keyword
+ description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidence
+ type: keyword
+ description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidence_id
+ type: keyword
+ description: The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.
+ - name: confidence_score
+ type: long
+ description: The confidence score as reported by the event source.
+ - name: connection_info
+ type: group
+ fields:
+ - name: boundary
+ type: keyword
+ description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
+ - name: boundary_id
+ type: keyword
+ description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
+ - name: direction
+ type: keyword
+ description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.
+ - name: direction_id
+ type: keyword
+ description: The normalized identifier of the direction of the initiated connection, traffic, or email.
+ - name: protocol_name
+ type: keyword
+ description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.'
+ - name: protocol_num
+ type: keyword
+ description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.'
+ - name: protocol_ver
+ type: keyword
+ description: The Internet Protocol version.
+ - name: protocol_ver_id
+ type: keyword
+ description: The Internet Protocol version identifier.
+ - name: tcp_flags
+ type: long
+ description: The network connection TCP header flags (i.e., control bits).
+ - name: uid
+ type: keyword
+ description: The unique identifier of the connection.
+ - name: count
+ type: long
+ description: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
+ - name: data_sources
+ type: keyword
+ description: The data sources for the finding.
+ - name: device
+ type: group
+ fields:
+ - name: autoscale_uid
+ type: keyword
+ description: The unique identifier of the cloud autoscale configuration.
+ - name: created_time
+ type: date
+ description: The time when the device was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: TThe time when the device was known to have been created.
+ - name: desc
+ type: keyword
+ description: The description of the device, ordinarily as reported by the operating system.
+ - name: domain
+ type: keyword
+ description: 'The network domain where the device resides. For example: work.example.com.'
+ - name: first_seen_time
+ type: date
+ description: The initial discovery time of the device.
+ - name: first_seen_time_dt
+ type: date
+ description: The initial discovery time of the device.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: hostname
+ type: keyword
+ description: The devicename.
+ - name: hw_info
+ type: group
+ fields:
+ - name: bios_date
+ type: keyword
+ description: 'The BIOS date. For example: 03/31/16.'
+ - name: bios_manufacturer
+ type: keyword
+ description: 'The BIOS manufacturer. For example: LENOVO.'
+ - name: bios_ver
+ type: keyword
+ description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
+ - name: chassis
+ type: keyword
+ description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
+ - name: cpu_bits
+ type: long
+ description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
+ - name: cpu_cores
+ type: long
+ description: 'The number of processor cores in all installed processors. For Example: 42.'
+ - name: cpu_count
+ type: long
+ description: 'The number of physical processors on a system. For example: 1.'
+ - name: cpu_speed
+ type: long
+ description: 'The speed of the processor in Mhz. For Example: 4200.'
+ - name: cpu_type
+ type: keyword
+ description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
+ - name: desktop_display
+ type: group
+ fields:
+ - name: color_depth
+ type: long
+ description: The numeric color depth.
+ - name: physical_height
+ type: long
+ description: The numeric physical height of display.
+ - name: physical_orientation
+ type: long
+ description: The numeric physical orientation of display.
+ - name: physical_width
+ type: long
+ description: The numeric physical width of display.
+ - name: scale_factor
+ type: long
+ description: The numeric scale factor of display.
+ - name: keyboard_info
+ type: group
+ fields:
+ - name: function_keys
+ type: long
+ description: The number of function keys on client keyboard.
+ - name: ime
+ type: keyword
+ description: The Input Method Editor (IME) file name.
+ - name: keyboard_layout
+ type: keyword
+ description: The keyboard locale identifier name (e.g., en-US).
+ - name: keyboard_subtype
+ type: long
+ description: The keyboard numeric code.
+ - name: keyboard_type
+ type: keyword
+ description: The keyboard type (e.g., xt, ico).
+ - name: ram_size
+ type: long
+ description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
+ - name: serial_number
+ type: keyword
+ description: The device manufacturer serial number.
+ - name: hypervisor
+ type: keyword
+ description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: imei
+ type: keyword
+ description: The International Mobile Station Equipment Identifier that is associated with the device.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: ip
+ type: ip
+ description: The device IP address, in either IPv4 or IPv6 format.
+ - name: is_compliant
+ type: boolean
+ description: The event occurred on a compliant device.
+ - name: is_managed
+ type: boolean
+ description: The event occurred on a managed device.
+ - name: is_personal
+ type: boolean
+ description: The event occurred on a personal device.
+ - name: is_trusted
+ type: boolean
+ description: The event occurred on a trusted device.
+ - name: last_seen_time
+ type: date
+ description: The most recent discovery time of the device.
+ - name: last_seen_time_dt
+ type: date
+ description: The most recent discovery time of the device.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The device Media Access Control (MAC) address.
+ - name: modified_time
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: name
+ type: keyword
+ description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: network_interfaces
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The hostname associated with the network interface.
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: disposition
+ type: keyword
+ description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.
+ - name: disposition_id
+ type: keyword
+ description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product.
+ - name: dst_endpoint
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: duration
+ type: long
+ description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
+ - name: end_time
+ type: date
+ description: The end time of a time period, or the time of the most recent event included in the aggregate event.
+ - name: end_time_dt
+ type: date
+ description: The end time of a time period, or the time of the most recent event included in the aggregate event.
+ - name: enrichments
+ type: group
+ fields:
+ - name: data
+ type: flattened
+ description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.
+ - name: name
+ type: keyword
+ description: The name of the attribute to which the enriched data pertains.
+ - name: provider
+ type: keyword
+ description: The enrichment data provider name.
+ - name: type
+ type: keyword
+ description: The enrichment type. For example, location.
+ - name: value
+ type: keyword
+ description: The value of the attribute to which the enriched data pertains.
+ - name: evidence
+ type: flattened
+ description: The data the finding exposes to the analyst.
+ - name: finding
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the finding was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the finding was created.
+ - name: desc
+ type: keyword
+ description: The description of the reported finding.
+ - name: first_seen_time
+ type: date
+ description: The time when the finding was first observed.
+ - name: first_seen_time_dt
+ type: date
+ description: The time when the finding was first observed.
+ - name: last_seen_time
+ type: date
+ description: The time when the finding was most recently observed.
+ - name: last_seen_time_dt
+ type: date
+ description: The time when the finding was most recently observed.
+ - name: modified_time
+ type: date
+ description: The time when the finding was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the finding was last modified.
+ - name: product_uid
+ type: keyword
+ description: The unique identifier of the product that reported the finding.
+ - name: related_events
+ type: group
+ fields:
+ - name: product_uid
+ type: keyword
+ description: The unique identifier of the product that reported the related event.
+ - name: type
+ type: keyword
+ description: 'The type of the related event. For example: Process Activity: Launch.'
+ - name: type_uid
+ type: keyword
+ description: 'The unique identifier of the related event type. For example: 100701.'
+ - name: uid
+ type: keyword
+ description: The unique identifier of the related event.
+ - name: remediation
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The description of the remediation strategy.
+ - name: kb_articles
+ type: keyword
+ description: The KB article/s related to the entity.
+ - name: src_url
+ type: keyword
+ description: The URL pointing to the source of the finding.
+ - name: supporting_data
+ type: flattened
+ description: Additional data supporting a finding as provided by security tool.
+ - name: title
+ type: keyword
+ description: The title of the reported finding.
+ - name: types
+ type: keyword
+ description: One or more types of the reported finding.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the reported finding.
+ - name: http_request
+ type: group
+ fields:
+ - name: args
+ type: keyword
+ description: The arguments sent along with the HTTP request.
+ - name: http_headers
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the header.
+ - name: value
+ type: keyword
+ description: The value of the header.
+ - name: http_method
+ type: keyword
+ description: The HTTP request method indicates the desired action to be performed for a given resource.
+ - name: referrer
+ type: keyword
+ description: The request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the http request.
+ - name: url
+ type: group
+ fields:
+ - name: categories
+ type: keyword
+ description: The Website categorization names, as defined by category_ids enum values.
+ - name: category_ids
+ type: keyword
+ description: The Website categorization identifies.
+ - name: hostname
+ type: keyword
+ description: The URL host as extracted from the URL. For example, www.example.com from www.example.com/download/trouble.
+ - name: path
+ type: keyword
+ description: The URL path as extracted from the URL. For example, /download/trouble from www.example.com/download/trouble.
+ - name: port
+ type: long
+ description: The URL port. For example, 80.
+ - name: query_string
+ type: keyword
+ description: The query portion of the URL. For example, the query portion of the URL http://www.example.com/search?q=bad&sort=date is q=bad&sort=date.
+ - name: resource_type
+ type: keyword
+ description: The context in which a resource was retrieved in a web request.
+ - name: scheme
+ type: keyword
+ description: The scheme portion of the URL. For example, http, https, ftp, or sftp.
+ - name: subdomain
+ type: keyword
+ description: The subdomain portion of the URL. For example, sub in https://sub.example.com or sub2.sub1 in https://sub2.sub1.example.com.
+ - name: url_string
+ type: keyword
+ description: The URL string. See RFC 1738. For example, http://www.example.com/download/trouble.exe.
+ - name: user_agent
+ type: keyword
+ description: The request header that identifies the operating system and web browser.
+ - name: version
+ type: keyword
+ description: The Hypertext Transfer Protocol (HTTP) version.
+ - name: x_forwarded_for
+ type: ip
+ description: The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.
+ - name: impact
+ type: keyword
+ description: The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.
+ - name: impact_id
+ type: keyword
+ description: The normalized impact of the finding.
+ - name: impact_score
+ type: long
+ description: The impact of the finding, valid range 0-100.
+ - name: is_cleartext
+ type: boolean
+ description: 'Indicates whether the credentials were passed in clear text.Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user''s logon password was passed to the authentication package in clear text.'
+ - name: is_mfa
+ type: boolean
+ description: Indicates whether Multi Factor Authentication was used during authentication.
+ - name: is_new_logon
+ type: boolean
+ description: Indicates logon is from a device not seen before or a first time account logon.
+ - name: is_remote
+ type: boolean
+ description: The attempted authentication is over a remote connection.
+ - name: kill_chain
+ type: group
+ fields:
+ - name: phase
+ type: keyword
+ description: The cyber kill chain phase.
+ - name: phase_id
+ type: keyword
+ description: The cyber kill chain phase identifier.
+ - name: logon_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.'
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.'
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.'
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.'
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: logon_type
+ type: keyword
+ description: The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.
+ - name: logon_type_id
+ type: keyword
+ description: The normalized logon type identifier
+ - name: malware
+ type: group
+ fields:
+ - name: classification_ids
+ type: keyword
+ description: The list of normalized identifiers of the malware classifications.
+ - name: classifications
+ type: keyword
+ description: The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.
+ - name: cves
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: created_time_dt
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: cvss
+ type: group
+ fields:
+ - name: base_score
+ type: double
+ description: The CVSS base score.
+ - name: depth
+ type: keyword
+ description: The CVSS depth represents a depth of the equation used to calculate CVSS score.
+ - name: metrics
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the metric.
+ - name: value
+ type: keyword
+ description: The value of the metric.
+ - name: overall_score
+ type: double
+ description: The CVSS overall score, impacted by base, temporal, and environmental metrics.
+ - name: severity
+ type: keyword
+ description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.
+ - name: vector_string
+ type: keyword
+ description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.'
+ - name: version
+ type: keyword
+ description: The CVSS version.
+ - name: cwe_uid
+ type: keyword
+ description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
+ - name: cwe_url
+ type: keyword
+ description: Common Weakness Enumeration (CWE) definition URL.
+ - name: modified_time
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: modified_time_dt
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: type
+ type: keyword
+ description: The vulnerability type as selected from a large dropdown menu during CVE refinement.
+ - name: uid
+ type: keyword
+ description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.'
+ - name: name
+ type: keyword
+ description: The malware name, as reported by the detection engine.
+ - name: path
+ type: keyword
+ description: The filesystem path of the malware that was observed.
+ - name: provider
+ type: keyword
+ description: The provider of the malware information.
+ - name: uid
+ type: keyword
+ description: The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id.
+ - name: message
+ type: keyword
+ description: The description of the event, as defined by the event source.
+ - name: metadata
+ type: group
+ fields:
+ - name: correlation_uid
+ type: keyword
+ description: The unique identifier used to correlate events.
+ - name: event_code
+ type: keyword
+ description: The Event ID or Code that the product uses to describe the event.
+ - name: extension
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: labels
+ type: keyword
+ description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: log_name
+ type: keyword
+ description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
+ - name: log_provider
+ type: keyword
+ description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
+ - name: log_version
+ type: keyword
+ description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
+ - name: logged_time
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: logged_time_dt
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: modified_time
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: modified_time_dt
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: original_time
+ type: keyword
+ description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
+ - name: processed_time
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: processed_time_dt
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: profiles
+ type: keyword
+ description: The list of profiles used to create the event.
+ - name: sequence
+ type: long
+ description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
+ - name: uid
+ type: keyword
+ description: The logging system-assigned unique identifier of an event instance.
+ - name: version
+ type: keyword
+ description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
+ - name: nist
+ type: keyword
+ description: The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.
+ - name: observables
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name.'
+ - name: reputation
+ type: group
+ fields:
+ - name: base_score
+ type: double
+ description: The reputation score as reported by the event source.
+ - name: provider
+ type: keyword
+ description: The provider of the reputation information.
+ - name: score
+ type: keyword
+ description: The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.
+ - name: score_id
+ type: keyword
+ description: The normalized reputation score identifier.
+ - name: type
+ type: keyword
+ description: The observable value type name.
+ - name: type_id
+ type: keyword
+ description: The observable value type identifier.
+ - name: value
+ type: keyword
+ description: The value associated with the observable attribute.
+ - name: process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.'
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.'
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.'
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.'
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The short name of the endpoint.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The name of the network interface (e.g. eth2).
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The short name of the endpoint.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The name of the network interface (e.g. eth2).
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: proxy
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: query
+ type: group
+ fields:
+ - name: class
+ type: keyword
+ description: 'The class of resource records being queried. See RFC1035. For example: IN.'
+ - name: hostname
+ type: keyword
+ description: 'The hostname or domain being queried. For example: www.example.com'
+ - name: opcode
+ type: keyword
+ description: The DNS opcode specifies the type of the query message.
+ - name: opcode_id
+ type: keyword
+ description: The DNS opcode ID specifies the normalized query message type.
+ - name: packet_uid
+ type: keyword
+ description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+ - name: type
+ type: keyword
+ description: 'The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.'
+ - name: query_time
+ type: date
+ description: The Domain Name System (DNS) query time.
+ - name: query_time_dt
+ type: date
+ description: The Domain Name System (DNS) query time.
+ - name: raw_data
+ type: flattened
+ description: The event data as received from the event source.
+ - name: raw_data_keyword
+ type: keyword
+ - name: rcode
+ type: keyword
+ description: The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.
+ - name: rcode_id
+ type: keyword
+ description: The normalized identifier of the DNS server response code.
+ - name: resources
+ type: group
+ fields:
+ - name: cloud_partition
+ type: keyword
+ description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).'
+ - name: criticality
+ type: keyword
+ description: The criticality of the resource as defined by the event source.
+ - name: data
+ type: flattened
+ description: Additional data describing the resource.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: labels
+ type: keyword
+ description: The list of labels/tags associated to a resource.
+ - name: name
+ type: keyword
+ description: The name of the resource.
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: region
+ type: keyword
+ description: The cloud region of the resource.
+ - name: type
+ type: keyword
+ description: The resource type as defined by the event source.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the resource.
+ - name: version
+ type: keyword
+ description: The version of the resource. For example 1.2.3.
+ - name: response_time
+ type: date
+ description: The Domain Name System (DNS) response time.
+ - name: response_time_dt
+ type: date
+ description: The Domain Name System (DNS) response time.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: service
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated with the service.
+ - name: name
+ type: keyword
+ description: The name of the service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the service.
+ - name: version
+ type: keyword
+ description: The version of the service.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: severity
+ type: keyword
+ description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.
+ - name: severity_id
+ type: long
+ description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.
+ - name: src_endpoint
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: start_time
+ type: date
+ description: The start time of a time period, or the time of the least recent event included in the aggregate event.
+ - name: start_time_dt
+ type: date
+ description: The start time of a time period, or the time of the least recent event included in the aggregate event.
+ - name: state
+ type: keyword
+ description: The normalized state of a security finding.
+ - name: state_id
+ type: keyword
+ description: The normalized state identifier of a security finding.
+ - name: status
+ type: keyword
+ description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ - name: status_code
+ type: keyword
+ description: The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
+ - name: status_detail
+ type: keyword
+ description: The status details contains additional information about the event outcome.
+ - name: status_id
+ type: keyword
+ description: The normalized identifier of the event status.
+ - name: time
+ type: date
+ description: The normalized event occurrence time.
+ - name: time_dt
+ type: date
+ description: The normalized event occurrence time.
+ - name: timezone_offset
+ type: long
+ description: The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
+ - name: tls
+ type: group
+ fields:
+ - name: alert
+ type: long
+ description: The integer value of TLS alert if present. The alerts are defined in the TLS specification in RFC-2246.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: certificate_chain
+ type: keyword
+ description: The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.
+ - name: cipher
+ type: keyword
+ description: The negotiated cipher suite.
+ - name: client_ciphers
+ type: keyword
+ description: The client cipher suites that were exchanged during the TLS handshake negotiation.
+ - name: extension_list
+ type: group
+ fields:
+ - name: data
+ type: flattened
+ description: The data contains information specific to the particular extension type.
+ - name: type
+ type: keyword
+ description: 'The TLS extension type. For example: Server Name.'
+ - name: type_id
+ type: keyword
+ description: The TLS extension type identifier. See The Transport Layer Security (TLS) extension page.
+ - name: handshake_dur
+ type: long
+ description: The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.
+ - name: ja3_hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: ja3s_hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: key_length
+ type: long
+ description: The length of the encryption key.
+ - name: sans
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: Name of SAN (e.g. The actual IP Address or domain.)
+ - name: type
+ type: keyword
+ description: Type descriptor of SAN (e.g. IP Address/domain/etc.)
+ - name: server_ciphers
+ type: keyword
+ description: The server cipher suites that were exchanged during the TLS handshake negotiation.
+ - name: sni
+ type: keyword
+ description: The Server Name Indication (SNI) extension sent by the client.
+ - name: version
+ type: keyword
+ description: The TLS protocol version.
+ - name: traffic
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ description: The total number of bytes (in and out).
+ - name: bytes_in
+ type: long
+ description: The number of bytes sent from the destination to the source.
+ - name: bytes_out
+ type: long
+ description: The number of bytes sent from the source to the destination.
+ - name: packets
+ type: long
+ description: The total number of packets (in and out).
+ - name: packets_in
+ type: long
+ description: The number of packets sent from the destination to the source.
+ - name: packets_out
+ type: long
+ description: The number of packets sent from the source to the destination.
+ - name: type_name
+ type: keyword
+ description: The event type name, as defined by the type_uid.
+ - name: type_uid
+ type: keyword
+ description: 'The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.'
+ - name: unmapped
+ type: flattened
+ description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: user_result
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vulnerabilities
+ type: group
+ fields:
+ - name: cve
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: created_time_dt
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: cvss
+ type: group
+ fields:
+ - name: base_score
+ type: double
+ description: 'The CVSS base score. For example: 9.1.'
+ - name: depth
+ type: keyword
+ description: The CVSS depth represents a depth of the equation used to calculate CVSS score.
+ - name: metrics
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the metric.
+ - name: value
+ type: keyword
+ description: The value of the metric.
+ - name: overall_score
+ type: double
+ description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.'
+ - name: severity
+ type: keyword
+ description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.
+ - name: vector_string
+ type: keyword
+ description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.'
+ - name: version
+ type: keyword
+ description: 'The CVSS version. For example: 3.1.'
+ - name: cwe_uid
+ type: keyword
+ description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
+ - name: cwe_url
+ type: keyword
+ description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.'
+ - name: modified_time
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: modified_time_dt
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: type
+ type: keyword
+ description: The vulnerability type as selected from a large dropdown menu during CVE refinement.
+ - name: uid
+ type: keyword
+ description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.'
+ - name: desc
+ type: keyword
+ description: The description of the vulnerability.
+ - name: fix_available
+ type: boolean
+ description: Indicates if a fix is available for the reported vulnerability.
+ - name: kb_articles
+ type: keyword
+ description: The KB article/s related to the entity.
+ - name: packages
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.
+ - name: epoch
+ type: long
+ description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.
+ - name: license
+ type: keyword
+ description: The software license applied to this package.
+ - name: name
+ type: keyword
+ description: The software package name.
+ - name: release
+ type: keyword
+ description: Release is the number of times a version of the software has been packaged.
+ - name: version
+ type: keyword
+ description: The software package version.
+ - name: references
+ type: keyword
+ description: Supporting reference URLs.
+ - name: related_vulnerabilities
+ type: keyword
+ description: List of vulnerabilities that are related to this vulnerability.
+ - name: severity
+ type: keyword
+ description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.
+ - name: title
+ type: keyword
+ description: The title of the vulnerability.
+ - name: vendor_name
+ type: keyword
+ description: The vendor who identified the vulnerability.
diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml
new file mode 100644
index 00000000000..ab3f0c7aa2b
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/manifest.yml
@@ -0,0 +1,240 @@
+title: Collect Amazon Security Lake Events
+type: logs
+streams:
+ - input: aws-s3
+ title: Amazon Security Lake Events
+ description: Collect Amazon Security Lake Events via AWS S3 input.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: collect_s3_logs
+ required: true
+ show_user: true
+ title: Collect logs via S3 Bucket
+ description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue.
+ type: bool
+ multi: false
+ default: false
+ - name: access_key_id
+ type: password
+ title: Access Key ID
+ multi: false
+ required: false
+ show_user: true
+ description: First part of access key.
+ - name: secret_access_key
+ type: password
+ title: Secret Access Key
+ multi: false
+ required: false
+ show_user: true
+ description: Second part of access key.
+ - name: session_token
+ type: text
+ title: Session Token
+ multi: false
+ required: false
+ show_user: true
+ description: Required when using temporary security credentials.
+ - name: decoding_batch_size
+ type: integer
+ title: Batch Size of Parquet Decoding
+ multi: false
+ required: false
+ show_user: false
+ default: 1
+ description: The batch_size attribute can be used to specify the number of records to read from the parquet stream at a time.
+ - name: decoding_process_parallel
+ required: false
+ show_user: false
+ title: Process Parellel of Parquet Decoding
+ type: bool
+ multi: false
+ default: false
+ description: If the process_parallel attribute is set to true then functions which read multiple columns will read those columns in parallel from the parquet stream with a number of readers equal to the number of columns.
+ - name: bucket_arn
+ type: text
+ title: "[S3] Bucket ARN"
+ multi: false
+ required: false
+ show_user: true
+ description: ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3 Bucket.
+ - name: bucket_list_prefix
+ type: text
+ title: "[S3] Bucket Prefix"
+ multi: false
+ required: false
+ show_user: true
+ description: Prefix to apply for the list request to the S3 bucket.
+ - name: interval
+ type: text
+ title: "[S3] Interval"
+ multi: false
+ required: false
+ show_user: true
+ default: 6m
+ description: Time interval for polling listing of the S3 bucket. It should be greater than 5m. Supported units are h/m/s.
+ - name: number_of_workers
+ type: integer
+ title: "[S3] Number of Workers"
+ multi: false
+ required: false
+ show_user: true
+ default: 5
+ description: Number of workers that will process the S3 objects listed. It is a required parameter for collecting logs via the AWS S3 Bucket.
+ - name: queue_url
+ type: text
+ title: "[SQS] Queue URL"
+ multi: false
+ required: false
+ show_user: true
+ description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS.
+ - name: visibility_timeout
+ type: text
+ title: "[SQS] Visibility Timeout"
+ multi: false
+ required: false
+ show_user: true
+ default: 300s
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.
+ - name: api_timeout
+ type: text
+ title: "[SQS] API Timeout"
+ multi: false
+ required: false
+ show_user: true
+ default: 120s
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.
+ - name: max_number_of_messages
+ type: integer
+ title: "[SQS] Maximum Concurrent SQS Messages"
+ required: false
+ show_user: true
+ default: 5
+ description: The maximum number of SQS messages that can be inflight at any time.
+ - name: file_selectors
+ type: yaml
+ title: "[SQS] File Selectors"
+ multi: false
+ required: false
+ show_user: false
+ description: If the SQS queue will have events that correspond to files that this integration shouldn't process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
+ - name: region
+ type: text
+ title: "[SQS] Region"
+ multi: false
+ required: false
+ show_user: true
+ description: The name of the AWS region of the end point. If this option is given it takes precedence over the region name obtained from the queue_url value.
+ - name: fips_enabled
+ type: bool
+ title: Enable S3 FIPS
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: shared_credential_file
+ type: text
+ title: Shared Credential File
+ multi: false
+ required: false
+ show_user: false
+ description: Directory of the shared credentials file
+ - name: credential_profile_name
+ type: text
+ title: Credential Profile Name
+ multi: false
+ required: false
+ show_user: false
+ description: Profile name in shared credentials file.
+ - name: role_arn
+ type: text
+ title: Role ARN
+ multi: false
+ required: false
+ show_user: false
+ description: AWS IAM Role to assume.
+ - name: external_id
+ type: text
+ title: External ID
+ multi: false
+ required: false
+ show_user: false
+ description: External ID to use when assuming a role in another account.
+ - name: default_region
+ type: text
+ title: Default AWS Region
+ multi: false
+ required: false
+ show_user: false
+ default: ""
+ description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - amazon_security_lake-event
+ - name: preserve_original_event
+ required: false
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: false
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve ocsf fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
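Review bot: `session_token` is declared `type: text` while `access_key_id` and `secret_access_key` in the same vars list are `type: password`; the token is the third part of the same temporary credential set and leaks into policy views and exports unless masked the same way, so the var should read `type: password`. The `decoding_process_parallel` title has a typo, `title: Process Parallel of Parquet Decoding`. The `proxy_url` description ends in `http\[s\]://:@:` with the user, password, host and port placeholders lost, so it no longer tells the operator the expected form; spelling the placeholders out (e.g. `http[s]://<user>:<password>@<host>:<port>`) would fix that.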
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
new file mode 100644
index 00000000000..3f726ab2de1
--- /dev/null
+++ b/packages/amazon_security_lake/docs/README.md
@@ -0,0 +1,2068 @@
+# Amazon Security Lake
+
+This [Amazon Security Lake](https://aws.amazon.com/security-lake/) integration helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization. With Security Lake, you can also improve the protection of your workloads, applications, and data.
+
+Security Lake automates the collection of security-related log and event data from integrated AWS services and third-party services. It also helps you manage the lifecycle of data with customizable retention and replication settings. Security Lake converts ingested data into Apache Parquet format and a standard open-source schema called the Open Cybersecurity Schema Framework (OCSF). With OCSF support, Security Lake normalizes and combines security data from AWS and a broad range of enterprise security data sources.
+
+The Amazon Security Lake integration can be used in two different modes to collect data:
+- AWS S3 polling mode: Amazon Security Lake writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files.
+- AWS S3 SQS mode: Amazon Security Lake writes data to S3, S3 sends a notification of a new object to SQS, the Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple agents can be used in this mode.
+
+## Compatibility
+
+This module follows the latest OCSF Schema Version **v1.0.0-rc.3**.
+
+## Data streams
+
+The Amazon Security Lake integration collects logs for the below [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html) combined in a data stream named event:
+
+| Source | Class Name |
+|-------------------------------------|-----------------------------------------------------|
+| CloudTrail Lambda Data Events | API Activity |
+| CloudTrail Management Events | API Activity, Authentication, or Account Change |
+| CloudTrail S3 Data Events | API Activity |
+| Route 53 | DNS Activity |
+| Security Hub | Security Finding |
+| VPC Flow Logs | Network Activity |
+
+### **NOTE**:
+- The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html).
+
+## Requirements
+
+- Elastic Agent must be installed.
+- You can install only one Elastic Agent per host.
+- Elastic Agent is required to stream data from the S3 bucket and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Installing and managing an Elastic Agent:
+
+You have a few options for installing and managing an Elastic Agent:
+
+### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
+
+### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+The minimum **kibana.version** required is **8.11.0**.
+
+## Setup
+
+### To collect data from an AWS S3 bucket or AWS SQS, follow the below steps:
+
+1. To enable and start Amazon Security Lake, follow the steps mentioned here: `https://docs.aws.amazon.com/security-lake/latest/userguide/getting-started.html`.
+2. Above steps will create AWS S3 bucket and AWS SQS queue.
+3. Please follow below steps to create [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html#roles-creatingrole-user-console):
+ 1. Sign in to the AWS Management Console and open the [IAM console](https://console.aws.amazon.com/iam/).
+ 2. In the navigation panel, choose Roles and then click on Create role.
+ 3. Choose **AWS account** role type.
+ 
+ 4. To create a role user have two options,
+ - To create a role for your account, choose **This account**.
+ 
+ - To create a role for another account, choose **Another AWS account** and enter the Account ID to which you want to grant access to your resources.
+ 
+ 5. If you are granting permissions to users from an account that you don't control, and the users will assume this role programmatically, select **Require external ID**. The external ID can be any phrase or number that is agreed upon between you and the administrator of the third party account. Then Click Next.
+ 
+ 6. Select **AmazonS3FullAccess** and **AmazonSQSFullAccess** from Permissions policies. Then Click Next.
+ 
+ 
+ 7. For Role name, enter a name for your role. Role name must be unique within your AWS account.
+ 8. Preview the role and then choose Create role.
+
+### Enabling the integration in Elastic:
+
+1. In Kibana go to Management > Integrations.
+2. In "Search for integrations" search bar, type Amazon Security Lake.
+3. Click on the "Amazon Security Lake" integration from the search results.
+4. Click on the Add Amazon Security Lake Integration button to add the integration.
+5. By default collect logs via S3 Bucket toggle will be off and collect logs for AWS SQS.
+6. While adding the integration, if you want to collect logs via AWS SQS, then you have to put the following details:
+ - queue url
+ - collect logs via S3 Bucket toggled off
+ - Shared Credential File Path and Credential Profile Name / Access Key Id and Secret Access Key
+
+ or if you want to collect logs via AWS S3, then you have to put the following details:
+ - bucket arn
+ - collect logs via S3 Bucket toggled on
+ - Shared Credential File Path and Credential Profile Name / Access Key Id and Secret Access Key
+7. If user wants to access security lake by Assuming Role then add Role ARN or if user want to access resources of another account using Role ARN then add Role ARN and external ID.
+
+**NOTE**: There are other input combination options available, please check [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html).
+
+## Logs reference
+
+### Event
+
+This is the `Event` dataset.
+
+#### Example
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| event.dataset | Event dataset. | constant_keyword |
+| event.module | Event module. | constant_keyword |
+| input.type | Type of filebeat input. | keyword |
+| log.offset | Log offset. | long |
+| ocsf.activity_id | The normalized identifier of the activity that triggered the event. | keyword |
+| ocsf.activity_name | The event activity name, as defined by the activity_id. | keyword |
+| ocsf.actor.authorizations.decision | Authorization Result/outcome, e.g. allowed, denied. | keyword |
+| ocsf.actor.authorizations.policy.desc | The description of the policy. | keyword |
+| ocsf.actor.authorizations.policy.group.desc | The group description. | keyword |
+| ocsf.actor.authorizations.policy.group.name | The group name. | keyword |
+| ocsf.actor.authorizations.policy.group.privileges | The group privileges. | keyword |
+| ocsf.actor.authorizations.policy.group.type | The type of the group or account. | keyword |
+| ocsf.actor.authorizations.policy.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.authorizations.policy.name | The policy name. For example: IAM Policy. | keyword |
+| ocsf.actor.authorizations.policy.uid | A unique identifier of the policy instance. | keyword |
+| ocsf.actor.authorizations.policy.version | The policy version number. | keyword |
+| ocsf.actor.idp.name | The name of the identity provider. | keyword |
+| ocsf.actor.idp.uid | The unique identifier of the identity provider. | keyword |
+| ocsf.actor.invoked_by | The name of the service that invoked the activity as described in the event. | keyword |
+| ocsf.actor.process.auid | The audit user assigned at login by the audit subsystem. | keyword |
+| ocsf.actor.process.cmd_line | The full command line used to launch an application, service, process, or job. | keyword |
+| ocsf.actor.process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.container.hash.value | The digital fingerprint value. | keyword |
+| ocsf.actor.process.container.image.labels | The image labels. | keyword |
+| ocsf.actor.process.container.image.name | The image name. | keyword |
+| ocsf.actor.process.container.image.path | The full path to the image file. | keyword |
+| ocsf.actor.process.container.image.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.actor.process.container.image.uid | The unique image ID. | keyword |
+| ocsf.actor.process.container.name | The container name. | keyword |
+| ocsf.actor.process.container.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.actor.process.container.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.actor.process.container.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.actor.process.container.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.actor.process.container.size | The size of the container image. | long |
+| ocsf.actor.process.container.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.actor.process.container.uid | The full container unique identifier for this instantiation of the container. | keyword |
+| ocsf.actor.process.created_time | The time when the process was created/started. | date |
+| ocsf.actor.process.created_time_dt | The time when the process was created/started. | date |
+| ocsf.actor.process.egid | The effective group under which this process is running. | keyword |
+| ocsf.actor.process.euid | The effective user under which this process is running. | keyword |
+| ocsf.actor.process.file.accessed_time | The time when the file was last accessed. | date |
+| ocsf.actor.process.file.accessed_time_dt | The time when the file was last accessed. | date |
+| ocsf.actor.process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.file.accessor.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.file.accessor.email_addr | The user's email address. | keyword |
+| ocsf.actor.process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.process.file.accessor.groups.desc | The group description. | keyword |
+| ocsf.actor.process.file.accessor.groups.name | The group name. | keyword |
+| ocsf.actor.process.file.accessor.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.file.accessor.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.file.accessor.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.file.accessor.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.file.attributes | The Bitmask value that represents the file attributes. | long |
+| ocsf.actor.process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword |
+| ocsf.actor.process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword |
+| ocsf.actor.process.file.created_time | The time when the file was created. | date |
+| ocsf.actor.process.file.created_time_dt | The time when the file was created. | date |
+| ocsf.actor.process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.file.creator.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.file.creator.email_addr | The user's email address. | keyword |
+| ocsf.actor.process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.process.file.creator.groups.desc | The group description. | keyword |
+| ocsf.actor.process.file.creator.groups.name | The group name. | keyword |
+| ocsf.actor.process.file.creator.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.file.creator.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.file.creator.name | The name of the city. | keyword |
+| ocsf.actor.process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.file.creator.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword |
+| ocsf.actor.process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.file.hashes.value | The digital fingerprint value. | keyword |
+| ocsf.actor.process.file.is_system | The indication of whether the object is part of the operating system. | boolean |
+| ocsf.actor.process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
+| ocsf.actor.process.file.modified_time | The time when the file was last modified. | date |
+| ocsf.actor.process.file.modified_time_dt | The time when the file was last modified. | date |
+| ocsf.actor.process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.file.modifier.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.file.modifier.email_addr | The image name. For example: elixir. | keyword |
+| ocsf.actor.process.file.modifier.full_name | The user's email address. | keyword |
+| ocsf.actor.process.file.modifier.groups.desc | The group description. | keyword |
+| ocsf.actor.process.file.modifier.groups.name | The group name. | keyword |
+| ocsf.actor.process.file.modifier.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.file.modifier.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.file.modifier.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.file.modifier.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.file.name | The name of the file. For example: svchost.exe. | keyword |
+| ocsf.actor.process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.file.owner.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.file.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.file.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.file.owner.email_addr | The user's email address. | keyword |
+| ocsf.actor.process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.process.file.owner.groups.desc | The group description. | keyword |
+| ocsf.actor.process.file.owner.groups.name | The group name. | keyword |
+| ocsf.actor.process.file.owner.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.file.owner.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.file.owner.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.file.owner.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
+| ocsf.actor.process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
+| ocsf.actor.process.file.product.feature.name | The name of the feature. | keyword |
+| ocsf.actor.process.file.product.feature.uid | The unique identifier of the feature. | keyword |
+| ocsf.actor.process.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.actor.process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
+| ocsf.actor.process.file.product.name | The name of the feature. | keyword |
+| ocsf.actor.process.file.product.path | The installation path of the product. | keyword |
+| ocsf.actor.process.file.product.uid | The unique identifier of the feature. | keyword |
+| ocsf.actor.process.file.product.vendor_name | The name of the vendor of the product. | keyword |
+| ocsf.actor.process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.actor.process.file.security_descriptor | The object security descriptor. | keyword |
+| ocsf.actor.process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword |
+| ocsf.actor.process.file.signature.certificate.created_time | The time when the certificate was created. | date |
+| ocsf.actor.process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date |
+| ocsf.actor.process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date |
+| ocsf.actor.process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date |
+| ocsf.actor.process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.file.signature.certificate.fingerprints.value | The digital fingerprint value. | keyword |
+| ocsf.actor.process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
+| ocsf.actor.process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
+| ocsf.actor.process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.actor.process.file.signature.certificate.version | The certificate version. | keyword |
+| ocsf.actor.process.file.signature.created_time | The time when the digital signature was created. | date |
+| ocsf.actor.process.file.signature.created_time_dt | The time when the digital signature was created. | date |
+| ocsf.actor.process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword |
+| ocsf.actor.process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.file.signature.digest.value | The digital fingerprint value. | keyword |
+| ocsf.actor.process.file.size | The size of data, in bytes. | long |
+| ocsf.actor.process.file.type | The file type. | keyword |
+| ocsf.actor.process.file.type_id | The file type ID. | keyword |
+| ocsf.actor.process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword |
+| ocsf.actor.process.file.version | The file version. For example: 8.0.7601.17514. | keyword |
+| ocsf.actor.process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
+| ocsf.actor.process.group.desc | The group description. | keyword |
+| ocsf.actor.process.group.name | The group name. | keyword |
+| ocsf.actor.process.group.privileges | The group privileges. | keyword |
+| ocsf.actor.process.group.type | The type of the group or account. | keyword |
+| ocsf.actor.process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword |
+| ocsf.actor.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword |
+| ocsf.actor.process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword |
+| ocsf.actor.process.loaded_modules | The list of loaded module names. | keyword |
+| ocsf.actor.process.name | The friendly name of the process, for example: Notepad++. | keyword |
+| ocsf.actor.process.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long |
+| ocsf.actor.process.parent_process.auid | The audit user assigned at login by the audit subsystem. | keyword |
+| ocsf.actor.process.parent_process.cmd_line | The full command line used to launch an application, service, process, or job. | keyword |
+| ocsf.actor.process.parent_process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.parent_process.container.hash.value | The digital fingerprint value. | keyword |
+| ocsf.actor.process.parent_process.container.image.labels | The image labels. | keyword |
+| ocsf.actor.process.parent_process.container.image.name | The image name. | keyword |
+| ocsf.actor.process.parent_process.container.image.path | The full path to the image file. | keyword |
+| ocsf.actor.process.parent_process.container.image.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.actor.process.parent_process.container.image.uid | The unique image ID. | keyword |
+| ocsf.actor.process.parent_process.container.name | The container name. | keyword |
+| ocsf.actor.process.parent_process.container.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.actor.process.parent_process.container.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.actor.process.parent_process.container.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.actor.process.parent_process.container.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.actor.process.parent_process.container.size | The size of the container image. | long |
+| ocsf.actor.process.parent_process.container.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.actor.process.parent_process.container.uid | The full container unique identifier for this instantiation of the container. | keyword |
+| ocsf.actor.process.parent_process.created_time | The time when the process was created/started. | date |
+| ocsf.actor.process.parent_process.created_time_dt | The time when the process was created/started. | date |
+| ocsf.actor.process.parent_process.egid | The effective group under which this process is running. | keyword |
+| ocsf.actor.process.parent_process.euid | The effective user under which this process is running. | keyword |
+| ocsf.actor.process.parent_process.file.accessed_time | The time when the file was last accessed. | date |
+| ocsf.actor.process.parent_process.file.accessed_time_dt | The time when the file was last accessed. | date |
+| ocsf.actor.process.parent_process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.parent_process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.parent_process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.email_addr | The user's email address. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.process.parent_process.file.accessor.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.groups.name | The group name. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.parent_process.file.attributes | The Bitmask value that represents the file attributes. | long |
+| ocsf.actor.process.parent_process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword |
+| ocsf.actor.process.parent_process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword |
+| ocsf.actor.process.parent_process.file.created_time | The time when the file was created. | date |
+| ocsf.actor.process.parent_process.file.created_time_dt | The time when the file was created. | date |
+| ocsf.actor.process.parent_process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.parent_process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.file.creator.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.parent_process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.parent_process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.parent_process.file.creator.email_addr | The user's email address. | keyword |
+| ocsf.actor.process.parent_process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.process.parent_process.file.creator.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.file.creator.groups.name | The group name. | keyword |
+| ocsf.actor.process.parent_process.file.creator.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.parent_process.file.creator.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.parent_process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.parent_process.file.creator.name | The name of the city. | keyword |
+| ocsf.actor.process.parent_process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.parent_process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.parent_process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.parent_process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.parent_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.parent_process.file.creator.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.parent_process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.parent_process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword |
+| ocsf.actor.process.parent_process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.parent_process.file.hashes.value | The digital fingerprint value. | keyword |
+| ocsf.actor.process.parent_process.file.is_system | The indication of whether the object is part of the operating system. | boolean |
+| ocsf.actor.process.parent_process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
+| ocsf.actor.process.parent_process.file.modified_time | The time when the file was last modified. | date |
+| ocsf.actor.process.parent_process.file.modified_time_dt | The time when the file was last modified. | date |
+| ocsf.actor.process.parent_process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.parent_process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.parent_process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.email_addr | The image name. For example: elixir. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.full_name | The user's email address. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.groups.name | The group name. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.parent_process.file.name | The name of the file. For example: svchost.exe. | keyword |
+| ocsf.actor.process.parent_process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.parent_process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.file.owner.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.parent_process.file.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.parent_process.file.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.parent_process.file.owner.email_addr | The user's email address. | keyword |
+| ocsf.actor.process.parent_process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.process.parent_process.file.owner.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.file.owner.groups.name | The group name. | keyword |
+| ocsf.actor.process.parent_process.file.owner.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.parent_process.file.owner.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.parent_process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.parent_process.file.owner.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.process.parent_process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.parent_process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.parent_process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.parent_process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.parent_process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.parent_process.file.owner.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.parent_process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.parent_process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
+| ocsf.actor.process.parent_process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
+| ocsf.actor.process.parent_process.file.product.feature.name | The name of the feature. | keyword |
+| ocsf.actor.process.parent_process.file.product.feature.uid | The unique identifier of the feature. | keyword |
+| ocsf.actor.process.parent_process.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.actor.process.parent_process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
+| ocsf.actor.process.parent_process.file.product.name | The name of the feature. | keyword |
+| ocsf.actor.process.parent_process.file.product.path | The installation path of the product. | keyword |
+| ocsf.actor.process.parent_process.file.product.uid | The unique identifier of the feature. | keyword |
+| ocsf.actor.process.parent_process.file.product.vendor_name | The name of the vendor of the product. | keyword |
+| ocsf.actor.process.parent_process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.actor.process.parent_process.file.security_descriptor | The object security descriptor. | keyword |
+| ocsf.actor.process.parent_process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.created_time | The time when the certificate was created. | date |
+| ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date |
+| ocsf.actor.process.parent_process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date |
+| ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date |
+| ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value | The digital fingerprint value. | keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.version | The certificate version. | keyword |
+| ocsf.actor.process.parent_process.file.signature.created_time | The time when the digital signature was created. | date |
+| ocsf.actor.process.parent_process.file.signature.created_time_dt | The time when the digital signature was created. | date |
+| ocsf.actor.process.parent_process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword |
+| ocsf.actor.process.parent_process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.parent_process.file.signature.digest.value | The digital fingerprint value. | keyword |
+| ocsf.actor.process.parent_process.file.size | The size of data, in bytes. | long |
+| ocsf.actor.process.parent_process.file.type | The file type. | keyword |
+| ocsf.actor.process.parent_process.file.type_id | The file type ID. | keyword |
+| ocsf.actor.process.parent_process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword |
+| ocsf.actor.process.parent_process.file.version | The file version. For example: 8.0.7601.17514. | keyword |
+| ocsf.actor.process.parent_process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
+| ocsf.actor.process.parent_process.group.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.group.name | The group name. | keyword |
+| ocsf.actor.process.parent_process.group.privileges | The group privileges. | keyword |
+| ocsf.actor.process.parent_process.group.type | The type of the group or account. | keyword |
+| ocsf.actor.process.parent_process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.parent_process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword |
+| ocsf.actor.process.parent_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword |
+| ocsf.actor.process.parent_process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword |
+| ocsf.actor.process.parent_process.loaded_modules | The list of loaded module names. | keyword |
+| ocsf.actor.process.parent_process.name | The friendly name of the process, for example: Notepad++. | keyword |
+| ocsf.actor.process.parent_process.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long |
+| ocsf.actor.process.parent_process.parent_process | The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. | flattened |
+| ocsf.actor.process.parent_process.parent_process_keyword | | keyword |
+| ocsf.actor.process.parent_process.pid | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. | long |
+| ocsf.actor.process.parent_process.sandbox | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. | keyword |
+| ocsf.actor.process.parent_process.session.created_time | The time when the session was created. | date |
+| ocsf.actor.process.parent_process.session.created_time_dt | The time when the session was created. | date |
+| ocsf.actor.process.parent_process.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.parent_process.session.expiration_time | The session expiration time. | date |
+| ocsf.actor.process.parent_process.session.expiration_time_dt | The session expiration time. | date |
+| ocsf.actor.process.parent_process.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.actor.process.parent_process.session.issuer | The identifier of the session issuer. | keyword |
+| ocsf.actor.process.parent_process.session.mfa | | boolean |
+| ocsf.actor.process.parent_process.session.uid | The unique identifier of the session. | keyword |
+| ocsf.actor.process.parent_process.session.uuid | The universally unique identifier of the session. | keyword |
+| ocsf.actor.process.parent_process.terminated_time | The time when the process was terminated. | date |
+| ocsf.actor.process.parent_process.terminated_time_dt | The time when the process was terminated. | date |
+| ocsf.actor.process.parent_process.tid | The Identifier of the thread associated with the event, as returned by the operating system. | long |
+| ocsf.actor.process.parent_process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword |
+| ocsf.actor.process.parent_process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.parent_process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.parent_process.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.parent_process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.parent_process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.parent_process.user.email_addr | The user's email address. | keyword |
+| ocsf.actor.process.parent_process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.process.parent_process.user.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.user.groups.name | The group name. | keyword |
+| ocsf.actor.process.parent_process.user.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.parent_process.user.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.parent_process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.parent_process.user.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.process.parent_process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.parent_process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.parent_process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.parent_process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.parent_process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.parent_process.user.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.parent_process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.parent_process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
+| ocsf.actor.process.pid | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. | long |
+| ocsf.actor.process.sandbox | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. | keyword |
+| ocsf.actor.process.session.created_time | The time when the session was created. | date |
+| ocsf.actor.process.session.created_time_dt | The time when the session was created. | date |
+| ocsf.actor.process.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.session.expiration_time | The session expiration time. | date |
+| ocsf.actor.process.session.expiration_time_dt | The session expiration time. | date |
+| ocsf.actor.process.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.actor.process.session.issuer | The identifier of the session issuer. | keyword |
+| ocsf.actor.process.session.mfa | | boolean |
+| ocsf.actor.process.session.uid | The unique identifier of the session. | keyword |
+| ocsf.actor.process.session.uuid | The universally unique identifier of the session. | keyword |
+| ocsf.actor.process.terminated_time | The time when the process was terminated. | date |
+| ocsf.actor.process.terminated_time_dt | The time when the process was terminated. | date |
+| ocsf.actor.process.tid | The Identifier of the thread associated with the event, as returned by the operating system. | long |
+| ocsf.actor.process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword |
+| ocsf.actor.process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.process.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.process.user.email_addr | The user's email address. | keyword |
+| ocsf.actor.process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.process.user.groups.desc | The group description. | keyword |
+| ocsf.actor.process.user.groups.name | The group name. | keyword |
+| ocsf.actor.process.user.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.process.user.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.process.user.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.process.user.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
+| ocsf.actor.session.created_time | The time when the session was created. | date |
+| ocsf.actor.session.created_time_dt | The time when the session was created. | date |
+| ocsf.actor.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.session.expiration_time | The session expiration time. | date |
+| ocsf.actor.session.expiration_time_dt | The session expiration time. | date |
+| ocsf.actor.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.actor.session.issuer | The identifier of the session issuer. | keyword |
+| ocsf.actor.session.mfa | | boolean |
+| ocsf.actor.session.uid | The unique identifier of the session. | keyword |
+| ocsf.actor.session.uuid | The universally unique identifier of the session. | keyword |
+| ocsf.actor.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.user.email_addr | The user's email address. | keyword |
+| ocsf.actor.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.user.groups.desc | The group description. | keyword |
+| ocsf.actor.user.groups.name | The group name. | keyword |
+| ocsf.actor.user.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.user.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.user.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.user.type_id | The account type identifier. | keyword |
+| ocsf.actor.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.analytic.category | The analytic category. | keyword |
+| ocsf.analytic.desc | The description of the analytic that generated the finding. | keyword |
+| ocsf.analytic.name | The name of the analytic that generated the finding. | keyword |
+| ocsf.analytic.related_analytics.category | The analytic category. | keyword |
+| ocsf.analytic.related_analytics.desc | The description of the analytic that generated the finding. | keyword |
+| ocsf.analytic.related_analytics.name | The name of the analytic that generated the finding. | keyword |
+| ocsf.analytic.related_analytics.related_analytics | | flattened |
+| ocsf.analytic.related_analytics.type | The analytic type. | keyword |
+| ocsf.analytic.related_analytics.type_id | The analytic type ID. | keyword |
+| ocsf.analytic.related_analytics.uid | The unique identifier of the analytic that generated the finding. | keyword |
+| ocsf.analytic.related_analytics.version | The analytic version. For example: 1.1. | keyword |
+| ocsf.analytic.type | The analytic type. | keyword |
+| ocsf.analytic.type_id | The analytic type ID. | keyword |
+| ocsf.analytic.uid | The unique identifier of the analytic that generated the finding. | keyword |
+| ocsf.analytic.version | The analytic version. For example: 1.1. | keyword |
+| ocsf.answers.class | The class of DNS data contained in this resource record. See RFC1035. For example: IN. | keyword |
+| ocsf.answers.flag_ids | The list of DNS answer header flag IDs. | keyword |
+| ocsf.answers.flags | The list of DNS answer header flags. | keyword |
+| ocsf.answers.packet_uid | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
+| ocsf.answers.rdata | The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| ocsf.answers.ttl | The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. | long |
+| ocsf.answers.type | The type of data contained in this resource record. See RFC1035. For example: CNAME. | keyword |
+| ocsf.api.operation | Verb/Operation associated with the request. | keyword |
+| ocsf.api.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | keyword |
+| ocsf.api.request.uid | The unique request identifier. | keyword |
+| ocsf.api.response.code | The numeric response sent to a request. | long |
+| ocsf.api.response.error | Error Code. | keyword |
+| ocsf.api.response.error_message | Error Message. | keyword |
+| ocsf.api.response.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | keyword |
+| ocsf.api.response.message | The description of the event, as defined by the event source. | keyword |
+| ocsf.api.service.labels | The list of labels associated with the service. | keyword |
+| ocsf.api.service.name | The name of the service. | keyword |
+| ocsf.api.service.uid | The unique identifier of the service. | keyword |
+| ocsf.api.service.version | The version of the service. | keyword |
+| ocsf.api.version | The version of the API service. | keyword |
+| ocsf.app_name | The name of the application that is associated with the event or object. | keyword |
+| ocsf.attacks.tactics.name | The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. | keyword |
+| ocsf.attacks.tactics.uid | The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. | keyword |
+| ocsf.attacks.technique.name | The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise. | keyword |
+| ocsf.attacks.technique.uid | The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189. | keyword |
+| ocsf.attacks.version | The ATT&CK Matrix version. | keyword |
+| ocsf.auth_protocol | The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.auth_protocol_id | The normalized identifier of the authentication protocol used to create the user session. | keyword |
+| ocsf.category_name | The event category name, as defined by category_uid value: Identity & Access Management. | keyword |
+| ocsf.category_uid | The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. | keyword |
+| ocsf.certificate.created_time | The time when the certificate was created. | date |
+| ocsf.certificate.created_time_dt | The time when the certificate was created. | date |
+| ocsf.certificate.expiration_time | The expiration time of the certificate. | date |
+| ocsf.certificate.expiration_time_dt | The expiration time of the certificate. | date |
+| ocsf.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.certificate.fingerprints.value | The digital fingerprint value. | keyword |
+| ocsf.certificate.issuer | The certificate issuer distinguished name. | keyword |
+| ocsf.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
+| ocsf.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.certificate.version | The certificate version. | keyword |
+| ocsf.cis_csc.control | The CIS critical security control. | keyword |
+| ocsf.cis_csc.version | The CIS critical security control version. | keyword |
+| ocsf.class_name | The event class name, as defined by class_uid value: Security Finding. | keyword |
+| ocsf.class_uid | The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. | keyword |
+| ocsf.cloud.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.cloud.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.cloud.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.cloud.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.cloud.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.cloud.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.cloud.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.cloud.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.cloud.project_uid | The unique identifier of a Cloud project. | keyword |
+| ocsf.cloud.provider | The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. | keyword |
+| ocsf.cloud.region | The name of the cloud region, as defined by the cloud provider. | keyword |
+| ocsf.cloud.zone | The availability zone in the cloud region, as defined by the cloud provider. | keyword |
+| ocsf.compliance.requirements | A list of applicable compliance requirements for which this finding is related to. | keyword |
+| ocsf.compliance.status | The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.compliance.status_detail | The status details contains additional information about the event outcome. | keyword |
+| ocsf.confidence | The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.confidence_id | The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature. | keyword |
+| ocsf.confidence_score | The confidence score as reported by the event source. | long |
+| ocsf.connection_info.boundary | The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. | keyword |
+| ocsf.connection_info.boundary_id | The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. | keyword |
+| ocsf.connection_info.direction | The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.connection_info.direction_id | The normalized identifier of the direction of the initiated connection, traffic, or email. | keyword |
+| ocsf.connection_info.protocol_name | The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp. | keyword |
+| ocsf.connection_info.protocol_num | The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP. | keyword |
+| ocsf.connection_info.protocol_ver | The Internet Protocol version. | keyword |
+| ocsf.connection_info.protocol_ver_id | The Internet Protocol version identifier. | keyword |
+| ocsf.connection_info.tcp_flags | The network connection TCP header flags (i.e., control bits). | long |
+| ocsf.connection_info.uid | The unique identifier of the connection. | keyword |
+| ocsf.count | The number of times that events in the same logical group occurred during the event Start Time to End Time period. | long |
+| ocsf.data_sources | The data sources for the finding. | keyword |
+| ocsf.device.autoscale_uid | The unique identifier of the cloud autoscale configuration. | keyword |
+| ocsf.device.created_time | The time when the device was known to have been created. | date |
+| ocsf.device.created_time_dt | TThe time when the device was known to have been created. | date |
+| ocsf.device.desc | The description of the device, ordinarily as reported by the operating system. | keyword |
+| ocsf.device.domain | The network domain where the device resides. For example: work.example.com. | keyword |
+| ocsf.device.first_seen_time | The initial discovery time of the device. | date |
+| ocsf.device.first_seen_time_dt | The initial discovery time of the device. | date |
+| ocsf.device.groups.desc | The group description. | keyword |
+| ocsf.device.groups.name | The group name. | keyword |
+| ocsf.device.groups.privileges | The group privileges. | keyword |
+| ocsf.device.groups.type | The type of the group or account. | keyword |
+| ocsf.device.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.device.hostname | The devicename. | keyword |
+| ocsf.device.hw_info.bios_date | The BIOS date. For example: 03/31/16. | keyword |
+| ocsf.device.hw_info.bios_manufacturer | The BIOS manufacturer. For example: LENOVO. | keyword |
+| ocsf.device.hw_info.bios_ver | The BIOS version. For example: LENOVO G5ETA2WW (2.62). | keyword |
+| ocsf.device.hw_info.chassis | The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. | keyword |
+| ocsf.device.hw_info.cpu_bits | The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64. | long |
+| ocsf.device.hw_info.cpu_cores | The number of processor cores in all installed processors. For Example: 42. | long |
+| ocsf.device.hw_info.cpu_count | The number of physical processors on a system. For example: 1. | long |
+| ocsf.device.hw_info.cpu_speed | The speed of the processor in Mhz. For Example: 4200. | long |
+| ocsf.device.hw_info.cpu_type | The processor type. For example: x86 Family 6 Model 37 Stepping 5. | keyword |
+| ocsf.device.hw_info.desktop_display.color_depth | The numeric color depth. | long |
+| ocsf.device.hw_info.desktop_display.physical_height | The numeric physical height of display. | long |
+| ocsf.device.hw_info.desktop_display.physical_orientation | The numeric physical orientation of display. | long |
+| ocsf.device.hw_info.desktop_display.physical_width | The numeric physical width of display. | long |
+| ocsf.device.hw_info.desktop_display.scale_factor | The numeric scale factor of display. | long |
+| ocsf.device.hw_info.keyboard_info.function_keys | The number of function keys on client keyboard. | long |
+| ocsf.device.hw_info.keyboard_info.ime | The Input Method Editor (IME) file name. | keyword |
+| ocsf.device.hw_info.keyboard_info.keyboard_layout | The keyboard locale identifier name (e.g., en-US). | keyword |
+| ocsf.device.hw_info.keyboard_info.keyboard_subtype | The keyboard numeric code. | long |
+| ocsf.device.hw_info.keyboard_info.keyboard_type | The keyboard type (e.g., xt, ico). | keyword |
+| ocsf.device.hw_info.ram_size | The total amount of installed RAM, in Megabytes. For example: 2048. | long |
+| ocsf.device.hw_info.serial_number | The device manufacturer serial number. | keyword |
+| ocsf.device.hypervisor | The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. | keyword |
+| ocsf.device.image.labels | The image labels. | keyword |
+| ocsf.device.image.name | The image name. For example: elixir. | keyword |
+| ocsf.device.image.path | The full path to the image file. | keyword |
+| ocsf.device.image.tag | The image tag. For example: 1.11-alpine. | keyword |
+| ocsf.device.image.uid | The unique image ID. For example: 77af4d6b9913. | keyword |
+| ocsf.device.imei | The International Mobile Station Equipment Identifier that is associated with the device. | keyword |
+| ocsf.device.instance_uid | The unique identifier of a VM instance. | keyword |
+| ocsf.device.interface_name | The name of the network interface (e.g. eth2). | keyword |
+| ocsf.device.interface_uid | The unique identifier of the network interface. | keyword |
+| ocsf.device.ip | The device IP address, in either IPv4 or IPv6 format. | ip |
+| ocsf.device.is_compliant | The event occurred on a compliant device. | boolean |
+| ocsf.device.is_managed | The event occurred on a managed device. | boolean |
+| ocsf.device.is_personal | The event occurred on a personal device. | boolean |
+| ocsf.device.is_trusted | The event occurred on a trusted device. | boolean |
+| ocsf.device.last_seen_time | The most recent discovery time of the device. | date |
+| ocsf.device.last_seen_time_dt | The most recent discovery time of the device. | date |
+| ocsf.device.location.city | The name of the city. | keyword |
+| ocsf.device.location.continent | The name of the continent. | keyword |
+| ocsf.device.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point |
+| ocsf.device.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword |
+| ocsf.device.location.desc | The description of the geographical location. | keyword |
+| ocsf.device.location.is_on_premises | The indication of whether the location is on premises. | boolean |
+| ocsf.device.location.isp | The name of the Internet Service Provider (ISP). | keyword |
+| ocsf.device.location.postal_code | The postal code of the location. | keyword |
+| ocsf.device.location.provider | The provider of the geographical location data. | keyword |
+| ocsf.device.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
+| ocsf.device.mac | The device Media Access Control (MAC) address. | keyword |
+| ocsf.device.modified_time | The time when the device was last known to have been modified. | date |
+| ocsf.device.modified_time_dt | The time when the device was last known to have been modified. | date |
+| ocsf.device.name | The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. | keyword |
+| ocsf.device.network_interfaces.hostname | The hostname associated with the network interface. | keyword |
+| ocsf.device.network_interfaces.ip | The IP address associated with the network interface. | ip |
+| ocsf.device.network_interfaces.mac | The MAC address of the network interface. | keyword |
+| ocsf.device.network_interfaces.name | The name of the network interface. | keyword |
+| ocsf.device.network_interfaces.namespace | The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. | keyword |
+| ocsf.device.network_interfaces.type | The type of network interface. | keyword |
+| ocsf.device.network_interfaces.type_id | The network interface type identifier. | keyword |
+| ocsf.device.network_interfaces.uid | The unique identifier for the network interface. | keyword |
+| ocsf.device.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.device.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.device.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.device.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.device.os.build | The operating system build number. | keyword |
+| ocsf.device.os.country | The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. | keyword |
+| ocsf.device.os.cpu_bits | The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. | long |
+| ocsf.device.os.edition | The operating system edition. For example, Professional. | keyword |
+| ocsf.device.os.lang | The two letter lower case language codes, as defined by ISO 639-1. | keyword |
+| ocsf.device.os.name | The operating system name. | keyword |
+| ocsf.device.os.sp_name | The name of the latest Service Pack. | keyword |
+| ocsf.device.os.sp_ver | The version number of the latest Service Pack. | keyword |
+| ocsf.device.os.type | The type of the operating system. | keyword |
+| ocsf.device.os.type_id | The type identifier of the operating system. | keyword |
+| ocsf.device.os.version | The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". | keyword |
+| ocsf.device.region | The region where the virtual machine is located. For example, an AWS Region. | keyword |
+| ocsf.device.risk_level | The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.device.risk_level_id | The normalized risk level id. | keyword |
+| ocsf.device.risk_score | The risk score as reported by the event source. | long |
+| ocsf.device.subnet | The subnet mask. | ip_range |
+| ocsf.device.subnet_uid | The unique identifier of a virtual subnet. | keyword |
+| ocsf.device.type | The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword |
+| ocsf.device.type_id | The device type ID. | keyword |
+| ocsf.device.uid | The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. | keyword |
+| ocsf.device.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.device.vlan_uid | The Virtual LAN identifier. | keyword |
+| ocsf.device.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.disposition | The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.disposition_id | When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. | keyword |
+| ocsf.dst_endpoint.domain | The name of the domain. | keyword |
+| ocsf.dst_endpoint.hostname | The fully qualified name of the endpoint. | keyword |
+| ocsf.dst_endpoint.instance_uid | The unique identifier of a VM instance. | keyword |
+| ocsf.dst_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword |
+| ocsf.dst_endpoint.interface_uid | The unique identifier of the network interface. | keyword |
+| ocsf.dst_endpoint.intermediate_ips | The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. | ip |
+| ocsf.dst_endpoint.ip | The IP address of the endpoint, in either IPv4 or IPv6 format. | ip |
+| ocsf.dst_endpoint.location.city | The name of the city. | keyword |
+| ocsf.dst_endpoint.location.continent | The name of the continent. | keyword |
+| ocsf.dst_endpoint.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point |
+| ocsf.dst_endpoint.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword |
+| ocsf.dst_endpoint.location.desc | The description of the geographical location. | keyword |
+| ocsf.dst_endpoint.location.is_on_premises | The indication of whether the location is on premises. | boolean |
+| ocsf.dst_endpoint.location.isp | The name of the Internet Service Provider (ISP). | keyword |
+| ocsf.dst_endpoint.location.postal_code | The postal code of the location. | keyword |
+| ocsf.dst_endpoint.location.provider | The provider of the geographical location data. | keyword |
+| ocsf.dst_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
+| ocsf.dst_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword |
+| ocsf.dst_endpoint.name | The short name of the endpoint. | keyword |
+| ocsf.dst_endpoint.port | The port used for communication within the network connection. | long |
+| ocsf.dst_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword |
+| ocsf.dst_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword |
+| ocsf.dst_endpoint.uid | The unique identifier of the endpoint. | keyword |
+| ocsf.dst_endpoint.vlan_uid | The Virtual LAN identifier. | keyword |
+| ocsf.dst_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.duration | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. | long |
+| ocsf.end_time | The end time of a time period, or the time of the most recent event included in the aggregate event. | date |
+| ocsf.end_time_dt | The end time of a time period, or the time of the most recent event included in the aggregate event. | date |
+| ocsf.enrichments.data | The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. | flattened |
+| ocsf.enrichments.name | The name of the attribute to which the enriched data pertains. | keyword |
+| ocsf.enrichments.provider | The enrichment data provider name. | keyword |
+| ocsf.enrichments.type | The enrichment type. For example, location. | keyword |
+| ocsf.enrichments.value | The value of the attribute to which the enriched data pertains. | keyword |
+| ocsf.evidence | The data the finding exposes to the analyst. | flattened |
+| ocsf.finding.created_time | The time when the finding was created. | date |
+| ocsf.finding.created_time_dt | The time when the finding was created. | date |
+| ocsf.finding.desc | The description of the reported finding. | keyword |
+| ocsf.finding.first_seen_time | The time when the finding was first observed. | date |
+| ocsf.finding.first_seen_time_dt | The time when the finding was first observed. | date |
+| ocsf.finding.last_seen_time | The time when the finding was most recently observed. | date |
+| ocsf.finding.last_seen_time_dt | The time when the finding was most recently observed. | date |
+| ocsf.finding.modified_time | The time when the finding was last modified. | date |
+| ocsf.finding.modified_time_dt | The time when the finding was last modified. | date |
+| ocsf.finding.product_uid | The unique identifier of the product that reported the finding. | keyword |
+| ocsf.finding.related_events.product_uid | The unique identifier of the product that reported the related event. | keyword |
+| ocsf.finding.related_events.type | The type of the related event. For example: Process Activity: Launch. | keyword |
+| ocsf.finding.related_events.type_uid | The unique identifier of the related event type. For example: 100701. | keyword |
+| ocsf.finding.related_events.uid | The unique identifier of the related event. | keyword |
+| ocsf.finding.remediation.desc | The description of the remediation strategy. | keyword |
+| ocsf.finding.remediation.kb_articles | The KB article/s related to the entity. | keyword |
+| ocsf.finding.src_url | The URL pointing to the source of the finding. | keyword |
+| ocsf.finding.supporting_data | Additional data supporting a finding as provided by security tool. | flattened |
+| ocsf.finding.title | The title of the reported finding. | keyword |
+| ocsf.finding.types | One or more types of the reported finding. | keyword |
+| ocsf.finding.uid | The unique identifier of the reported finding. | keyword |
+| ocsf.http_request.args | The arguments sent along with the HTTP request. | keyword |
+| ocsf.http_request.http_headers.name | The name of the header. | keyword |
+| ocsf.http_request.http_headers.value | The value of the header. | keyword |
+| ocsf.http_request.http_method | The HTTP request method indicates the desired action to be performed for a given resource. | keyword |
+| ocsf.http_request.referrer | The request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested. | keyword |
+| ocsf.http_request.uid | The unique identifier of the http request. | keyword |
+| ocsf.http_request.url.categories | The Website categorization names, as defined by category_ids enum values. | keyword |
+| ocsf.http_request.url.category_ids | The Website categorization identifies. | keyword |
+| ocsf.http_request.url.hostname | The URL host as extracted from the URL. For example, www.example.com from www.example.com/download/trouble. | keyword |
+| ocsf.http_request.url.path | The URL path as extracted from the URL. For example, /download/trouble from www.example.com/download/trouble. | keyword |
+| ocsf.http_request.url.port | The URL port. For example, 80. | long |
+| ocsf.http_request.url.query_string | The query portion of the URL. For example, the query portion of the URL http://www.example.com/search?q=bad&sort=date is q=bad&sort=date. | keyword |
+| ocsf.http_request.url.resource_type | The context in which a resource was retrieved in a web request. | keyword |
+| ocsf.http_request.url.scheme | The scheme portion of the URL. For example, http, https, ftp, or sftp. | keyword |
+| ocsf.http_request.url.subdomain | The subdomain portion of the URL. For example, sub in https://sub.example.com or sub2.sub1 in https://sub2.sub1.example.com. | keyword |
+| ocsf.http_request.url.url_string | The URL string. See RFC 1738. For example, http://www.example.com/download/trouble.exe. | keyword |
+| ocsf.http_request.user_agent | The request header that identifies the operating system and web browser. | keyword |
+| ocsf.http_request.version | The Hypertext Transfer Protocol (HTTP) version. | keyword |
+| ocsf.http_request.x_forwarded_for | The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer. | ip |
+| ocsf.impact | The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.impact_id | The normalized impact of the finding. | keyword |
+| ocsf.impact_score | The impact of the finding, valid range 0-100. | long |
+| ocsf.is_cleartext | Indicates whether the credentials were passed in clear text.Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text. | boolean |
+| ocsf.is_mfa | Indicates whether Multi Factor Authentication was used during authentication. | boolean |
+| ocsf.is_new_logon | Indicates logon is from a device not seen before or a first time account logon. | boolean |
+| ocsf.is_remote | The attempted authentication is over a remote connection. | boolean |
+| ocsf.kill_chain.phase | The cyber kill chain phase. | keyword |
+| ocsf.kill_chain.phase_id | The cyber kill chain phase identifier. | keyword |
+| ocsf.logon_process.auid | The audit user assigned at login by the audit subsystem. | keyword |
+| ocsf.logon_process.cmd_line | The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used. | keyword |
+| ocsf.logon_process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.logon_process.container.hash.value | The digital fingerprint value. | keyword |
+| ocsf.logon_process.container.image.labels | The image labels. | keyword |
+| ocsf.logon_process.container.image.name | The image name. For example: elixir. | keyword |
+| ocsf.logon_process.container.image.path | The full path to the image file. | keyword |
+| ocsf.logon_process.container.image.tag | The image tag. For example: 1.11-alpine. | keyword |
+| ocsf.logon_process.container.image.uid | The unique image ID. For example: 77af4d6b9913. | keyword |
+| ocsf.logon_process.container.name | The container name. | keyword |
+| ocsf.logon_process.container.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.logon_process.container.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.logon_process.container.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.logon_process.container.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.logon_process.container.size | The size of the container image. | long |
+| ocsf.logon_process.container.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.logon_process.container.uid | The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf. | keyword |
+| ocsf.logon_process.created_time | The time when the process was created/started. | date |
+| ocsf.logon_process.created_time_dt | The time when the process was created/started. | date |
+| ocsf.logon_process.egid | The effective group under which this process is running. | keyword |
+| ocsf.logon_process.euid | The effective user under which this process is running. | keyword |
+| ocsf.logon_process.file.accessed_time | The time when the file was last accessed. | date |
+| ocsf.logon_process.file.accessed_time_dt | The time when the file was last accessed. | date |
+| ocsf.logon_process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.file.accessor.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.file.accessor.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.file.accessor.groups.desc | The group description. | keyword |
+| ocsf.logon_process.file.accessor.groups.name | The group name. | keyword |
+| ocsf.logon_process.file.accessor.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.file.accessor.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.file.accessor.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.file.accessor.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.file.attributes | The Bitmask value that represents the file attributes. | long |
+| ocsf.logon_process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword |
+| ocsf.logon_process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword |
+| ocsf.logon_process.file.created_time | The time when the file was created. | date |
+| ocsf.logon_process.file.created_time_dt | The time when the file was created. | date |
+| ocsf.logon_process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.file.creator.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.file.creator.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.file.creator.groups.desc | The group description. | keyword |
+| ocsf.logon_process.file.creator.groups.name | The group name. | keyword |
+| ocsf.logon_process.file.creator.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.file.creator.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.file.creator.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.file.creator.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword |
+| ocsf.logon_process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.logon_process.file.hashes.value | The digital fingerprint value. | keyword |
+| ocsf.logon_process.file.is_system | The indication of whether the object is part of the operating system. | boolean |
+| ocsf.logon_process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
+| ocsf.logon_process.file.modified_time | The time when the file was last modified. | date |
+| ocsf.logon_process.file.modified_time_dt | The time when the file was last modified. | date |
+| ocsf.logon_process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.file.modifier.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.file.modifier.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.file.modifier.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.file.modifier.groups.desc | The group description. | keyword |
+| ocsf.logon_process.file.modifier.groups.name | The group name. | keyword |
+| ocsf.logon_process.file.modifier.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.file.modifier.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.file.modifier.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.file.modifier.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.file.name | The name of the file. For example: svchost.exe. | keyword |
+| ocsf.logon_process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.file.owner.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.file.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.file.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.file.owner.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.file.owner.groups.desc | The group description. | keyword |
+| ocsf.logon_process.file.owner.groups.name | The group name. | keyword |
+| ocsf.logon_process.file.owner.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.file.owner.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.file.owner.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.file.owner.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
+| ocsf.logon_process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
+| ocsf.logon_process.file.product.feature.name | The name of the feature. | keyword |
+| ocsf.logon_process.file.product.feature.uid | The unique identifier of the feature. | keyword |
+| ocsf.logon_process.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.logon_process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
+| ocsf.logon_process.file.product.name | The name of the product. | keyword |
+| ocsf.logon_process.file.product.path | The installation path of the product. | keyword |
+| ocsf.logon_process.file.product.uid | The unique identifier of the product. | keyword |
+| ocsf.logon_process.file.product.vendor_name | The name of the vendor of the product. | keyword |
+| ocsf.logon_process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.logon_process.file.security_descriptor | The object security descriptor. | keyword |
+| ocsf.logon_process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword |
+| ocsf.logon_process.file.signature.certificate.created_time | The time when the certificate was created. | date |
+| ocsf.logon_process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date |
+| ocsf.logon_process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date |
+| ocsf.logon_process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date |
+| ocsf.logon_process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.logon_process.file.signature.certificate.fingerprints.value | The digital fingerprint value. | keyword |
+| ocsf.logon_process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
+| ocsf.logon_process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
+| ocsf.logon_process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.logon_process.file.signature.certificate.version | The certificate version. | keyword |
+| ocsf.logon_process.file.signature.created_time | The time when the digital signature was created. | date |
+| ocsf.logon_process.file.signature.created_time_dt | The time when the digital signature was created. | date |
+| ocsf.logon_process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword |
+| ocsf.logon_process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.logon_process.file.signature.digest.value | The digital fingerprint value. | keyword |
+| ocsf.logon_process.file.size | The size of data, in bytes. | long |
+| ocsf.logon_process.file.type | The file type. | keyword |
+| ocsf.logon_process.file.type_id | The file type ID. | keyword |
+| ocsf.logon_process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword |
+| ocsf.logon_process.file.version | The file version. For example: 8.0.7601.17514. | keyword |
+| ocsf.logon_process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
+| ocsf.logon_process.group.desc | The group description. | keyword |
+| ocsf.logon_process.group.name | The group name. | keyword |
+| ocsf.logon_process.group.privileges | The group privileges. | keyword |
+| ocsf.logon_process.group.type | The type of the group or account. | keyword |
+| ocsf.logon_process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword |
+| ocsf.logon_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword |
+| ocsf.logon_process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword |
+| ocsf.logon_process.loaded_modules | The list of loaded module names. | keyword |
+| ocsf.logon_process.name | The friendly name of the process, for example: Notepad++. | keyword |
+| ocsf.logon_process.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long |
+| ocsf.logon_process.parent_process.auid | The audit user assigned at login by the audit subsystem. | keyword |
+| ocsf.logon_process.parent_process.cmd_line | The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used. | keyword |
+| ocsf.logon_process.parent_process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.logon_process.parent_process.container.hash.value | The digital fingerprint value. | keyword |
+| ocsf.logon_process.parent_process.container.image.labels | The image labels. | keyword |
+| ocsf.logon_process.parent_process.container.image.name | The image name. For example: elixir. | keyword |
+| ocsf.logon_process.parent_process.container.image.path | The full path to the image file. | keyword |
+| ocsf.logon_process.parent_process.container.image.tag | The image tag. For example: 1.11-alpine. | keyword |
+| ocsf.logon_process.parent_process.container.image.uid | The unique image ID. For example: 77af4d6b9913. | keyword |
+| ocsf.logon_process.parent_process.container.name | The container name. | keyword |
+| ocsf.logon_process.parent_process.container.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.logon_process.parent_process.container.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.logon_process.parent_process.container.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.logon_process.parent_process.container.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.logon_process.parent_process.container.size | The size of the container image. | long |
+| ocsf.logon_process.parent_process.container.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.logon_process.parent_process.container.uid | The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf. | keyword |
+| ocsf.logon_process.parent_process.created_time | The time when the process was created/started. | date |
+| ocsf.logon_process.parent_process.created_time_dt | The time when the process was created/started. | date |
+| ocsf.logon_process.parent_process.egid | The effective group under which this process is running. | keyword |
+| ocsf.logon_process.parent_process.euid | The effective user under which this process is running. | keyword |
+| ocsf.logon_process.parent_process.file.accessed_time | The time when the file was last accessed. | date |
+| ocsf.logon_process.parent_process.file.accessed_time_dt | The time when the file was last accessed. | date |
+| ocsf.logon_process.parent_process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.parent_process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.parent_process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.parent_process.file.accessor.groups.desc | The group description. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.groups.name | The group name. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.parent_process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.parent_process.file.attributes | The Bitmask value that represents the file attributes. | long |
+| ocsf.logon_process.parent_process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword |
+| ocsf.logon_process.parent_process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword |
+| ocsf.logon_process.parent_process.file.created_time | The time when the file was created. | date |
+| ocsf.logon_process.parent_process.file.created_time_dt | The time when the file was created. | date |
+| ocsf.logon_process.parent_process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.parent_process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.file.creator.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.parent_process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.parent_process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.parent_process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.parent_process.file.creator.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.parent_process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.parent_process.file.creator.groups.desc | The group description. | keyword |
+| ocsf.logon_process.parent_process.file.creator.groups.name | The group name. | keyword |
+| ocsf.logon_process.parent_process.file.creator.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.parent_process.file.creator.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.parent_process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.parent_process.file.creator.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.parent_process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.parent_process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.parent_process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.parent_process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.parent_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.parent_process.file.creator.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.parent_process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.parent_process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.parent_process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword |
+| ocsf.logon_process.parent_process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.logon_process.parent_process.file.hashes.value | The digital fingerprint value. | keyword |
+| ocsf.logon_process.parent_process.file.is_system | The indication of whether the object is part of the operating system. | boolean |
+| ocsf.logon_process.parent_process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
+| ocsf.logon_process.parent_process.file.modified_time | The time when the file was last modified. | date |
+| ocsf.logon_process.parent_process.file.modified_time_dt | The time when the file was last modified. | date |
+| ocsf.logon_process.parent_process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.parent_process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.parent_process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.parent_process.file.modifier.groups.desc | The group description. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.groups.name | The group name. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.parent_process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.parent_process.file.name | The name of the file. For example: svchost.exe. | keyword |
+| ocsf.logon_process.parent_process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.parent_process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.file.owner.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.parent_process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.parent_process.file.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.parent_process.file.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.parent_process.file.owner.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.parent_process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.parent_process.file.owner.groups.desc | The group description. | keyword |
+| ocsf.logon_process.parent_process.file.owner.groups.name | The group name. | keyword |
+| ocsf.logon_process.parent_process.file.owner.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.parent_process.file.owner.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.parent_process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.parent_process.file.owner.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.parent_process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.parent_process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.parent_process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.parent_process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.parent_process.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.parent_process.file.owner.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.parent_process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.parent_process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.parent_process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
+| ocsf.logon_process.parent_process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
+| ocsf.logon_process.parent_process.file.product.feature.name | The name of the feature. | keyword |
+| ocsf.logon_process.parent_process.file.product.feature.uid | The unique identifier of the feature. | keyword |
+| ocsf.logon_process.parent_process.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.logon_process.parent_process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
+| ocsf.logon_process.parent_process.file.product.name | The name of the product. | keyword |
+| ocsf.logon_process.parent_process.file.product.path | The installation path of the product. | keyword |
+| ocsf.logon_process.parent_process.file.product.uid | The unique identifier of the product. | keyword |
+| ocsf.logon_process.parent_process.file.product.vendor_name | The name of the vendor of the product. | keyword |
+| ocsf.logon_process.parent_process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.logon_process.parent_process.file.security_descriptor | The object security descriptor. | keyword |
+| ocsf.logon_process.parent_process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword |
+| ocsf.logon_process.parent_process.file.signature.certificate.created_time | The time when the certificate was created. | date |
+| ocsf.logon_process.parent_process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date |
+| ocsf.logon_process.parent_process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date |
+| ocsf.logon_process.parent_process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date |
+| ocsf.logon_process.parent_process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.logon_process.parent_process.file.signature.certificate.fingerprints.value | The digital fingerprint value. | keyword |
+| ocsf.logon_process.parent_process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
+| ocsf.logon_process.parent_process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
+| ocsf.logon_process.parent_process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.logon_process.parent_process.file.signature.certificate.version | The certificate version. | keyword |
+| ocsf.logon_process.parent_process.file.signature.created_time | The time when the digital signature was created. | date |
+| ocsf.logon_process.parent_process.file.signature.created_time_dt | The time when the digital signature was created. | date |
+| ocsf.logon_process.parent_process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword |
+| ocsf.logon_process.parent_process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.logon_process.parent_process.file.signature.digest.value | The digital fingerprint value. | keyword |
+| ocsf.logon_process.parent_process.file.size | The size of data, in bytes. | long |
+| ocsf.logon_process.parent_process.file.type | The file type. | keyword |
+| ocsf.logon_process.parent_process.file.type_id | The file type ID. | keyword |
+| ocsf.logon_process.parent_process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword |
+| ocsf.logon_process.parent_process.file.version | The file version. For example: 8.0.7601.17514. | keyword |
+| ocsf.logon_process.parent_process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
+| ocsf.logon_process.parent_process.group.desc | The group description. | keyword |
+| ocsf.logon_process.parent_process.group.name | The group name. | keyword |
+| ocsf.logon_process.parent_process.group.privileges | The group privileges. | keyword |
+| ocsf.logon_process.parent_process.group.type | The type of the group or account. | keyword |
+| ocsf.logon_process.parent_process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.parent_process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword |
+| ocsf.logon_process.parent_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword |
+| ocsf.logon_process.parent_process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword |
+| ocsf.logon_process.parent_process.loaded_modules | The list of loaded module names. | keyword |
+| ocsf.logon_process.parent_process.name | The friendly name of the process, for example: Notepad++. | keyword |
+| ocsf.logon_process.parent_process.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long |
+| ocsf.logon_process.parent_process.parent_process | The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. | flattened |
+| ocsf.logon_process.parent_process.parent_process_keyword | | keyword |
+| ocsf.logon_process.parent_process.pid | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. | long |
+| ocsf.logon_process.parent_process.sandbox | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. | keyword |
+| ocsf.logon_process.parent_process.session.created_time | The time when the session was created. | date |
+| ocsf.logon_process.parent_process.session.created_time_dt | The time when the session was created. | date |
+| ocsf.logon_process.parent_process.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.parent_process.session.expiration_time | The session expiration time. | date |
+| ocsf.logon_process.parent_process.session.expiration_time_dt | The session expiration time. | date |
+| ocsf.logon_process.parent_process.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.logon_process.parent_process.session.issuer | The identifier of the session issuer. | keyword |
+| ocsf.logon_process.parent_process.session.mfa | | boolean |
+| ocsf.logon_process.parent_process.session.uid | The unique identifier of the session. | keyword |
+| ocsf.logon_process.parent_process.session.uuid | The universally unique identifier of the session. | keyword |
+| ocsf.logon_process.parent_process.terminated_time | The time when the process was terminated. | date |
+| ocsf.logon_process.parent_process.terminated_time_dt | The time when the process was terminated. | date |
+| ocsf.logon_process.parent_process.tid | The Identifier of the thread associated with the event, as returned by the operating system. | long |
+| ocsf.logon_process.parent_process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword |
+| ocsf.logon_process.parent_process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.parent_process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.parent_process.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.parent_process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.parent_process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.parent_process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.parent_process.user.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.parent_process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.parent_process.user.groups.desc | The group description. | keyword |
+| ocsf.logon_process.parent_process.user.groups.name | The group name. | keyword |
+| ocsf.logon_process.parent_process.user.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.parent_process.user.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.parent_process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.parent_process.user.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.parent_process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.parent_process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.parent_process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.parent_process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.parent_process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.parent_process.user.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.parent_process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.parent_process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.parent_process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
+| ocsf.logon_process.pid | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. | long |
+| ocsf.logon_process.sandbox | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. | keyword |
+| ocsf.logon_process.session.created_time | The time when the session was created. | date |
+| ocsf.logon_process.session.created_time_dt | The time when the session was created. | date |
+| ocsf.logon_process.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.session.expiration_time | The session expiration time. | date |
+| ocsf.logon_process.session.expiration_time_dt | The session expiration time. | date |
+| ocsf.logon_process.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.logon_process.session.issuer | The identifier of the session issuer. | keyword |
+| ocsf.logon_process.session.mfa | | boolean |
+| ocsf.logon_process.session.uid | The unique identifier of the session. | keyword |
+| ocsf.logon_process.session.uuid | The universally unique identifier of the session. | keyword |
+| ocsf.logon_process.terminated_time | The time when the process was terminated. | date |
+| ocsf.logon_process.terminated_time_dt | The time when the process was terminated. | date |
+| ocsf.logon_process.tid | The Identifier of the thread associated with the event, as returned by the operating system. | long |
+| ocsf.logon_process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword |
+| ocsf.logon_process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.logon_process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_process.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.logon_process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.logon_process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.logon_process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.logon_process.user.email_addr | The user's email address. | keyword |
+| ocsf.logon_process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.logon_process.user.groups.desc | The group description. | keyword |
+| ocsf.logon_process.user.groups.name | The group name. | keyword |
+| ocsf.logon_process.user.groups.privileges | The group privileges. | keyword |
+| ocsf.logon_process.user.groups.type | The type of the group or account. | keyword |
+| ocsf.logon_process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.logon_process.user.name | The username. For example, janedoe1. | keyword |
+| ocsf.logon_process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.logon_process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.logon_process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.logon_process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.logon_process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.logon_process.user.type_id | The account type identifier. | keyword |
+| ocsf.logon_process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.logon_process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.logon_process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
+| ocsf.logon_type | The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.logon_type_id | The normalized logon type identifier | keyword |
+| ocsf.malware.classification_ids | The list of normalized identifiers of the malware classifications. | keyword |
+| ocsf.malware.classifications | The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source. | keyword |
+| ocsf.malware.cves.created_time | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
+| ocsf.malware.cves.created_time_dt | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
+| ocsf.malware.cves.cvss.base_score | The CVSS base score. | double |
+| ocsf.malware.cves.cvss.depth | The CVSS depth represents a depth of the equation used to calculate CVSS score. | keyword |
+| ocsf.malware.cves.cvss.metrics.name | The name of the metric. | keyword |
+| ocsf.malware.cves.cvss.metrics.value | The value of the metric. | keyword |
+| ocsf.malware.cves.cvss.overall_score | The CVSS overall score, impacted by base, temporal, and environmental metrics. | double |
+| ocsf.malware.cves.cvss.severity | The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. | keyword |
+| ocsf.malware.cves.cvss.vector_string | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. | keyword |
+| ocsf.malware.cves.cvss.version | The CVSS version. | keyword |
+| ocsf.malware.cves.cwe_uid | The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787. | keyword |
+| ocsf.malware.cves.cwe_url | Common Weakness Enumeration (CWE) definition URL. | keyword |
+| ocsf.malware.cves.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date |
+| ocsf.malware.cves.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date |
+| ocsf.malware.cves.product.feature.name | The name of the feature. | keyword |
+| ocsf.malware.cves.product.feature.uid | The unique identifier of the feature. | keyword |
+| ocsf.malware.cves.product.feature.version | The version of the feature. | keyword |
+| ocsf.malware.cves.product.lang | The two letter lower case language codes, as defined by ISO 639-1. | keyword |
+| ocsf.malware.cves.product.name | The name of the product. | keyword |
+| ocsf.malware.cves.product.path | The installation path of the product. | keyword |
+| ocsf.malware.cves.product.uid | The unique identifier of the product. | keyword |
+| ocsf.malware.cves.product.vendor_name | The name of the vendor of the product. | keyword |
+| ocsf.malware.cves.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.malware.cves.type | The vulnerability type as selected from a large dropdown menu during CVE refinement. | keyword |
+| ocsf.malware.cves.uid | The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345. | keyword |
+| ocsf.malware.name | The malware name, as reported by the detection engine. | keyword |
+| ocsf.malware.path | The filesystem path of the malware that was observed. | keyword |
+| ocsf.malware.provider | The provider of the malware information. | keyword |
+| ocsf.malware.uid | The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id. | keyword |
+| ocsf.message | The description of the event, as defined by the event source. | keyword |
+| ocsf.metadata.correlation_uid | The unique identifier used to correlate events. | keyword |
+| ocsf.metadata.event_code | The Event ID or Code that the product uses to describe the event. | keyword |
+| ocsf.metadata.extension.name | The schema extension name. For example: dev. | keyword |
+| ocsf.metadata.extension.uid | The schema extension unique identifier. For example: 999. | keyword |
+| ocsf.metadata.extension.version | The schema extension version. For example: 1.0.0-alpha.2. | keyword |
+| ocsf.metadata.labels | The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. | keyword |
+| ocsf.metadata.log_name | The event log name. For example, syslog file name or Windows logging subsystem: Security. | keyword |
+| ocsf.metadata.log_provider | The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. | keyword |
+| ocsf.metadata.log_version | The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. | keyword |
+| ocsf.metadata.logged_time | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. | date |
+| ocsf.metadata.logged_time_dt | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. | date |
+| ocsf.metadata.modified_time | The time when the event was last modified or enriched. | date |
+| ocsf.metadata.modified_time_dt | The time when the event was last modified or enriched. | date |
+| ocsf.metadata.original_time | The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. | keyword |
+| ocsf.metadata.processed_time | The event processed time, such as an ETL operation. | date |
+| ocsf.metadata.processed_time_dt | The event processed time, such as an ETL operation. | date |
+| ocsf.metadata.product.feature.name | The name of the feature. | keyword |
+| ocsf.metadata.product.feature.uid | The unique identifier of the feature. | keyword |
+| ocsf.metadata.product.feature.version | The version of the feature. | keyword |
+| ocsf.metadata.product.lang | The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
+| ocsf.metadata.product.name | The name of the product. | keyword |
+| ocsf.metadata.product.path | The installation path of the product. | keyword |
+| ocsf.metadata.product.uid | The unique identifier of the product. | keyword |
+| ocsf.metadata.product.vendor_name | The name of the vendor of the product. | keyword |
+| ocsf.metadata.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.metadata.profiles | The list of profiles used to create the event. | keyword |
+| ocsf.metadata.sequence | Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. | long |
+| ocsf.metadata.uid | The logging system-assigned unique identifier of an event instance. | keyword |
+| ocsf.metadata.version | The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes. | keyword |
+| ocsf.nist | The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. | keyword |
+| ocsf.observables.name | The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name. | keyword |
+| ocsf.observables.reputation.base_score | The reputation score as reported by the event source. | double |
+| ocsf.observables.reputation.provider | The provider of the reputation information. | keyword |
+| ocsf.observables.reputation.score | The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.observables.reputation.score_id | The normalized reputation score identifier. | keyword |
+| ocsf.observables.type | The observable value type name. | keyword |
+| ocsf.observables.type_id | The observable value type identifier. | keyword |
+| ocsf.observables.value | The value associated with the observable attribute. | keyword |
+| ocsf.process.auid | The audit user assigned at login by the audit subsystem. | keyword |
+| ocsf.process.cmd_line | The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used. | keyword |
+| ocsf.process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.process.container.hash.value | The digital fingerprint value. | keyword |
+| ocsf.process.container.image.labels | The image labels. | keyword |
+| ocsf.process.container.image.name | The image name. For example: elixir. | keyword |
+| ocsf.process.container.image.path | The full path to the image file. | keyword |
+| ocsf.process.container.image.tag | The image tag. For example: 1.11-alpine. | keyword |
+| ocsf.process.container.image.uid | The unique image ID. For example: 77af4d6b9913. | keyword |
+| ocsf.process.container.name | The container name. | keyword |
+| ocsf.process.container.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.process.container.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.process.container.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.process.container.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.process.container.size | The size of the container image. | long |
+| ocsf.process.container.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.process.container.uid | The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf. | keyword |
+| ocsf.process.created_time | The time when the process was created/started. | date |
+| ocsf.process.created_time_dt | The time when the process was created/started. | date |
+| ocsf.process.egid | The effective group under which this process is running. | keyword |
+| ocsf.process.euid | The effective user under which this process is running. | keyword |
+| ocsf.process.file.accessed_time | The time when the file was last accessed. | date |
+| ocsf.process.file.accessed_time_dt | The time when the file was last accessed. | date |
+| ocsf.process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.file.accessor.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.file.accessor.email_addr | The user's email address. | keyword |
+| ocsf.process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.file.accessor.groups.desc | The group description. | keyword |
+| ocsf.process.file.accessor.groups.name | The group name. | keyword |
+| ocsf.process.file.accessor.groups.privileges | The group privileges. | keyword |
+| ocsf.process.file.accessor.groups.type | The type of the group or account. | keyword |
+| ocsf.process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.file.accessor.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.file.accessor.type_id | The account type identifier. | keyword |
+| ocsf.process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.file.attributes | The Bitmask value that represents the file attributes. | long |
+| ocsf.process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword |
+| ocsf.process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword |
+| ocsf.process.file.created_time | The time when the file was created. | date |
+| ocsf.process.file.created_time_dt | The time when the file was created. | date |
+| ocsf.process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.file.creator.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.file.creator.email_addr | The user's email address. | keyword |
+| ocsf.process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.file.creator.groups.desc | The group description. | keyword |
+| ocsf.process.file.creator.groups.name | The group name. | keyword |
+| ocsf.process.file.creator.groups.privileges | The group privileges. | keyword |
+| ocsf.process.file.creator.groups.type | The type of the group or account. | keyword |
+| ocsf.process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.file.creator.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.file.creator.type_id | The account type identifier. | keyword |
+| ocsf.process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword |
+| ocsf.process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.process.file.hashes.value | The digital fingerprint value. | keyword |
+| ocsf.process.file.is_system | The indication of whether the object is part of the operating system. | boolean |
+| ocsf.process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
+| ocsf.process.file.modified_time | The time when the file was last modified. | date |
+| ocsf.process.file.modified_time_dt | The time when the file was last modified. | date |
+| ocsf.process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.file.modifier.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.file.modifier.email_addr | The user's email address. | keyword |
+| ocsf.process.file.modifier.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.file.modifier.groups.desc | The group description. | keyword |
+| ocsf.process.file.modifier.groups.name | The group name. | keyword |
+| ocsf.process.file.modifier.groups.privileges | The group privileges. | keyword |
+| ocsf.process.file.modifier.groups.type | The type of the group or account. | keyword |
+| ocsf.process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.file.modifier.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.file.modifier.type_id | The account type identifier. | keyword |
+| ocsf.process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.file.name | The name of the file. For example: svchost.exe. | keyword |
+| ocsf.process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.file.owner.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.file.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.file.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.file.owner.email_addr | The user's email address. | keyword |
+| ocsf.process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.file.owner.groups.desc | The group description. | keyword |
+| ocsf.process.file.owner.groups.name | The group name. | keyword |
+| ocsf.process.file.owner.groups.privileges | The group privileges. | keyword |
+| ocsf.process.file.owner.groups.type | The type of the group or account. | keyword |
+| ocsf.process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.file.owner.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.file.owner.type_id | The account type identifier. | keyword |
+| ocsf.process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
+| ocsf.process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
+| ocsf.process.file.product.feature.name | The name of the feature. | keyword |
+| ocsf.process.file.product.feature.uid | The unique identifier of the feature. | keyword |
+| ocsf.process.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
+| ocsf.process.file.product.name | The name of the product. | keyword |
+| ocsf.process.file.product.path | The installation path of the product. | keyword |
+| ocsf.process.file.product.uid | The unique identifier of the product. | keyword |
+| ocsf.process.file.product.vendor_name | The name of the vendor of the product. | keyword |
+| ocsf.process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.process.file.security_descriptor | The object security descriptor. | keyword |
+| ocsf.process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword |
+| ocsf.process.file.signature.certificate.created_time | The time when the certificate was created. | date |
+| ocsf.process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date |
+| ocsf.process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date |
+| ocsf.process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date |
+| ocsf.process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.process.file.signature.certificate.fingerprints.value | The digital fingerprint value. | keyword |
+| ocsf.process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
+| ocsf.process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
+| ocsf.process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.process.file.signature.certificate.version | The certificate version. | keyword |
+| ocsf.process.file.signature.created_time | The time when the digital signature was created. | date |
+| ocsf.process.file.signature.created_time_dt | The time when the digital signature was created. | date |
+| ocsf.process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword |
+| ocsf.process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.process.file.signature.digest.value | The digital fingerprint value. | keyword |
+| ocsf.process.file.size | The size of data, in bytes. | long |
+| ocsf.process.file.type | The file type. | keyword |
+| ocsf.process.file.type_id | The file type ID. | keyword |
+| ocsf.process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword |
+| ocsf.process.file.version | The file version. For example: 8.0.7601.17514. | keyword |
+| ocsf.process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
+| ocsf.process.group.desc | The group description. | keyword |
+| ocsf.process.group.name | The group name. | keyword |
+| ocsf.process.group.privileges | The group privileges. | keyword |
+| ocsf.process.group.type | The type of the group or account. | keyword |
+| ocsf.process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword |
+| ocsf.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword |
+| ocsf.process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword |
+| ocsf.process.loaded_modules | The list of loaded module names. | keyword |
+| ocsf.process.name | The friendly name of the process, for example: Notepad++. | keyword |
+| ocsf.process.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long |
+| ocsf.process.parent_process.auid | The audit user assigned at login by the audit subsystem. | keyword |
+| ocsf.process.parent_process.cmd_line | The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used. | keyword |
+| ocsf.process.parent_process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.process.parent_process.container.hash.value | The digital fingerprint value. | keyword |
+| ocsf.process.parent_process.container.image.labels | The image labels. | keyword |
+| ocsf.process.parent_process.container.image.name | The image name. For example: elixir. | keyword |
+| ocsf.process.parent_process.container.image.path | The full path to the image file. | keyword |
+| ocsf.process.parent_process.container.image.tag | The image tag. For example: 1.11-alpine. | keyword |
+| ocsf.process.parent_process.container.image.uid | The unique image ID. For example: 77af4d6b9913. | keyword |
+| ocsf.process.parent_process.container.name | The container name. | keyword |
+| ocsf.process.parent_process.container.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.process.parent_process.container.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.process.parent_process.container.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.process.parent_process.container.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.process.parent_process.container.size | The size of the container image. | long |
+| ocsf.process.parent_process.container.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.process.parent_process.container.uid | The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf. | keyword |
+| ocsf.process.parent_process.created_time | The time when the process was created/started. | date |
+| ocsf.process.parent_process.created_time_dt | The time when the process was created/started. | date |
+| ocsf.process.parent_process.egid | The effective group under which this process is running. | keyword |
+| ocsf.process.parent_process.euid | The effective user under which this process is running. | keyword |
+| ocsf.process.parent_process.file.accessed_time | The time when the file was last accessed. | date |
+| ocsf.process.parent_process.file.accessed_time_dt | The time when the file was last accessed. | date |
+| ocsf.process.parent_process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.parent_process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.file.accessor.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.parent_process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.parent_process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.parent_process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.parent_process.file.accessor.email_addr | The user's email address. | keyword |
+| ocsf.process.parent_process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.parent_process.file.accessor.groups.desc | The group description. | keyword |
+| ocsf.process.parent_process.file.accessor.groups.name | The group name. | keyword |
+| ocsf.process.parent_process.file.accessor.groups.privileges | The group privileges. | keyword |
+| ocsf.process.parent_process.file.accessor.groups.type | The type of the group or account. | keyword |
+| ocsf.process.parent_process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.parent_process.file.accessor.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.parent_process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.parent_process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.parent_process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.parent_process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.parent_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.parent_process.file.accessor.type_id | The account type identifier. | keyword |
+| ocsf.process.parent_process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.parent_process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.parent_process.file.attributes | The Bitmask value that represents the file attributes. | long |
+| ocsf.process.parent_process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword |
+| ocsf.process.parent_process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword |
+| ocsf.process.parent_process.file.created_time | The time when the file was created. | date |
+| ocsf.process.parent_process.file.created_time_dt | The time when the file was created. | date |
+| ocsf.process.parent_process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.parent_process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.file.creator.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.parent_process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.parent_process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.parent_process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.parent_process.file.creator.email_addr | The user's email address. | keyword |
+| ocsf.process.parent_process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.parent_process.file.creator.groups.desc | The group description. | keyword |
+| ocsf.process.parent_process.file.creator.groups.name | The group name. | keyword |
+| ocsf.process.parent_process.file.creator.groups.privileges | The group privileges. | keyword |
+| ocsf.process.parent_process.file.creator.groups.type | The type of the group or account. | keyword |
+| ocsf.process.parent_process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.parent_process.file.creator.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.parent_process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.parent_process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.parent_process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.parent_process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.parent_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.parent_process.file.creator.type_id | The account type identifier. | keyword |
+| ocsf.process.parent_process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.parent_process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.parent_process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword |
+| ocsf.process.parent_process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.process.parent_process.file.hashes.value | The digital fingerprint value. | keyword |
+| ocsf.process.parent_process.file.is_system | The indication of whether the object is part of the operating system. | boolean |
+| ocsf.process.parent_process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
+| ocsf.process.parent_process.file.modified_time | The time when the file was last modified. | date |
+| ocsf.process.parent_process.file.modified_time_dt | The time when the file was last modified. | date |
+| ocsf.process.parent_process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.parent_process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.file.modifier.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.parent_process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.parent_process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.parent_process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.parent_process.file.modifier.email_addr | The user's email address. | keyword |
+| ocsf.process.parent_process.file.modifier.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.parent_process.file.modifier.groups.desc | The group description. | keyword |
+| ocsf.process.parent_process.file.modifier.groups.name | The group name. | keyword |
+| ocsf.process.parent_process.file.modifier.groups.privileges | The group privileges. | keyword |
+| ocsf.process.parent_process.file.modifier.groups.type | The type of the group or account. | keyword |
+| ocsf.process.parent_process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.parent_process.file.modifier.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.parent_process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.parent_process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.parent_process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.parent_process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.parent_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.parent_process.file.modifier.type_id | The account type identifier. | keyword |
+| ocsf.process.parent_process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.parent_process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.parent_process.file.name | The name of the file. For example: svchost.exe. | keyword |
+| ocsf.process.parent_process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.parent_process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.file.owner.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.parent_process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.parent_process.file.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.parent_process.file.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.parent_process.file.owner.email_addr | The user's email address. | keyword |
+| ocsf.process.parent_process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.parent_process.file.owner.groups.desc | The group description. | keyword |
+| ocsf.process.parent_process.file.owner.groups.name | The group name. | keyword |
+| ocsf.process.parent_process.file.owner.groups.privileges | The group privileges. | keyword |
+| ocsf.process.parent_process.file.owner.groups.type | The type of the group or account. | keyword |
+| ocsf.process.parent_process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.parent_process.file.owner.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.parent_process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.parent_process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.parent_process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.parent_process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.parent_process.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.parent_process.file.owner.type_id | The account type identifier. | keyword |
+| ocsf.process.parent_process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.parent_process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.parent_process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
+| ocsf.process.parent_process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
+| ocsf.process.parent_process.file.product.feature.name | The name of the feature. | keyword |
+| ocsf.process.parent_process.file.product.feature.uid | The unique identifier of the feature. | keyword |
+| ocsf.process.parent_process.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.process.parent_process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
+| ocsf.process.parent_process.file.product.name | The name of the product. | keyword |
+| ocsf.process.parent_process.file.product.path | The installation path of the product. | keyword |
+| ocsf.process.parent_process.file.product.uid | The unique identifier of the product. | keyword |
+| ocsf.process.parent_process.file.product.vendor_name | The name of the vendor of the product. | keyword |
+| ocsf.process.parent_process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.process.parent_process.file.security_descriptor | The object security descriptor. | keyword |
+| ocsf.process.parent_process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword |
+| ocsf.process.parent_process.file.signature.certificate.created_time | The time when the certificate was created. | date |
+| ocsf.process.parent_process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date |
+| ocsf.process.parent_process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date |
+| ocsf.process.parent_process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date |
+| ocsf.process.parent_process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.process.parent_process.file.signature.certificate.fingerprints.value | The digital fingerprint value. | keyword |
+| ocsf.process.parent_process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
+| ocsf.process.parent_process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
+| ocsf.process.parent_process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.process.parent_process.file.signature.certificate.version | The certificate version. | keyword |
+| ocsf.process.parent_process.file.signature.created_time | The time when the digital signature was created. | date |
+| ocsf.process.parent_process.file.signature.created_time_dt | The time when the digital signature was created. | date |
+| ocsf.process.parent_process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword |
+| ocsf.process.parent_process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.process.parent_process.file.signature.digest.value | The digital fingerprint value. | keyword |
+| ocsf.process.parent_process.file.size | The size of data, in bytes. | long |
+| ocsf.process.parent_process.file.type | The file type. | keyword |
+| ocsf.process.parent_process.file.type_id | The file type ID. | keyword |
+| ocsf.process.parent_process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword |
+| ocsf.process.parent_process.file.version | The file version. For example: 8.0.7601.17514. | keyword |
+| ocsf.process.parent_process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
+| ocsf.process.parent_process.group.desc | The group description. | keyword |
+| ocsf.process.parent_process.group.name | The group name. | keyword |
+| ocsf.process.parent_process.group.privileges | The group privileges. | keyword |
+| ocsf.process.parent_process.group.type | The type of the group or account. | keyword |
+| ocsf.process.parent_process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.parent_process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword |
+| ocsf.process.parent_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword |
+| ocsf.process.parent_process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword |
+| ocsf.process.parent_process.loaded_modules | The list of loaded module names. | keyword |
+| ocsf.process.parent_process.name | The friendly name of the process, for example: Notepad++. | keyword |
+| ocsf.process.parent_process.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long |
+| ocsf.process.parent_process.parent_process | The parent process of this process object. | flattened |
+| ocsf.process.parent_process.parent_process_keyword | | keyword |
+| ocsf.process.parent_process.pid | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. | long |
+| ocsf.process.parent_process.sandbox | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. | keyword |
+| ocsf.process.parent_process.session.created_time | The time when the session was created. | date |
+| ocsf.process.parent_process.session.created_time_dt | The short name of the endpoint. | date |
+| ocsf.process.parent_process.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.parent_process.session.expiration_time | The session expiration time. | date |
+| ocsf.process.parent_process.session.expiration_time_dt | The name of the network interface (e.g. eth2). | date |
+| ocsf.process.parent_process.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.process.parent_process.session.issuer | The identifier of the session issuer. | keyword |
+| ocsf.process.parent_process.session.uid | The unique identifier of the session. | keyword |
+| ocsf.process.parent_process.session.uuid | The universally unique identifier of the session. | keyword |
+| ocsf.process.parent_process.terminated_time | The time when the process was terminated. | date |
+| ocsf.process.parent_process.terminated_time_dt | The time when the process was terminated. | date |
+| ocsf.process.parent_process.tid | The Identifier of the thread associated with the event, as returned by the operating system. | long |
+| ocsf.process.parent_process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword |
+| ocsf.process.parent_process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.parent_process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.parent_process.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.parent_process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.parent_process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.parent_process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.parent_process.user.email_addr | The user's email address. | keyword |
+| ocsf.process.parent_process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.parent_process.user.groups.desc | The group description. | keyword |
+| ocsf.process.parent_process.user.groups.name | The group name. | keyword |
+| ocsf.process.parent_process.user.groups.privileges | The group privileges. | keyword |
+| ocsf.process.parent_process.user.groups.type | The type of the group or account. | keyword |
+| ocsf.process.parent_process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.parent_process.user.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.parent_process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.parent_process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.parent_process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.parent_process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.parent_process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.parent_process.user.type_id | The account type identifier. | keyword |
+| ocsf.process.parent_process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.parent_process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.parent_process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
+| ocsf.process.pid | The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. | long |
+| ocsf.process.sandbox | The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. | keyword |
+| ocsf.process.session.created_time | The time when the session was created. | date |
+| ocsf.process.session.created_time_dt | The short name of the endpoint. | date |
+| ocsf.process.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.session.expiration_time | The session expiration time. | date |
+| ocsf.process.session.expiration_time_dt | The name of the network interface (e.g. eth2). | date |
+| ocsf.process.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.process.session.issuer | The identifier of the session issuer. | keyword |
+| ocsf.process.session.uid | The unique identifier of the session. | keyword |
+| ocsf.process.session.uuid | The universally unique identifier of the session. | keyword |
+| ocsf.process.terminated_time | The time when the process was terminated. | date |
+| ocsf.process.terminated_time_dt | The time when the process was terminated. | date |
+| ocsf.process.tid | The Identifier of the thread associated with the event, as returned by the operating system. | long |
+| ocsf.process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword |
+| ocsf.process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.process.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.process.user.email_addr | The user's email address. | keyword |
+| ocsf.process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.process.user.groups.desc | The group description. | keyword |
+| ocsf.process.user.groups.name | The group name. | keyword |
+| ocsf.process.user.groups.privileges | The group privileges. | keyword |
+| ocsf.process.user.groups.type | The type of the group or account. | keyword |
+| ocsf.process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.process.user.name | The username. For example, janedoe1. | keyword |
+| ocsf.process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.process.user.type_id | The account type identifier. | keyword |
+| ocsf.process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
+| ocsf.proxy.domain | The name of the domain. | keyword |
+| ocsf.proxy.hostname | The fully qualified name of the endpoint. | keyword |
+| ocsf.proxy.instance_uid | The unique identifier of a VM instance. | keyword |
+| ocsf.proxy.interface_name | The name of the network interface (e.g. eth2). | keyword |
+| ocsf.proxy.interface_uid | The unique identifier of the network interface. | keyword |
+| ocsf.proxy.intermediate_ips | The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. | ip |
+| ocsf.proxy.ip | The IP address of the endpoint, in either IPv4 or IPv6 format. | ip |
+| ocsf.proxy.location.city | The name of the city. | keyword |
+| ocsf.proxy.location.continent | The name of the continent. | keyword |
+| ocsf.proxy.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point |
+| ocsf.proxy.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword |
+| ocsf.proxy.location.desc | The description of the geographical location. | keyword |
+| ocsf.proxy.location.is_on_premises | The indication of whether the location is on premises. | boolean |
+| ocsf.proxy.location.isp | The name of the Internet Service Provider (ISP). | keyword |
+| ocsf.proxy.location.postal_code | The postal code of the location. | keyword |
+| ocsf.proxy.location.provider | The provider of the geographical location data. | keyword |
+| ocsf.proxy.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
+| ocsf.proxy.mac | The Media Access Control (MAC) address of the endpoint. | keyword |
+| ocsf.proxy.name | The short name of the endpoint. | keyword |
+| ocsf.proxy.port | The port used for communication within the network connection. | long |
+| ocsf.proxy.subnet_uid | The unique identifier of a virtual subnet. | keyword |
+| ocsf.proxy.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword |
+| ocsf.proxy.uid | The unique identifier of the endpoint. | keyword |
+| ocsf.proxy.vlan_uid | The Virtual LAN identifier. | keyword |
+| ocsf.proxy.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.query.class | The class of resource records being queried. See RFC1035. For example: IN. | keyword |
+| ocsf.query.hostname | The hostname or domain being queried. For example: www.example.com | keyword |
+| ocsf.query.opcode | The DNS opcode specifies the type of the query message. | keyword |
+| ocsf.query.opcode_id | The DNS opcode ID specifies the normalized query message type. | keyword |
+| ocsf.query.packet_uid | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
+| ocsf.query.type | The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS. | keyword |
+| ocsf.query_time | The Domain Name System (DNS) query time. | date |
+| ocsf.query_time_dt | The Domain Name System (DNS) query time. | date |
+| ocsf.raw_data | The event data as received from the event source. | flattened |
+| ocsf.raw_data_keyword | | keyword |
+| ocsf.rcode | The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.rcode_id | The normalized identifier of the DNS server response code. | keyword |
+| ocsf.resources.cloud_partition | The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov). | keyword |
+| ocsf.resources.criticality | The criticality of the resource as defined by the event source. | keyword |
+| ocsf.resources.data | Additional data describing the resource. | flattened |
+| ocsf.resources.group.desc | The group description. | keyword |
+| ocsf.resources.group.name | The group name. | keyword |
+| ocsf.resources.group.privileges | The group privileges. | keyword |
+| ocsf.resources.group.type | The type of the group or account. | keyword |
+| ocsf.resources.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.resources.labels | The list of labels/tags associated to a resource. | keyword |
+| ocsf.resources.name | The name of the resource. | keyword |
+| ocsf.resources.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.resources.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.resources.owner.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.resources.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.resources.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.resources.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.resources.owner.email_addr | The user's email address. | keyword |
+| ocsf.resources.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.resources.owner.groups.desc | The group description. | keyword |
+| ocsf.resources.owner.groups.name | The group name. | keyword |
+| ocsf.resources.owner.groups.privileges | The group privileges. | keyword |
+| ocsf.resources.owner.groups.type | The type of the group or account. | keyword |
+| ocsf.resources.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.resources.owner.name | The username. For example, janedoe1. | keyword |
+| ocsf.resources.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.resources.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.resources.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.resources.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.resources.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.resources.owner.type_id | The account type identifier. | keyword |
+| ocsf.resources.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.resources.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.resources.region | The cloud region of the resource. | keyword |
+| ocsf.resources.type | The resource type as defined by the event source. | keyword |
+| ocsf.resources.uid | The unique identifier of the resource. | keyword |
+| ocsf.resources.version | The version of the resource. For example 1.2.3. | keyword |
+| ocsf.response_time | The Domain Name System (DNS) response time. | date |
+| ocsf.response_time_dt | The Domain Name System (DNS) response time. | date |
+| ocsf.risk_level | The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.risk_level_id | The normalized risk level id. | keyword |
+| ocsf.risk_score | The risk score as reported by the event source. | long |
+| ocsf.service.labels | The list of labels associated with the service. | keyword |
+| ocsf.service.name | The name of the service. | keyword |
+| ocsf.service.uid | The unique identifier of the service. | keyword |
+| ocsf.service.version | The version of the service. | keyword |
+| ocsf.session.created_time | The time when the session was created. | date |
+| ocsf.session.created_time_dt | The time when the session was created. | date |
+| ocsf.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.session.expiration_time | The session expiration time. | date |
+| ocsf.session.expiration_time_dt | The session expiration time. | date |
+| ocsf.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.session.issuer | The identifier of the session issuer. | keyword |
+| ocsf.session.mfa | | boolean |
+| ocsf.session.uid | The unique identifier of the session. | keyword |
+| ocsf.session.uuid | The universally unique identifier of the session. | keyword |
+| ocsf.severity | The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.severity_id | The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. | long |
+| ocsf.src_endpoint.domain | The name of the domain. | keyword |
+| ocsf.src_endpoint.hostname | The fully qualified name of the endpoint. | keyword |
+| ocsf.src_endpoint.instance_uid | The unique identifier of a VM instance. | keyword |
+| ocsf.src_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword |
+| ocsf.src_endpoint.interface_uid | The unique identifier of the network interface. | keyword |
+| ocsf.src_endpoint.intermediate_ips | The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. | ip |
+| ocsf.src_endpoint.ip | The IP address of the endpoint, in either IPv4 or IPv6 format. | ip |
+| ocsf.src_endpoint.location.city | The name of the city. | keyword |
+| ocsf.src_endpoint.location.continent | The name of the continent. | keyword |
+| ocsf.src_endpoint.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point |
+| ocsf.src_endpoint.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword |
+| ocsf.src_endpoint.location.desc | The description of the geographical location. | keyword |
+| ocsf.src_endpoint.location.is_on_premises | The indication of whether the location is on premises. | boolean |
+| ocsf.src_endpoint.location.isp | The name of the Internet Service Provider (ISP). | keyword |
+| ocsf.src_endpoint.location.postal_code | The postal code of the location. | keyword |
+| ocsf.src_endpoint.location.provider | The provider of the geographical location data. | keyword |
+| ocsf.src_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
+| ocsf.src_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword |
+| ocsf.src_endpoint.name | The short name of the endpoint. | keyword |
+| ocsf.src_endpoint.port | The port used for communication within the network connection. | long |
+| ocsf.src_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword |
+| ocsf.src_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword |
+| ocsf.src_endpoint.uid | The unique identifier of the endpoint. | keyword |
+| ocsf.src_endpoint.vlan_uid | The Virtual LAN identifier. | keyword |
+| ocsf.src_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.start_time | The start time of a time period, or the time of the least recent event included in the aggregate event. | date |
+| ocsf.start_time_dt | The start time of a time period, or the time of the least recent event included in the aggregate event. | date |
+| ocsf.state | The normalized state of a security finding. | keyword |
+| ocsf.state_id | The normalized state identifier of a security finding. | keyword |
+| ocsf.status | The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.status_code | The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18. | keyword |
+| ocsf.status_detail | The status details contains additional information about the event outcome. | keyword |
+| ocsf.status_id | The normalized identifier of the event status. | keyword |
+| ocsf.time | The normalized event occurrence time. | date |
+| ocsf.time_dt | The normalized event occurrence time. | date |
+| ocsf.timezone_offset | The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080. | long |
+| ocsf.tls.alert | The integer value of TLS alert if present. The alerts are defined in the TLS specification in RFC-2246. | long |
+| ocsf.tls.certificate.created_time | The time when the certificate was created. | date |
+| ocsf.tls.certificate.created_time_dt | The time when the certificate was created. | date |
+| ocsf.tls.certificate.expiration_time | The expiration time of the certificate. | date |
+| ocsf.tls.certificate.expiration_time_dt | The expiration time of the certificate. | date |
+| ocsf.tls.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.tls.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.tls.certificate.fingerprints.value | The digital fingerprint value. | keyword |
+| ocsf.tls.certificate.issuer | The certificate issuer distinguished name. | keyword |
+| ocsf.tls.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
+| ocsf.tls.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.tls.certificate.version | The certificate version. | keyword |
+| ocsf.tls.certificate_chain | The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer. | keyword |
+| ocsf.tls.cipher | The negotiated cipher suite. | keyword |
+| ocsf.tls.client_ciphers | The client cipher suites that were exchanged during the TLS handshake negotiation. | keyword |
+| ocsf.tls.extension_list.data | The data contains information specific to the particular extension type. | flattened |
+| ocsf.tls.extension_list.type | The TLS extension type. For example: Server Name. | keyword |
+| ocsf.tls.extension_list.type_id | The TLS extension type identifier. See The Transport Layer Security (TLS) extension page. | keyword |
+| ocsf.tls.handshake_dur | The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds. | long |
+| ocsf.tls.ja3_hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.tls.ja3_hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.tls.ja3_hash.value | The digital fingerprint value. | keyword |
+| ocsf.tls.ja3s_hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.tls.ja3s_hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.tls.ja3s_hash.value | The digital fingerprint value. | keyword |
+| ocsf.tls.key_length | The length of the encryption key. | long |
+| ocsf.tls.sans.name | Name of SAN (e.g. The actual IP Address or domain.) | keyword |
+| ocsf.tls.sans.type | Type descriptor of SAN (e.g. IP Address/domain/etc.) | keyword |
+| ocsf.tls.server_ciphers | The server cipher suites that were exchanged during the TLS handshake negotiation. | keyword |
+| ocsf.tls.sni | The Server Name Indication (SNI) extension sent by the client. | keyword |
+| ocsf.tls.version | The TLS protocol version. | keyword |
+| ocsf.traffic.bytes | The total number of bytes (in and out). | long |
+| ocsf.traffic.bytes_in | The number of bytes sent from the destination to the source. | long |
+| ocsf.traffic.bytes_out | The number of bytes sent from the source to the destination. | long |
+| ocsf.traffic.packets | The total number of packets (in and out). | long |
+| ocsf.traffic.packets_in | The number of packets sent from the destination to the source. | long |
+| ocsf.traffic.packets_out | The number of packets sent from the source to the destination. | long |
+| ocsf.type_name | The event type name, as defined by the type_uid. | keyword |
+| ocsf.type_uid | The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid \* 100 + activity_id. | keyword |
+| ocsf.unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | flattened |
+| ocsf.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.user.email_addr | The user's email address. | keyword |
+| ocsf.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.user.groups.desc | The group description. | keyword |
+| ocsf.user.groups.name | The group name. | keyword |
+| ocsf.user.groups.privileges | The group privileges. | keyword |
+| ocsf.user.groups.type | The type of the group or account. | keyword |
+| ocsf.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.user.name | The username. For example, janedoe1. | keyword |
+| ocsf.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.user.type_id | The account type identifier. | keyword |
+| ocsf.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.user_result.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.user_result.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.user_result.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.user_result.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.user_result.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.user_result.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.user_result.email_addr | The user's email address. | keyword |
+| ocsf.user_result.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.user_result.groups.desc | The group description. | keyword |
+| ocsf.user_result.groups.name | The group name. | keyword |
+| ocsf.user_result.groups.privileges | The group privileges. | keyword |
+| ocsf.user_result.groups.type | The type of the group or account. | keyword |
+| ocsf.user_result.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.user_result.name | The username. For example, janedoe1. | keyword |
+| ocsf.user_result.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.user_result.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.user_result.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.user_result.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.user_result.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.user_result.type_id | The account type identifier. | keyword |
+| ocsf.user_result.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.user_result.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.vulnerabilities.cve.created_time | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
+| ocsf.vulnerabilities.cve.created_time_dt | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
+| ocsf.vulnerabilities.cve.cvss.base_score | The CVSS base score. For example: 9.1. | double |
+| ocsf.vulnerabilities.cve.cvss.depth | The CVSS depth represents a depth of the equation used to calculate CVSS score. | keyword |
+| ocsf.vulnerabilities.cve.cvss.metrics.name | The name of the metric. | keyword |
+| ocsf.vulnerabilities.cve.cvss.metrics.value | The value of the metric. | keyword |
+| ocsf.vulnerabilities.cve.cvss.overall_score | The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1. | double |
+| ocsf.vulnerabilities.cve.cvss.severity | The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. | keyword |
+| ocsf.vulnerabilities.cve.cvss.vector_string | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. | keyword |
+| ocsf.vulnerabilities.cve.cvss.version | The CVSS version. For example: 3.1. | keyword |
+| ocsf.vulnerabilities.cve.cwe_uid | The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787. | keyword |
+| ocsf.vulnerabilities.cve.cwe_url | Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html. | keyword |
+| ocsf.vulnerabilities.cve.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date |
+| ocsf.vulnerabilities.cve.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date |
+| ocsf.vulnerabilities.cve.product.feature.name | The name of the feature. | keyword |
+| ocsf.vulnerabilities.cve.product.feature.uid | The unique identifier of the feature. | keyword |
+| ocsf.vulnerabilities.cve.product.feature.version | The version of the feature. | keyword |
+| ocsf.vulnerabilities.cve.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
+| ocsf.vulnerabilities.cve.product.name | The name of the product. | keyword |
+| ocsf.vulnerabilities.cve.product.path | The installation path of the product. | keyword |
+| ocsf.vulnerabilities.cve.product.uid | The unique identifier of the product. | keyword |
+| ocsf.vulnerabilities.cve.product.vendor_name | The name of the vendor of the product. | keyword |
+| ocsf.vulnerabilities.cve.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.vulnerabilities.cve.type | The vulnerability type as selected from a large dropdown menu during CVE refinement. | keyword |
+| ocsf.vulnerabilities.cve.uid | The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345. | keyword |
+| ocsf.vulnerabilities.desc | The description of the vulnerability. | keyword |
+| ocsf.vulnerabilities.fix_available | Indicates if a fix is available for the reported vulnerability. | boolean |
+| ocsf.vulnerabilities.kb_articles | The KB article/s related to the entity. | keyword |
+| ocsf.vulnerabilities.packages.architecture | Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. | keyword |
+| ocsf.vulnerabilities.packages.epoch | The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. | long |
+| ocsf.vulnerabilities.packages.license | The software license applied to this package. | keyword |
+| ocsf.vulnerabilities.packages.name | The software package name. | keyword |
+| ocsf.vulnerabilities.packages.release | Release is the number of times a version of the software has been packaged. | keyword |
+| ocsf.vulnerabilities.packages.version | The software package version. | keyword |
+| ocsf.vulnerabilities.references | Supporting reference URLs. | keyword |
+| ocsf.vulnerabilities.related_vulnerabilities | List of vulnerabilities that are related to this vulnerability. | keyword |
+| ocsf.vulnerabilities.severity | The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.vulnerabilities.title | The title of the vulnerability. | keyword |
+| ocsf.vulnerabilities.vendor_name | The vendor who identified the vulnerability. | keyword |
+| process.group.id | | keyword |
+| process.group.name | | keyword |
+| process.parent.user.domain | | keyword |
+| process.parent.user.email | | keyword |
+| process.parent.user.full_name | | keyword |
+| process.parent.user.group.id | | keyword |
+| process.parent.user.group.name | | keyword |
+| process.user.domain | | keyword |
+| process.user.email | | keyword |
+| process.user.full_name | | keyword |
+| process.user.group.id | | keyword |
+| process.user.group.name | | keyword |
+| tags | User defined tags. | keyword |
diff --git a/packages/amazon_security_lake/img/amazon-security-lake-application-activity-dashboard.png b/packages/amazon_security_lake/img/amazon-security-lake-application-activity-dashboard.png
new file mode 100644
index 00000000000..f0982c4e4fd
Binary files /dev/null and b/packages/amazon_security_lake/img/amazon-security-lake-application-activity-dashboard.png differ
diff --git a/packages/amazon_security_lake/img/amazon-security-lake-dns-activity-dashboard.png b/packages/amazon_security_lake/img/amazon-security-lake-dns-activity-dashboard.png
new file mode 100644
index 00000000000..c5111c2eebd
Binary files /dev/null and b/packages/amazon_security_lake/img/amazon-security-lake-dns-activity-dashboard.png differ
diff --git a/packages/amazon_security_lake/img/amazon-security-lake-findings-dashboard.png b/packages/amazon_security_lake/img/amazon-security-lake-findings-dashboard.png
new file mode 100644
index 00000000000..d7ec67d9038
Binary files /dev/null and b/packages/amazon_security_lake/img/amazon-security-lake-findings-dashboard.png differ
diff --git a/packages/amazon_security_lake/img/amazon-security-lake-identity-and-access-management-dashboard.png b/packages/amazon_security_lake/img/amazon-security-lake-identity-and-access-management-dashboard.png
new file mode 100644
index 00000000000..110b74ef6e1
Binary files /dev/null and b/packages/amazon_security_lake/img/amazon-security-lake-identity-and-access-management-dashboard.png differ
diff --git a/packages/amazon_security_lake/img/amazon-security-lake-logo.svg b/packages/amazon_security_lake/img/amazon-security-lake-logo.svg
new file mode 100644
index 00000000000..4717f407c0d
--- /dev/null
+++ b/packages/amazon_security_lake/img/amazon-security-lake-logo.svg
@@ -0,0 +1,18 @@
+
+
\ No newline at end of file
diff --git a/packages/amazon_security_lake/img/amazon-security-lake-network-activity-dashboard.png b/packages/amazon_security_lake/img/amazon-security-lake-network-activity-dashboard.png
new file mode 100644
index 00000000000..5e3863509bd
Binary files /dev/null and b/packages/amazon_security_lake/img/amazon-security-lake-network-activity-dashboard.png differ
diff --git a/packages/amazon_security_lake/img/amazon-security-lake-overview-dashboard.png b/packages/amazon_security_lake/img/amazon-security-lake-overview-dashboard.png
new file mode 100644
index 00000000000..0d357a308d6
Binary files /dev/null and b/packages/amazon_security_lake/img/amazon-security-lake-overview-dashboard.png differ
diff --git a/packages/amazon_security_lake/img/another_aws_account.png b/packages/amazon_security_lake/img/another_aws_account.png
new file mode 100644
index 00000000000..784f52d5826
Binary files /dev/null and b/packages/amazon_security_lake/img/another_aws_account.png differ
diff --git a/packages/amazon_security_lake/img/external_id.png b/packages/amazon_security_lake/img/external_id.png
new file mode 100644
index 00000000000..66252032cf5
Binary files /dev/null and b/packages/amazon_security_lake/img/external_id.png differ
diff --git a/packages/amazon_security_lake/img/role_type.png b/packages/amazon_security_lake/img/role_type.png
new file mode 100644
index 00000000000..1cf77954789
Binary files /dev/null and b/packages/amazon_security_lake/img/role_type.png differ
diff --git a/packages/amazon_security_lake/img/s3_full_access.png b/packages/amazon_security_lake/img/s3_full_access.png
new file mode 100644
index 00000000000..7b5f11eee20
Binary files /dev/null and b/packages/amazon_security_lake/img/s3_full_access.png differ
diff --git a/packages/amazon_security_lake/img/sqs_full_access.png b/packages/amazon_security_lake/img/sqs_full_access.png
new file mode 100644
index 00000000000..64651a70631
Binary files /dev/null and b/packages/amazon_security_lake/img/sqs_full_access.png differ
diff --git a/packages/amazon_security_lake/img/this_account.png b/packages/amazon_security_lake/img/this_account.png
new file mode 100644
index 00000000000..6ee07ccd07b
Binary files /dev/null and b/packages/amazon_security_lake/img/this_account.png differ
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json
new file mode 100644
index 00000000000..8f415fb059f
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json
@@ -0,0 +1,1698 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"ce6530d2-da12-4a80-a1c5-6d8db59eb0e7\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ce6530d2-da12-4a80-a1c5-6d8db59eb0e7\",\"fieldName\":\"ocsf.class_name\",\"title\":\"Class Name\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}},\"086e84d6-0fef-4a48-b5ab-690f9d0ccc53\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"086e84d6-0fef-4a48-b5ab-690f9d0ccc53\",\"fieldName\":\"ocsf.severity\",\"title\":\"Severity\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}},\"eb892b38-5d66-4b4d-899a-61337d4d983d\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"eb892b38-5d66-4b4d-899a-61337d4d983d\",\"fieldName\":\"ocsf.status\",\"title\":\"Status\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"e6d7989a-5bfc-4660-9454-bac14f584348\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"e6d7989a-5bfc-4660-9454-bac14f584348\",\"fieldName\":\"ocsf.activity_name\",\"title\":\"Activity Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"18f85de7-81ed-410e-85d9-eda519256b5d\":{\"type\":\"optionsListControl\",\"order\":4,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"18f85de7-81ed-410e-85d9-eda519256b5d\",\"fieldName\":\"ocsf.metadata.product.vendor_name\",\"title\":\"Vendor Name\",\"grow\":true,\"width\":\"medium\",\"exclude\":false,\"enhancements\":{}}},\"bb3d6e74-dbc2-4bd4-934f-08f26d059205\":{\"type\":\"optionsListControl\",\"order\":5,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"bb3d6e74-dbc2-4bd4-934f-08f26d059205\",\"fieldName\":\"cloud.account.id\",\"title\":\"Cloud Account ID\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}"
+ },
+ "description": "Overview of Application Activity logs collected by the Amazon Security Lake Integration.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n- **[Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)**\n \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the behavior of applications and services.\n\nPlease visit the [Application Activity](https://schema.ocsf.io/1.0.0-rc.3/categories/application) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 32,
+ "i": "f5b306a1-0dfb-40a3-8f01-897f41098d59",
+ "w": 10,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "f5b306a1-0dfb-40a3-8f01-897f41098d59",
+ "title": "Table of Contents",
+ "type": "visualization",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-60d0347c-d5be-4865-b28a-e7e734fcf811",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "01adfe37-b391-4468-9121-51b8760cf148",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "60d0347c-d5be-4865-b28a-e7e734fcf811": {
+ "columnOrder": [
+ "6df2881f-6923-4191-a978-7756f616bc53",
+ "9d8fa6fa-5a2c-4b5d-bb7c-c21b2e2ef0bb"
+ ],
+ "columns": {
+ "6df2881f-6923-4191-a978-7756f616bc53": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Source IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9d8fa6fa-5a2c-4b5d-bb7c-c21b2e2ef0bb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ },
+ "9d8fa6fa-5a2c-4b5d-bb7c-c21b2e2ef0bb": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "01adfe37-b391-4468-9121-51b8760cf148",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "6"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "6"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "6df2881f-6923-4191-a978-7756f616bc53",
+ "isTransposed": false
+ },
+ {
+ "columnId": "9d8fa6fa-5a2c-4b5d-bb7c-c21b2e2ef0bb",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "60d0347c-d5be-4865-b28a-e7e734fcf811",
+ "layerType": "data",
+ "paging": {
+ "enabled": false,
+ "size": 10
+ },
+ "rowHeight": "single",
+ "rowHeightLines": 1
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "efb41cd8-6a78-461f-8787-a61e80618115",
+ "w": 19,
+ "x": 10,
+ "y": 0
+ },
+ "panelIndex": "efb41cd8-6a78-461f-8787-a61e80618115",
+ "title": "Top 10 Source IP [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-60d0347c-d5be-4865-b28a-e7e734fcf811",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ff4c9e45-12ea-4b80-a278-9d94f71f2e68",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "60d0347c-d5be-4865-b28a-e7e734fcf811": {
+ "columnOrder": [
+ "6df2881f-6923-4191-a978-7756f616bc53",
+ "9d8fa6fa-5a2c-4b5d-bb7c-c21b2e2ef0bb"
+ ],
+ "columns": {
+ "6df2881f-6923-4191-a978-7756f616bc53": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Destination IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9d8fa6fa-5a2c-4b5d-bb7c-c21b2e2ef0bb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "destination.ip"
+ },
+ "9d8fa6fa-5a2c-4b5d-bb7c-c21b2e2ef0bb": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "ff4c9e45-12ea-4b80-a278-9d94f71f2e68",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "6"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "6"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "6df2881f-6923-4191-a978-7756f616bc53",
+ "isTransposed": false
+ },
+ {
+ "columnId": "9d8fa6fa-5a2c-4b5d-bb7c-c21b2e2ef0bb",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "60d0347c-d5be-4865-b28a-e7e734fcf811",
+ "layerType": "data",
+ "paging": {
+ "enabled": false,
+ "size": 10
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "da28d9c3-198a-4986-aee2-f9dd5979d8b2",
+ "w": 19,
+ "x": 29,
+ "y": 0
+ },
+ "panelIndex": "da28d9c3-198a-4986-aee2-f9dd5979d8b2",
+ "title": "Top 10 Destination IP [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e287bc8c-5332-41e7-ab33-a29f5a2cdcdf",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f045fe67-6d01-40b4-91a6-e7f5b558e029",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e287bc8c-5332-41e7-ab33-a29f5a2cdcdf": {
+ "columnOrder": [
+ "35b3e177-74e8-460b-aea5-8ac2d04fb4ef",
+ "b8da9cc8-03a8-4415-96ac-b080dd624e36"
+ ],
+ "columns": {
+ "35b3e177-74e8-460b-aea5-8ac2d04fb4ef": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Resources Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b8da9cc8-03a8-4415-96ac-b080dd624e36",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.resources.name"
+ },
+ "b8da9cc8-03a8-4415-96ac-b080dd624e36": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "f045fe67-6d01-40b4-91a6-e7f5b558e029",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "6"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "6"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "35b3e177-74e8-460b-aea5-8ac2d04fb4ef"
+ },
+ {
+ "columnId": "b8da9cc8-03a8-4415-96ac-b080dd624e36"
+ }
+ ],
+ "layerId": "e287bc8c-5332-41e7-ab33-a29f5a2cdcdf",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "91e008ad-1307-4cf7-b0d7-b201141160e2",
+ "w": 19,
+ "x": 10,
+ "y": 16
+ },
+ "panelIndex": "91e008ad-1307-4cf7-b0d7-b201141160e2",
+ "title": "Top 10 Affected Resources [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5da09b6f-a373-4644-a8af-e4ebf0bf185b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1d4ea350-d347-42ec-9119-1e0927bdf7f7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "5da09b6f-a373-4644-a8af-e4ebf0bf185b": {
+ "columnOrder": [
+ "b17bc406-4b46-453c-8cf0-e9bb12a213de",
+ "5fe67885-e1f2-494d-8fc3-ee1d3fba9978"
+ ],
+ "columns": {
+ "5fe67885-e1f2-494d-8fc3-ee1d3fba9978": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "b17bc406-4b46-453c-8cf0-e9bb12a213de": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Activity Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "5fe67885-e1f2-494d-8fc3-ee1d3fba9978",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.activity_name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "1d4ea350-d347-42ec-9119-1e0927bdf7f7",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "6"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "6"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "5fe67885-e1f2-494d-8fc3-ee1d3fba9978"
+ ],
+ "layerId": "5da09b6f-a373-4644-a8af-e4ebf0bf185b",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "b17bc406-4b46-453c-8cf0-e9bb12a213de"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "1b312846-0250-4c85-b330-35bfbf3daf0a",
+ "w": 19,
+ "x": 29,
+ "y": 16
+ },
+ "panelIndex": "1b312846-0250-4c85-b330-35bfbf3daf0a",
+ "title": "Events by Activity [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-ff268b38-ca7f-414f-a28d-52dc545a0273",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a5f19bee-ce3a-4213-a865-c257292fce4a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ff268b38-ca7f-414f-a28d-52dc545a0273": {
+ "columnOrder": [
+ "25109996-00b3-4602-a3c3-8d0becb6579f",
+ "8031ca52-3058-465b-a173-b9dd340eed7a",
+ "22ab8cfc-6ee9-4279-bc6b-24316e35d212"
+ ],
+ "columns": {
+ "22ab8cfc-6ee9-4279-bc6b-24316e35d212": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "25109996-00b3-4602-a3c3-8d0becb6579f": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Service Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "22ab8cfc-6ee9-4279-bc6b-24316e35d212",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.api.service.name"
+ },
+ "8031ca52-3058-465b-a173-b9dd340eed7a": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "a5f19bee-ce3a-4213-a865-c257292fce4a",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "6"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "6"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "22ab8cfc-6ee9-4279-bc6b-24316e35d212"
+ ],
+ "layerId": "ff268b38-ca7f-414f-a28d-52dc545a0273",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "25109996-00b3-4602-a3c3-8d0becb6579f",
+ "xAccessor": "8031ca52-3058-465b-a173-b9dd340eed7a"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "large",
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "45eebc37-b634-45c6-8e06-5c2dca8d2da4",
+ "w": 24,
+ "x": 0,
+ "y": 32
+ },
+ "panelIndex": "45eebc37-b634-45c6-8e06-5c2dca8d2da4",
+ "title": "API Activity by Service over Time [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-be4dcc14-4ee0-44ec-9115-16b830d6edc3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "096e7c99-543a-40d0-8b19-7ca246d3fd16",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "be4dcc14-4ee0-44ec-9115-16b830d6edc3": {
+ "columnOrder": [
+ "f3c33145-44b3-4ac3-93b6-9579190515a2",
+ "264d5daa-5e07-43dc-a551-fb3e09b3042c",
+ "bfd62117-1ec7-4913-8137-762c04c3c716"
+ ],
+ "columns": {
+ "264d5daa-5e07-43dc-a551-fb3e09b3042c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Operation",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bfd62117-1ec7-4913-8137-762c04c3c716",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.api.operation"
+ },
+ "bfd62117-1ec7-4913-8137-762c04c3c716": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f3c33145-44b3-4ac3-93b6-9579190515a2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Actor Account UID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bfd62117-1ec7-4913-8137-762c04c3c716",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.actor.user.account.uid"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "096e7c99-543a-40d0-8b19-7ca246d3fd16",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "6"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "6"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "bfd62117-1ec7-4913-8137-762c04c3c716"
+ ],
+ "layerId": "be4dcc14-4ee0-44ec-9115-16b830d6edc3",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "splitAccessor": "264d5daa-5e07-43dc-a551-fb3e09b3042c",
+ "xAccessor": "f3c33145-44b3-4ac3-93b6-9579190515a2"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_horizontal_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "7047cace-d1ab-4132-b446-80309dcf6563",
+ "w": 24,
+ "x": 24,
+ "y": 32
+ },
+ "panelIndex": "7047cace-d1ab-4132-b446-80309dcf6563",
+ "title": "API Operation by Account ID [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f1794c60-78b6-41a2-9c74-bf7f932f4710",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "db62012c-71c0-4550-83aa-d7c1e151921c",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f1794c60-78b6-41a2-9c74-bf7f932f4710": {
+ "columnOrder": [
+ "53fbc38e-ce20-4d9b-b5ee-b716f04ce5b6",
+ "66f7a12f-a5c2-4328-a33f-ea61a931e5fd",
+ "2b254dfb-8e44-465c-8964-cd450f301aab"
+ ],
+ "columns": {
+ "2b254dfb-8e44-465c-8964-cd450f301aab": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "53fbc38e-ce20-4d9b-b5ee-b716f04ce5b6": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Operation",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2b254dfb-8e44-465c-8964-cd450f301aab",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.api.operation"
+ },
+ "66f7a12f-a5c2-4328-a33f-ea61a931e5fd": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Service Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2b254dfb-8e44-465c-8964-cd450f301aab",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.api.service.name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "db62012c-71c0-4550-83aa-d7c1e151921c",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "6"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "6"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "gridConfig": {
+ "isCellLabelVisible": true,
+ "isXAxisLabelVisible": true,
+ "isXAxisTitleVisible": true,
+ "isYAxisLabelVisible": true,
+ "isYAxisTitleVisible": false,
+ "type": "heatmap_grid",
+ "xTitle": ""
+ },
+ "layerId": "f1794c60-78b6-41a2-9c74-bf7f932f4710",
+ "layerType": "data",
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "type": "heatmap_legend"
+ },
+ "palette": {
+ "accessor": "2b254dfb-8e44-465c-8964-cd450f301aab",
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#6092c0",
+ "stop": 0
+ },
+ {
+ "color": "#a8bfda",
+ "stop": 10
+ },
+ {
+ "color": "#ebeff5",
+ "stop": 20
+ },
+ {
+ "color": "#ecb385",
+ "stop": 30
+ },
+ {
+ "color": "#e7664c",
+ "stop": 40
+ },
+ {
+ "color": "#e7664c",
+ "stop": 50
+ },
+ {
+ "color": "#e7664c",
+ "stop": 60
+ },
+ {
+ "color": "#e7664c",
+ "stop": 70
+ },
+ {
+ "color": "#e7664c",
+ "stop": 80
+ },
+ {
+ "color": "#e7664c",
+ "stop": 90
+ }
+ ],
+ "continuity": "above",
+ "name": "custom",
+ "rangeMax": null,
+ "rangeMin": 0,
+ "rangeType": "percent",
+ "steps": 5,
+ "stops": [
+ {
+ "color": "#6092c0",
+ "stop": 10
+ },
+ {
+ "color": "#a8bfda",
+ "stop": 20
+ },
+ {
+ "color": "#ebeff5",
+ "stop": 30
+ },
+ {
+ "color": "#ecb385",
+ "stop": 40
+ },
+ {
+ "color": "#e7664c",
+ "stop": 50
+ },
+ {
+ "color": "#e7664c",
+ "stop": 60
+ },
+ {
+ "color": "#e7664c",
+ "stop": 70
+ },
+ {
+ "color": "#e7664c",
+ "stop": 80
+ },
+ {
+ "color": "#e7664c",
+ "stop": 90
+ },
+ {
+ "color": "#e7664c",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "shape": "heatmap",
+ "valueAccessor": "2b254dfb-8e44-465c-8964-cd450f301aab",
+ "xAccessor": "53fbc38e-ce20-4d9b-b5ee-b716f04ce5b6",
+ "yAccessor": "66f7a12f-a5c2-4328-a33f-ea61a931e5fd"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsHeatmap"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "96e95a12-c91a-4ecb-aa52-52884e5af866",
+ "w": 48,
+ "x": 0,
+ "y": 47
+ },
+ "panelIndex": "96e95a12-c91a-4ecb-aa52-52884e5af866",
+ "title": "API Operation by Service [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "bafa4a84-cd88-474c-b184-abf585029430",
+ "w": 48,
+ "x": 0,
+ "y": 62
+ },
+ "panelIndex": "bafa4a84-cd88-474c-b184-abf585029430",
+ "panelRefName": "panel_bafa4a84-cd88-474c-b184-abf585029430",
+ "type": "search",
+ "version": "8.9.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Amazon Security Lake] Application Activity",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T12:38:16.057Z",
+ "id": "amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "efb41cd8-6a78-461f-8787-a61e80618115:indexpattern-datasource-layer-60d0347c-d5be-4865-b28a-e7e734fcf811",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "efb41cd8-6a78-461f-8787-a61e80618115:01adfe37-b391-4468-9121-51b8760cf148",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "da28d9c3-198a-4986-aee2-f9dd5979d8b2:indexpattern-datasource-layer-60d0347c-d5be-4865-b28a-e7e734fcf811",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "da28d9c3-198a-4986-aee2-f9dd5979d8b2:ff4c9e45-12ea-4b80-a278-9d94f71f2e68",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "91e008ad-1307-4cf7-b0d7-b201141160e2:indexpattern-datasource-layer-e287bc8c-5332-41e7-ab33-a29f5a2cdcdf",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "91e008ad-1307-4cf7-b0d7-b201141160e2:f045fe67-6d01-40b4-91a6-e7f5b558e029",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1b312846-0250-4c85-b330-35bfbf3daf0a:indexpattern-datasource-layer-5da09b6f-a373-4644-a8af-e4ebf0bf185b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1b312846-0250-4c85-b330-35bfbf3daf0a:1d4ea350-d347-42ec-9119-1e0927bdf7f7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "45eebc37-b634-45c6-8e06-5c2dca8d2da4:indexpattern-datasource-layer-ff268b38-ca7f-414f-a28d-52dc545a0273",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "45eebc37-b634-45c6-8e06-5c2dca8d2da4:a5f19bee-ce3a-4213-a865-c257292fce4a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7047cace-d1ab-4132-b446-80309dcf6563:indexpattern-datasource-layer-be4dcc14-4ee0-44ec-9115-16b830d6edc3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7047cace-d1ab-4132-b446-80309dcf6563:096e7c99-543a-40d0-8b19-7ca246d3fd16",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "96e95a12-c91a-4ecb-aa52-52884e5af866:indexpattern-datasource-layer-f1794c60-78b6-41a2-9c74-bf7f932f4710",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "96e95a12-c91a-4ecb-aa52-52884e5af866:db62012c-71c0-4550-83aa-d7c1e151921c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "amazon_security_lake-81902d50-2538-11ee-9f72-193490b86197",
+ "name": "bafa4a84-cd88-474c-b184-abf585029430:panel_bafa4a84-cd88-474c-b184-abf585029430",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_ce6530d2-da12-4a80-a1c5-6d8db59eb0e7:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_086e84d6-0fef-4a48-b5ab-690f9d0ccc53:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_eb892b38-5d66-4b4d-899a-61337d4d983d:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_e6d7989a-5bfc-4660-9454-bac14f584348:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_18f85de7-81ed-410e-85d9-eda519256b5d:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_bb3d6e74-dbc2-4bd4-934f-08f26d059205:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "migrationVersion": {
+ "dashboard": "8.9.0"
+ }
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json
new file mode 100644
index 00000000000..140c0d3ac01
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json
@@ -0,0 +1,2029 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"146b8dc5-7437-4acc-93e1-c568a105be16\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"146b8dc5-7437-4acc-93e1-c568a105be16\",\"fieldName\":\"network.direction\",\"title\":\"Network Direction\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"1fe50755-27ba-41f0-b672-dce437b98557\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"1fe50755-27ba-41f0-b672-dce437b98557\",\"fieldName\":\"ocsf.disposition\",\"title\":\"Disposition\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"5ab63202-e00a-43b6-81df-496939c0007b\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5ab63202-e00a-43b6-81df-496939c0007b\",\"fieldName\":\"ocsf.status\",\"title\":\"Status\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"324bcb80-53e2-4ae0-8b7d-d6ec8ca2de3d\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"324bcb80-53e2-4ae0-8b7d-d6ec8ca2de3d\",\"fieldName\":\"ocsf.activity_name\",\"title\":\"Activity Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"ddd4bf99-1fba-45a6-9e55-6cefd4b269ee\":{\"type\":\"optionsListControl\",\"order\":4,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ddd4bf99-1fba-45a6-9e55-6cefd4b269ee\",\"fieldName\":\"ocsf.metadata.product.vendor_name\",\"title\":\"Vendor Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"c949847f-4ef3-4f46-b1a9-1c3130e3e86e\":{\"type\":\"optionsListControl\",\"order\":5,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"c949847f-4ef3-4f46-b1a9-1c3130e3e86e\",\"fieldName\":\"cloud.account.id\",\"title\":\"Cloud Account ID\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}"
+ },
+ "description": "Overview of DNS Activity logs collected by the Amazon Security Lake Integration.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - **[DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386)** \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of DNS queries and answers as seen on the network.\n\nPlease visit the [DNS Activity](https://schema.ocsf.io/1.0.0-rc.3/classes/dns_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 38,
+ "i": "47b3e796-92a7-4d88-beee-c24d88d89c9c",
+ "w": 9,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "47b3e796-92a7-4d88-beee-c24d88d89c9c",
+ "title": "Table of Contents",
+ "type": "visualization",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d15ef038-24a3-4b9a-8cf9-c7b2b9b0ab71",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fc30d965-b92e-4e6e-b5b3-6ed82b7644db": {
+ "columnOrder": [
+ "f624a888-8bf5-419c-926d-1173ea5d4724"
+ ],
+ "columns": {
+ "f624a888-8bf5-419c-926d-1173ea5d4724": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "DNS Events",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "compact": true,
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d15ef038-24a3-4b9a-8cf9-c7b2b9b0ab71",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "layerType": "data",
+ "metricAccessor": "f624a888-8bf5-419c-926d-1173ea5d4724"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 6,
+ "i": "7fd8f250-f076-4e19-b90f-3c6674fe3764",
+ "w": 13,
+ "x": 9,
+ "y": 0
+ },
+ "panelIndex": "7fd8f250-f076-4e19-b90f-3c6674fe3764",
+ "title": "DNS Events [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7b2080fa-08dd-4bf5-bb82-ab43d5066168",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fc30d965-b92e-4e6e-b5b3-6ed82b7644db": {
+ "columnOrder": [
+ "f624a888-8bf5-419c-926d-1173ea5d4724"
+ ],
+ "columns": {
+ "f624a888-8bf5-419c-926d-1173ea5d4724": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Source Bytes",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "source.bytes"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "7b2080fa-08dd-4bf5-bb82-ab43d5066168",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "layerType": "data",
+ "metricAccessor": "f624a888-8bf5-419c-926d-1173ea5d4724"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 6,
+ "i": "414d0a8c-750b-4dec-9c89-64a0715c0c12",
+ "w": 13,
+ "x": 22,
+ "y": 0
+ },
+ "panelIndex": "414d0a8c-750b-4dec-9c89-64a0715c0c12",
+ "title": "Source Bytes [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f43fcaf6-a153-427f-8cea-276d6bc15a26",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fc30d965-b92e-4e6e-b5b3-6ed82b7644db": {
+ "columnOrder": [
+ "f624a888-8bf5-419c-926d-1173ea5d4724"
+ ],
+ "columns": {
+ "f624a888-8bf5-419c-926d-1173ea5d4724": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Destination Bytes",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "destination.bytes"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "f43fcaf6-a153-427f-8cea-276d6bc15a26",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "layerType": "data",
+ "metricAccessor": "f624a888-8bf5-419c-926d-1173ea5d4724"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 6,
+ "i": "6251f24e-1f8f-4202-84d5-72c52c0c14bb",
+ "w": 13,
+ "x": 35,
+ "y": 0
+ },
+ "panelIndex": "6251f24e-1f8f-4202-84d5-72c52c0c14bb",
+ "title": "Destination Bytes [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d0942f3c-2022-40eb-a036-8af6cb29ec3e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "DNS Response Code",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "dns.response_code"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d0942f3c-2022-40eb-a036-8af6cb29ec3e",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "seriesType": "bar",
+ "xAccessor": "d305cb44-9e31-4421-9e8f-167a2e389d7d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "1173f95a-d30e-4c70-81e3-9dd38693df3e",
+ "w": 39,
+ "x": 9,
+ "y": 6
+ },
+ "panelIndex": "1173f95a-d30e-4c70-81e3-9dd38693df3e",
+ "title": "Events by DNS Response Code [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3b2db439-6ae3-4106-add5-8042eac63aec",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "DNS Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "dns.question.name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "3b2db439-6ae3-4106-add5-8042eac63aec",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "d305cb44-9e31-4421-9e8f-167a2e389d7d",
+ "width": 556
+ },
+ {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ }
+ ],
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "paging": {
+ "enabled": false,
+ "size": 10
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "fd7a8891-cbcb-4c47-855f-5a87fbaecf06",
+ "w": 20,
+ "x": 28,
+ "y": 23
+ },
+ "panelIndex": "fd7a8891-cbcb-4c47-855f-5a87fbaecf06",
+ "title": "Top DNS Name [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "da18e980-dcb6-43ae-adfc-bd3906c315b6",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "7ce3e25e-ff5b-4dc0-9e2c-ce748b332d2e",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "7ce3e25e-ff5b-4dc0-9e2c-ce748b332d2e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "DNS OP Code",
+ "operationType": "filters",
+ "params": {
+ "filters": [
+ {
+ "input": {
+ "language": "kuery",
+ "query": "ocsf.query.opcode_id : \"0\""
+ },
+ "label": "Query"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "ocsf.query.opcode_id : \"1\" "
+ },
+ "label": "Inverse Query"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "ocsf.query.opcode_id : \"2\" "
+ },
+ "label": "Status"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "ocsf.query.opcode_id : \"3\" "
+ },
+ "label": "Reserved"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "ocsf.query.opcode_id : \"4\" "
+ },
+ "label": "Notify"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "ocsf.query.opcode_id : \"5\" "
+ },
+ "label": "Update"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "ocsf.query.opcode_id : \"6\" "
+ },
+ "label": "DSO Message"
+ }
+ ]
+ },
+ "scale": "ordinal"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "da18e980-dcb6-43ae-adfc-bd3906c315b6",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "7ce3e25e-ff5b-4dc0-9e2c-ce748b332d2e"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "da2d1627-177e-41fe-8de3-5e3401259543",
+ "w": 19,
+ "x": 9,
+ "y": 22
+ },
+ "panelIndex": "da2d1627-177e-41fe-8de3-5e3401259543",
+ "title": "Events by DNS OP Codes [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "dfc51bb8-dbf1-42fc-b464-374b0f921691",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "DNS Question Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "dns.question.type"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "dfc51bb8-dbf1-42fc-b464-374b0f921691",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "ca0538b6-d0ee-4105-8dc6-5268799b7ac8",
+ "w": 24,
+ "x": 0,
+ "y": 38
+ },
+ "panelIndex": "ca0538b6-d0ee-4105-8dc6-5268799b7ac8",
+ "title": "Events by DNS Question Types [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2af5f3cf-6cca-4c14-a4d1-d84b97ba300f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "DNS Question Class",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "dns.question.class"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "2af5f3cf-6cca-4c14-a4d1-d84b97ba300f",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "6d496e8d-e114-4e71-86a8-864641f166ef",
+ "w": 24,
+ "x": 24,
+ "y": 39
+ },
+ "panelIndex": "6d496e8d-e114-4e71-86a8-864641f166ef",
+ "title": "Events by DNS Question Classes [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "02cdedec-71ea-4ed7-a85e-da7aa584f65f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "DNS Answers Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "dns.answers.type"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "02cdedec-71ea-4ed7-a85e-da7aa584f65f",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "003c1e21-610c-4837-8ee3-629d002477a9",
+ "w": 24,
+ "x": 0,
+ "y": 54
+ },
+ "panelIndex": "003c1e21-610c-4837-8ee3-629d002477a9",
+ "title": "Events by DNS Answer Types [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "05afc905-71b4-4dbc-ac86-13dbc81adbc1",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "DNS Answers Class",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "dns.answers.class"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "05afc905-71b4-4dbc-ac86-13dbc81adbc1",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "d305cb44-9e31-4421-9e8f-167a2e389d7d"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "b420b9ce-6b5e-44f8-afee-a99582a0c17e",
+ "w": 24,
+ "x": 24,
+ "y": 55
+ },
+ "panelIndex": "b420b9ce-6b5e-44f8-afee-a99582a0c17e",
+ "title": "Events by DNS Answer Classes [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "30811950-e17a-44f3-a7f7-7eb0c25c5b8e",
+ "w": 48,
+ "x": 0,
+ "y": 71
+ },
+ "panelIndex": "30811950-e17a-44f3-a7f7-7eb0c25c5b8e",
+ "panelRefName": "panel_30811950-e17a-44f3-a7f7-7eb0c25c5b8e",
+ "type": "search",
+ "version": "8.9.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Amazon Security Lake] DNS Activity",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T12:23:53.235Z",
+ "id": "amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "7fd8f250-f076-4e19-b90f-3c6674fe3764:indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7fd8f250-f076-4e19-b90f-3c6674fe3764:d15ef038-24a3-4b9a-8cf9-c7b2b9b0ab71",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "414d0a8c-750b-4dec-9c89-64a0715c0c12:indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "414d0a8c-750b-4dec-9c89-64a0715c0c12:7b2080fa-08dd-4bf5-bb82-ab43d5066168",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6251f24e-1f8f-4202-84d5-72c52c0c14bb:indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6251f24e-1f8f-4202-84d5-72c52c0c14bb:f43fcaf6-a153-427f-8cea-276d6bc15a26",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1173f95a-d30e-4c70-81e3-9dd38693df3e:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1173f95a-d30e-4c70-81e3-9dd38693df3e:d0942f3c-2022-40eb-a036-8af6cb29ec3e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fd7a8891-cbcb-4c47-855f-5a87fbaecf06:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fd7a8891-cbcb-4c47-855f-5a87fbaecf06:3b2db439-6ae3-4106-add5-8042eac63aec",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "da2d1627-177e-41fe-8de3-5e3401259543:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "da2d1627-177e-41fe-8de3-5e3401259543:da18e980-dcb6-43ae-adfc-bd3906c315b6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ca0538b6-d0ee-4105-8dc6-5268799b7ac8:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ca0538b6-d0ee-4105-8dc6-5268799b7ac8:dfc51bb8-dbf1-42fc-b464-374b0f921691",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6d496e8d-e114-4e71-86a8-864641f166ef:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6d496e8d-e114-4e71-86a8-864641f166ef:2af5f3cf-6cca-4c14-a4d1-d84b97ba300f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "003c1e21-610c-4837-8ee3-629d002477a9:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "003c1e21-610c-4837-8ee3-629d002477a9:02cdedec-71ea-4ed7-a85e-da7aa584f65f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b420b9ce-6b5e-44f8-afee-a99582a0c17e:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b420b9ce-6b5e-44f8-afee-a99582a0c17e:05afc905-71b4-4dbc-ac86-13dbc81adbc1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "amazon_security_lake-c2472e60-262e-11ee-a94e-bfa24df19b15",
+ "name": "30811950-e17a-44f3-a7f7-7eb0c25c5b8e:panel_30811950-e17a-44f3-a7f7-7eb0c25c5b8e",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_146b8dc5-7437-4acc-93e1-c568a105be16:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_1fe50755-27ba-41f0-b672-dce437b98557:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_5ab63202-e00a-43b6-81df-496939c0007b:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_324bcb80-53e2-4ae0-8b7d-d6ec8ca2de3d:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_ddd4bf99-1fba-45a6-9e55-6cefd4b269ee:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_c949847f-4ef3-4f46-b1a9-1c3130e3e86e:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "migrationVersion": {
+ "dashboard": "8.9.0"
+ }
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json
new file mode 100644
index 00000000000..5ee322fcb46
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json
@@ -0,0 +1,2438 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"146b8dc5-7437-4acc-93e1-c568a105be16\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"146b8dc5-7437-4acc-93e1-c568a105be16\",\"fieldName\":\"network.direction\",\"title\":\"Network Direction\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"1fe50755-27ba-41f0-b672-dce437b98557\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"1fe50755-27ba-41f0-b672-dce437b98557\",\"fieldName\":\"ocsf.disposition\",\"title\":\"Disposition\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"5ab63202-e00a-43b6-81df-496939c0007b\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5ab63202-e00a-43b6-81df-496939c0007b\",\"fieldName\":\"ocsf.status\",\"title\":\"Status\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"324bcb80-53e2-4ae0-8b7d-d6ec8ca2de3d\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"324bcb80-53e2-4ae0-8b7d-d6ec8ca2de3d\",\"fieldName\":\"ocsf.activity_name\",\"title\":\"Activity Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"ddd4bf99-1fba-45a6-9e55-6cefd4b269ee\":{\"type\":\"optionsListControl\",\"order\":4,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ddd4bf99-1fba-45a6-9e55-6cefd4b269ee\",\"fieldName\":\"ocsf.metadata.product.vendor_name\",\"title\":\"Vendor Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"c949847f-4ef3-4f46-b1a9-1c3130e3e86e\":{\"type\":\"optionsListControl\",\"order\":5,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"c949847f-4ef3-4f46-b1a9-1c3130e3e86e\",\"fieldName\":\"cloud.account.id\",\"title\":\"Cloud Account ID\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}"
+ },
+ "description": "Overview of Network Activity logs collected by the Amazon Security Lake Integration.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - **[Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15)** \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of Network connections and traffic activity.\n\nPlease visit the [Network Activity](https://schema.ocsf.io/1.0.0-rc.3/classes/network_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 38,
+ "i": "47b3e796-92a7-4d88-beee-c24d88d89c9c",
+ "w": 8,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "47b3e796-92a7-4d88-beee-c24d88d89c9c",
+ "title": "Table of Contents",
+ "type": "visualization",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4726e072-a199-415e-a4b0-73bcd5479824",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fc30d965-b92e-4e6e-b5b3-6ed82b7644db": {
+ "columnOrder": [
+ "f624a888-8bf5-419c-926d-1173ea5d4724"
+ ],
+ "columns": {
+ "f624a888-8bf5-419c-926d-1173ea5d4724": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Source Bytes",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "source.bytes"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "4726e072-a199-415e-a4b0-73bcd5479824",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "layerType": "data",
+ "metricAccessor": "f624a888-8bf5-419c-926d-1173ea5d4724"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 6,
+ "i": "414d0a8c-750b-4dec-9c89-64a0715c0c12",
+ "w": 10,
+ "x": 8,
+ "y": 0
+ },
+ "panelIndex": "414d0a8c-750b-4dec-9c89-64a0715c0c12",
+ "title": "Source Bytes [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "689e71ca-13a6-4664-aeb4-6dadb7b930c1",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fc30d965-b92e-4e6e-b5b3-6ed82b7644db": {
+ "columnOrder": [
+ "f624a888-8bf5-419c-926d-1173ea5d4724"
+ ],
+ "columns": {
+ "f624a888-8bf5-419c-926d-1173ea5d4724": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Destination Bytes",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "destination.bytes"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "689e71ca-13a6-4664-aeb4-6dadb7b930c1",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "layerType": "data",
+ "metricAccessor": "f624a888-8bf5-419c-926d-1173ea5d4724"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 6,
+ "i": "6251f24e-1f8f-4202-84d5-72c52c0c14bb",
+ "w": 10,
+ "x": 18,
+ "y": 0
+ },
+ "panelIndex": "6251f24e-1f8f-4202-84d5-72c52c0c14bb",
+ "title": "Destination Bytes [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7f056e4a-3845-420f-9773-04239028f55d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fc30d965-b92e-4e6e-b5b3-6ed82b7644db": {
+ "columnOrder": [
+ "f624a888-8bf5-419c-926d-1173ea5d4724"
+ ],
+ "columns": {
+ "f624a888-8bf5-419c-926d-1173ea5d4724": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Source Packets",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "source.packets"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "7f056e4a-3845-420f-9773-04239028f55d",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "layerType": "data",
+ "metricAccessor": "f624a888-8bf5-419c-926d-1173ea5d4724"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 6,
+ "i": "87ff7323-e049-494e-bd85-72c1f19ddca2",
+ "w": 10,
+ "x": 28,
+ "y": 0
+ },
+ "panelIndex": "87ff7323-e049-494e-bd85-72c1f19ddca2",
+ "title": "Source Packets [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f0d6d8db-0cb9-4fa6-81bf-e2bbcec1d9f8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fc30d965-b92e-4e6e-b5b3-6ed82b7644db": {
+ "columnOrder": [
+ "f624a888-8bf5-419c-926d-1173ea5d4724"
+ ],
+ "columns": {
+ "f624a888-8bf5-419c-926d-1173ea5d4724": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Destination Packets",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "destination.packets"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "f0d6d8db-0cb9-4fa6-81bf-e2bbcec1d9f8",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "layerType": "data",
+ "metricAccessor": "f624a888-8bf5-419c-926d-1173ea5d4724"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 6,
+ "i": "e1759cdd-d734-408e-a4c4-798d7246ca76",
+ "w": 10,
+ "x": 38,
+ "y": 0
+ },
+ "panelIndex": "e1759cdd-d734-408e-a4c4-798d7246ca76",
+ "title": "Destination Packets [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-dcddf672-7d9c-4bb4-95bc-b1cee460e3eb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f7d18b53-ccdb-4f96-b270-3dea624b82d0",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "dcddf672-7d9c-4bb4-95bc-b1cee460e3eb": {
+ "columnOrder": [
+ "baed034e-c9b5-4fad-bc05-6095befed0c8",
+ "283330d2-8238-4361-af3c-87a6f2b3f083"
+ ],
+ "columns": {
+ "283330d2-8238-4361-af3c-87a6f2b3f083": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Bytes",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "network.bytes"
+ },
+ "baed034e-c9b5-4fad-bc05-6095befed0c8": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "f7d18b53-ccdb-4f96-b270-3dea624b82d0",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "curveType": "LINEAR",
+ "emphasizeFitting": false,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "283330d2-8238-4361-af3c-87a6f2b3f083"
+ ],
+ "layerId": "dcddf672-7d9c-4bb4-95bc-b1cee460e3eb",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "baed034e-c9b5-4fad-bc05-6095befed0c8"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "27f78538-3a3c-4f67-a868-94e915a7ddd1",
+ "w": 40,
+ "x": 8,
+ "y": 6
+ },
+ "panelIndex": "27f78538-3a3c-4f67-a868-94e915a7ddd1",
+ "title": "Network Activity Transactions [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a1f4e021-bbc3-4fe1-8107-80cfacfa768b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "cd86cdd6-64e8-4813-aac4-e40dbe64b79d",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "cd86cdd6-64e8-4813-aac4-e40dbe64b79d": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Source IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "a1f4e021-bbc3-4fe1-8107-80cfacfa768b",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ },
+ {
+ "columnId": "cd86cdd6-64e8-4813-aac4-e40dbe64b79d",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 17,
+ "i": "fd7a8891-cbcb-4c47-855f-5a87fbaecf06",
+ "w": 20,
+ "x": 8,
+ "y": 21
+ },
+ "panelIndex": "fd7a8891-cbcb-4c47-855f-5a87fbaecf06",
+ "title": "Top 10 Source IP [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f6a453c9-2e74-48a0-89c6-9c4b90542e87",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "cd86cdd6-64e8-4813-aac4-e40dbe64b79d",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "cd86cdd6-64e8-4813-aac4-e40dbe64b79d": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Destination IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "destination.ip"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "f6a453c9-2e74-48a0-89c6-9c4b90542e87",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ },
+ {
+ "columnId": "cd86cdd6-64e8-4813-aac4-e40dbe64b79d",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 17,
+ "i": "f239088f-f933-4408-aa56-1c63a2700bfb",
+ "w": 20,
+ "x": 28,
+ "y": 21
+ },
+ "panelIndex": "f239088f-f933-4408-aa56-1c63a2700bfb",
+ "title": "Top 10 Destination IP [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6483fca1-8635-4c75-9e85-14e885d0bd1a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d237115c-7152-49ea-adbb-b88322cab4ef": {
+ "columnOrder": [
+ "a2cd27f4-1b52-479b-b5e6-6935e7d3bbd1",
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "columns": {
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "a2cd27f4-1b52-479b-b5e6-6935e7d3bbd1": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Network Direction",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6bf88690-ee2c-418f-9c0b-afafaa27320a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "network.direction"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "6483fca1-8635-4c75-9e85-14e885d0bd1a",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "d237115c-7152-49ea-adbb-b88322cab4ef",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "6bf88690-ee2c-418f-9c0b-afafaa27320a"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "a2cd27f4-1b52-479b-b5e6-6935e7d3bbd1"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "da2d1627-177e-41fe-8de3-5e3401259543",
+ "w": 24,
+ "x": 0,
+ "y": 38
+ },
+ "panelIndex": "da2d1627-177e-41fe-8de3-5e3401259543",
+ "title": "Events by Connection Direction [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0bcd3589-641f-4fec-aff9-d7138901e1d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d2c2da55-77b9-4b98-aa04-f28206c5177a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0bcd3589-641f-4fec-aff9-d7138901e1d8": {
+ "columnOrder": [
+ "7d21f980-098d-4c12-900b-67f4c3a075b5",
+ "35cbe380-eab7-4697-88db-313c43fa1b19"
+ ],
+ "columns": {
+ "35cbe380-eab7-4697-88db-313c43fa1b19": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "7d21f980-098d-4c12-900b-67f4c3a075b5": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Activity Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "35cbe380-eab7-4697-88db-313c43fa1b19",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.activity_name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d2c2da55-77b9-4b98-aa04-f28206c5177a",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "35cbe380-eab7-4697-88db-313c43fa1b19"
+ ],
+ "layerId": "0bcd3589-641f-4fec-aff9-d7138901e1d8",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "7d21f980-098d-4c12-900b-67f4c3a075b5"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "dd7bc155-8793-4e0c-9055-5a08ea8b55a8",
+ "w": 24,
+ "x": 24,
+ "y": 38
+ },
+ "panelIndex": "dd7bc155-8793-4e0c-9055-5a08ea8b55a8",
+ "title": "Events by Activity [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-ad4ac4f0-9cc2-4a77-bacf-8cc7f99ec77c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "84427391-beb7-4e36-9ad5-e415813653a1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "45b3157b-6ad2-4c80-8fda-4aada20a1b0f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "45b2322c-7045-4e41-95dc-ab1d8e03a1f1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "93c08461-9faa-450d-b39e-540a5067f5cf",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ad4ac4f0-9cc2-4a77-bacf-8cc7f99ec77c": {
+ "columnOrder": [
+ "769ade19-445d-43b3-92ee-03e9e00d5599",
+ "4dfa916c-3452-4ea3-8522-85fea4da5aac",
+ "872b5f40-2242-4b5b-889b-e91f0ef40c1e"
+ ],
+ "columns": {
+ "4dfa916c-3452-4ea3-8522-85fea4da5aac": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "External Destination IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "872b5f40-2242-4b5b-889b-e91f0ef40c1e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "destination.ip"
+ },
+ "769ade19-445d-43b3-92ee-03e9e00d5599": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Internal Source IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "872b5f40-2242-4b5b-889b-e91f0ef40c1e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ },
+ "872b5f40-2242-4b5b-889b-e91f0ef40c1e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Network Bytes",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "network.bytes"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "84427391-beb7-4e36-9ad5-e415813653a1",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "destination.ip",
+ "index": "45b3157b-6ad2-4c80-8fda-4aada20a1b0f",
+ "key": "destination.ip",
+ "negate": true,
+ "params": {
+ "gte": "10.0.0.0",
+ "lt": "10.255.255.255"
+ },
+ "type": "range",
+ "value": {
+ "gte": "10.0.0.0",
+ "lt": "10.255.255.255"
+ }
+ },
+ "query": {
+ "range": {
+ "destination.ip": {
+ "gte": "10.0.0.0",
+ "lt": "10.255.255.255"
+ }
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "destination.ip",
+ "index": "45b2322c-7045-4e41-95dc-ab1d8e03a1f1",
+ "key": "destination.ip",
+ "negate": true,
+ "params": {
+ "gte": "172.16.0.0",
+ "lt": "172.31.255.255"
+ },
+ "type": "range",
+ "value": {
+ "gte": "172.16.0.0",
+ "lt": "172.31.255.255"
+ }
+ },
+ "query": {
+ "range": {
+ "destination.ip": {
+ "gte": "172.16.0.0",
+ "lt": "172.31.255.255"
+ }
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "destination.ip",
+ "index": "93c08461-9faa-450d-b39e-540a5067f5cf",
+ "key": "destination.ip",
+ "negate": true,
+ "params": {
+ "gte": "192.168.0.0",
+ "lt": "192.168.255.255"
+ },
+ "type": "range",
+ "value": {
+ "gte": "192.168.0.0",
+ "lt": "192.168.255.255"
+ }
+ },
+ "query": {
+ "range": {
+ "destination.ip": {
+ "gte": "192.168.0.0",
+ "lt": "192.168.255.255"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "872b5f40-2242-4b5b-889b-e91f0ef40c1e",
+ "summaryRow": "none"
+ },
+ {
+ "alignment": "left",
+ "columnId": "769ade19-445d-43b3-92ee-03e9e00d5599"
+ },
+ {
+ "alignment": "left",
+ "columnId": "4dfa916c-3452-4ea3-8522-85fea4da5aac"
+ }
+ ],
+ "headerRowHeight": "single",
+ "headerRowHeightLines": 1,
+ "layerId": "ad4ac4f0-9cc2-4a77-bacf-8cc7f99ec77c",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Data table visualization (converted)",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "d7123b4f-9621-4b62-8588-fd9641b45354",
+ "w": 24,
+ "x": 0,
+ "y": 53
+ },
+ "panelIndex": "d7123b4f-9621-4b62-8588-fd9641b45354",
+ "title": "Top Egress Connections [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-ad4ac4f0-9cc2-4a77-bacf-8cc7f99ec77c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0ea702d6-08c8-45df-87a2-25c2a90de131",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6680ebc8-d677-487b-b668-2bac02935a0b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8aca3960-04da-495f-8e6f-1b72b6baa52b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8bd70c79-212b-4e09-a7b3-b01d5f278650",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ad4ac4f0-9cc2-4a77-bacf-8cc7f99ec77c": {
+ "columnOrder": [
+ "769ade19-445d-43b3-92ee-03e9e00d5599",
+ "4dfa916c-3452-4ea3-8522-85fea4da5aac",
+ "872b5f40-2242-4b5b-889b-e91f0ef40c1e"
+ ],
+ "columns": {
+ "4dfa916c-3452-4ea3-8522-85fea4da5aac": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Internal Destination IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "872b5f40-2242-4b5b-889b-e91f0ef40c1e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "destination.ip"
+ },
+ "769ade19-445d-43b3-92ee-03e9e00d5599": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "External Source IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "872b5f40-2242-4b5b-889b-e91f0ef40c1e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ },
+ "872b5f40-2242-4b5b-889b-e91f0ef40c1e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Network Bytes",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "network.bytes"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "0ea702d6-08c8-45df-87a2-25c2a90de131",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "source.ip",
+ "index": "6680ebc8-d677-487b-b668-2bac02935a0b",
+ "key": "source.ip",
+ "negate": true,
+ "params": {
+ "gte": "10.0.0.0",
+ "lt": "10.255.255.255"
+ },
+ "type": "range",
+ "value": {
+ "gte": "10.0.0.0",
+ "lt": "10.255.255.255"
+ }
+ },
+ "query": {
+ "range": {
+ "source.ip": {
+ "gte": "10.0.0.0",
+ "lt": "10.255.255.255"
+ }
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "source.ip",
+ "index": "8aca3960-04da-495f-8e6f-1b72b6baa52b",
+ "key": "source.ip",
+ "negate": true,
+ "params": {
+ "gte": "172.16.0.0",
+ "lt": "172.31.255.255"
+ },
+ "type": "range",
+ "value": {
+ "gte": "172.16.0.0",
+ "lt": "172.31.255.255"
+ }
+ },
+ "query": {
+ "range": {
+ "source.ip": {
+ "gte": "172.16.0.0",
+ "lt": "172.31.255.255"
+ }
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "source.ip",
+ "index": "8bd70c79-212b-4e09-a7b3-b01d5f278650",
+ "key": "source.ip",
+ "negate": true,
+ "params": {
+ "gte": "192.168.0.0",
+ "lt": "192.168.255.255"
+ },
+ "type": "range",
+ "value": {
+ "gte": "192.168.0.0",
+ "lt": "192.168.255.255"
+ }
+ },
+ "query": {
+ "range": {
+ "source.ip": {
+ "gte": "192.168.0.0",
+ "lt": "192.168.255.255"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "872b5f40-2242-4b5b-889b-e91f0ef40c1e",
+ "summaryRow": "none"
+ },
+ {
+ "alignment": "left",
+ "columnId": "769ade19-445d-43b3-92ee-03e9e00d5599"
+ },
+ {
+ "alignment": "left",
+ "columnId": "4dfa916c-3452-4ea3-8522-85fea4da5aac"
+ }
+ ],
+ "headerRowHeight": "single",
+ "headerRowHeightLines": 1,
+ "layerId": "ad4ac4f0-9cc2-4a77-bacf-8cc7f99ec77c",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "Data table visualization (converted)",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "9c1e245f-3704-4715-8cfc-b4be7258e8ff",
+ "w": 24,
+ "x": 24,
+ "y": 53
+ },
+ "panelIndex": "9c1e245f-3704-4715-8cfc-b4be7258e8ff",
+ "title": "Top Ingress Connections [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "0d000a88-cc8f-4bca-b86b-364df39c5496",
+ "w": 48,
+ "x": 0,
+ "y": 68
+ },
+ "panelIndex": "0d000a88-cc8f-4bca-b86b-364df39c5496",
+ "panelRefName": "panel_0d000a88-cc8f-4bca-b86b-364df39c5496",
+ "type": "search",
+ "version": "8.9.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Amazon Security Lake] Network Activity",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T12:28:16.666Z",
+ "id": "amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "414d0a8c-750b-4dec-9c89-64a0715c0c12:indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "414d0a8c-750b-4dec-9c89-64a0715c0c12:4726e072-a199-415e-a4b0-73bcd5479824",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6251f24e-1f8f-4202-84d5-72c52c0c14bb:indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6251f24e-1f8f-4202-84d5-72c52c0c14bb:689e71ca-13a6-4664-aeb4-6dadb7b930c1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "87ff7323-e049-494e-bd85-72c1f19ddca2:indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "87ff7323-e049-494e-bd85-72c1f19ddca2:7f056e4a-3845-420f-9773-04239028f55d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e1759cdd-d734-408e-a4c4-798d7246ca76:indexpattern-datasource-layer-fc30d965-b92e-4e6e-b5b3-6ed82b7644db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e1759cdd-d734-408e-a4c4-798d7246ca76:f0d6d8db-0cb9-4fa6-81bf-e2bbcec1d9f8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "27f78538-3a3c-4f67-a868-94e915a7ddd1:indexpattern-datasource-layer-dcddf672-7d9c-4bb4-95bc-b1cee460e3eb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "27f78538-3a3c-4f67-a868-94e915a7ddd1:f7d18b53-ccdb-4f96-b270-3dea624b82d0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fd7a8891-cbcb-4c47-855f-5a87fbaecf06:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fd7a8891-cbcb-4c47-855f-5a87fbaecf06:a1f4e021-bbc3-4fe1-8107-80cfacfa768b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f239088f-f933-4408-aa56-1c63a2700bfb:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f239088f-f933-4408-aa56-1c63a2700bfb:f6a453c9-2e74-48a0-89c6-9c4b90542e87",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "da2d1627-177e-41fe-8de3-5e3401259543:indexpattern-datasource-layer-d237115c-7152-49ea-adbb-b88322cab4ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "da2d1627-177e-41fe-8de3-5e3401259543:6483fca1-8635-4c75-9e85-14e885d0bd1a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "dd7bc155-8793-4e0c-9055-5a08ea8b55a8:indexpattern-datasource-layer-0bcd3589-641f-4fec-aff9-d7138901e1d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "dd7bc155-8793-4e0c-9055-5a08ea8b55a8:d2c2da55-77b9-4b98-aa04-f28206c5177a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d7123b4f-9621-4b62-8588-fd9641b45354:indexpattern-datasource-layer-ad4ac4f0-9cc2-4a77-bacf-8cc7f99ec77c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d7123b4f-9621-4b62-8588-fd9641b45354:84427391-beb7-4e36-9ad5-e415813653a1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d7123b4f-9621-4b62-8588-fd9641b45354:45b3157b-6ad2-4c80-8fda-4aada20a1b0f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d7123b4f-9621-4b62-8588-fd9641b45354:45b2322c-7045-4e41-95dc-ab1d8e03a1f1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d7123b4f-9621-4b62-8588-fd9641b45354:93c08461-9faa-450d-b39e-540a5067f5cf",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9c1e245f-3704-4715-8cfc-b4be7258e8ff:indexpattern-datasource-layer-ad4ac4f0-9cc2-4a77-bacf-8cc7f99ec77c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9c1e245f-3704-4715-8cfc-b4be7258e8ff:0ea702d6-08c8-45df-87a2-25c2a90de131",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9c1e245f-3704-4715-8cfc-b4be7258e8ff:6680ebc8-d677-487b-b668-2bac02935a0b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9c1e245f-3704-4715-8cfc-b4be7258e8ff:8aca3960-04da-495f-8e6f-1b72b6baa52b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9c1e245f-3704-4715-8cfc-b4be7258e8ff:8bd70c79-212b-4e09-a7b3-b01d5f278650",
+ "type": "index-pattern"
+ },
+ {
+ "id": "amazon_security_lake-16a0aa00-26dd-11ee-a94e-bfa24df19b15",
+ "name": "0d000a88-cc8f-4bca-b86b-364df39c5496:panel_0d000a88-cc8f-4bca-b86b-364df39c5496",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_146b8dc5-7437-4acc-93e1-c568a105be16:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_1fe50755-27ba-41f0-b672-dce437b98557:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_5ab63202-e00a-43b6-81df-496939c0007b:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_324bcb80-53e2-4ae0-8b7d-d6ec8ca2de3d:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_ddd4bf99-1fba-45a6-9e55-6cefd4b269ee:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_c949847f-4ef3-4f46-b1a9-1c3130e3e86e:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "migrationVersion": {
+ "dashboard": "8.9.0"
+ }
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json
new file mode 100644
index 00000000000..79e2e14cb94
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json
@@ -0,0 +1,1140 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"7074e9a5-6114-4da7-bcda-8104441487c1\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7074e9a5-6114-4da7-bcda-8104441487c1\",\"fieldName\":\"user.target.name\",\"title\":\"User Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"c55accdc-ba5b-467d-8886-4e095c3541b6\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"c55accdc-ba5b-467d-8886-4e095c3541b6\",\"fieldName\":\"ocsf.class_name\",\"title\":\"Class Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"382759ba-4df2-4ebe-91f9-3f918bdb35b0\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"382759ba-4df2-4ebe-91f9-3f918bdb35b0\",\"fieldName\":\"ocsf.severity\",\"title\":\"Severity\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"e6b905d7-7f36-4536-8dd5-5e9e9c6fcf1b\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"e6b905d7-7f36-4536-8dd5-5e9e9c6fcf1b\",\"fieldName\":\"ocsf.status\",\"title\":\"Status\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"ad220c7a-d5af-4662-9bcd-cbbbfa82013e\":{\"type\":\"optionsListControl\",\"order\":4,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"ad220c7a-d5af-4662-9bcd-cbbbfa82013e\",\"fieldName\":\"ocsf.activity_name\",\"title\":\"Activity Name\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"cc433e72-f5b3-4144-b157-465bcb175e1c\":{\"type\":\"optionsListControl\",\"order\":5,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"cc433e72-f5b3-4144-b157-465bcb175e1c\",\"fieldName\":\"ocsf.metadata.product.vendor_name\",\"title\":\"Vendor 
Name\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"03a40e7b-86e7-4ad3-8cd8-798446df8edd\":{\"type\":\"optionsListControl\",\"order\":6,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"03a40e7b-86e7-4ad3-8cd8-798446df8edd\",\"fieldName\":\"cloud.account.id\",\"title\":\"Cloud Account ID\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}}}"
+ },
+ "description": "Overview of Identity and Access Management logs collected by the Amazon Security Lake Integration.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- **[Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d)** \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of Identity \u0026 Access Management (IAM) events relate to the supervision of the system's authentication and access control model.\n\nPlease visit the [Identity \u0026 Access Management](https://schema.ocsf.io/1.0.0-rc.3/categories/iam) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 30,
+ "i": "3c7ec6ae-1f85-408e-9ec9-57348929b969",
+ "w": 10,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "3c7ec6ae-1f85-408e-9ec9-57348929b969",
+ "title": "Table of Contents",
+ "type": "visualization",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-85721088-ba45-4ce1-8f35-b09e86a17c40",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "10120f61-06a4-45bf-9045-5ee5ce0ccd5c",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "85721088-ba45-4ce1-8f35-b09e86a17c40": {
+ "columnOrder": [
+ "1487a391-8797-4ff1-ab46-710549b79947",
+ "53f1d56e-ca59-46f1-af85-db2d3df0226a"
+ ],
+ "columns": {
+ "1487a391-8797-4ff1-ab46-710549b79947": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Authentication Protocol",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "53f1d56e-ca59-46f1-af85-db2d3df0226a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.auth_protocol"
+ },
+ "53f1d56e-ca59-46f1-af85-db2d3df0226a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "10120f61-06a4-45bf-9045-5ee5ce0ccd5c",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "3"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "3"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "53f1d56e-ca59-46f1-af85-db2d3df0226a"
+ ],
+ "layerId": "85721088-ba45-4ce1-8f35-b09e86a17c40",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "1487a391-8797-4ff1-ab46-710549b79947"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "07aab5df-fd5d-41f2-ba49-82e794b27574",
+ "w": 38,
+ "x": 10,
+ "y": 0
+ },
+ "panelIndex": "07aab5df-fd5d-41f2-ba49-82e794b27574",
+ "title": "Events by Authentication Protocol [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-9b1aa845-a88e-4092-8729-a888ef1bfb5c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "321c2663-d5ba-4081-b623-c3424f9e114f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "9b1aa845-a88e-4092-8729-a888ef1bfb5c": {
+ "columnOrder": [
+ "919992f5-c733-4740-9723-0ab9c2eed664",
+ "a9433bf4-96af-41e8-a33d-3730fe5e5b1d"
+ ],
+ "columns": {
+ "919992f5-c733-4740-9723-0ab9c2eed664": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Logon Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a9433bf4-96af-41e8-a33d-3730fe5e5b1d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.logon_type"
+ },
+ "a9433bf4-96af-41e8-a33d-3730fe5e5b1d": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "321c2663-d5ba-4081-b623-c3424f9e114f",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "3"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "3"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "a9433bf4-96af-41e8-a33d-3730fe5e5b1d"
+ ],
+ "layerId": "9b1aa845-a88e-4092-8729-a888ef1bfb5c",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "919992f5-c733-4740-9723-0ab9c2eed664"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "307724f4-f08c-4693-8c11-d2a9db738c41",
+ "w": 19,
+ "x": 10,
+ "y": 15
+ },
+ "panelIndex": "307724f4-f08c-4693-8c11-d2a9db738c41",
+ "title": "Events by Logon Type [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-43f8e5cc-a2cc-478d-bb00-102e930acc3e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "28cb6047-5cc1-4786-9107-2457f6decd9c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5936baf9-7cdc-4350-9be0-56d5142e5872",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "43f8e5cc-a2cc-478d-bb00-102e930acc3e": {
+ "columnOrder": [
+ "b2f78e94-f4c5-47a8-8ae9-98dc74f0ba7a",
+ "6df69c86-c6c4-4a3f-a7c5-bbcfc47c794c"
+ ],
+ "columns": {
+ "6df69c86-c6c4-4a3f-a7c5-bbcfc47c794c": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "b2f78e94-f4c5-47a8-8ae9-98dc74f0ba7a": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Actor User Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6df69c86-c6c4-4a3f-a7c5-bbcfc47c794c",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "28cb6047-5cc1-4786-9107-2457f6decd9c",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "3"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "3"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.status_id",
+ "index": "5936baf9-7cdc-4350-9be0-56d5142e5872",
+ "key": "ocsf.status_id",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.status_id": "2"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "b2f78e94-f4c5-47a8-8ae9-98dc74f0ba7a"
+ },
+ {
+ "columnId": "6df69c86-c6c4-4a3f-a7c5-bbcfc47c794c"
+ }
+ ],
+ "layerId": "43f8e5cc-a2cc-478d-bb00-102e930acc3e",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "60af478a-8172-44f1-9e32-411ab20c6c3c",
+ "w": 19,
+ "x": 29,
+ "y": 15
+ },
+ "panelIndex": "60af478a-8172-44f1-9e32-411ab20c6c3c",
+ "title": "Top 10 Users with Highest Failure Status [Logs Amazon Security Lake] ",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-954220ab-66ee-407c-9f6c-65c6e2866f7a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1ecfd15e-c038-4d1e-a1fa-572363c5af4d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "954220ab-66ee-407c-9f6c-65c6e2866f7a": {
+ "columnOrder": [
+ "315efd6e-70ab-4329-8d9d-28695f5c75b3",
+ "ea5d2adc-1cca-4b2a-b409-88bfc1debe64"
+ ],
+ "columns": {
+ "315efd6e-70ab-4329-8d9d-28695f5c75b3": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Activity Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ea5d2adc-1cca-4b2a-b409-88bfc1debe64",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.activity_name"
+ },
+ "ea5d2adc-1cca-4b2a-b409-88bfc1debe64": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "1ecfd15e-c038-4d1e-a1fa-572363c5af4d",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "3"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "3"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "ea5d2adc-1cca-4b2a-b409-88bfc1debe64"
+ ],
+ "layerId": "954220ab-66ee-407c-9f6c-65c6e2866f7a",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "315efd6e-70ab-4329-8d9d-28695f5c75b3"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "6f832beb-50cc-4016-832e-01ba7c570a69",
+ "w": 24,
+ "x": 0,
+ "y": 30
+ },
+ "panelIndex": "6f832beb-50cc-4016-832e-01ba7c570a69",
+ "title": "Events by Activity [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-a38a7754-5b7a-4f8c-8676-dd49954f62ae",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9490fb53-2671-499e-9c59-43d01e3bc769",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "a38a7754-5b7a-4f8c-8676-dd49954f62ae": {
+ "columnOrder": [
+ "dc9db0f0-9199-40b5-bc0c-6454523be55f",
+ "2f05a408-67f3-47af-8169-232ff383bb6b"
+ ],
+ "columns": {
+ "2f05a408-67f3-47af-8169-232ff383bb6b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "dc9db0f0-9199-40b5-bc0c-6454523be55f": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2f05a408-67f3-47af-8169-232ff383bb6b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "9490fb53-2671-499e-9c59-43d01e3bc769",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "3"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "3"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "dc9db0f0-9199-40b5-bc0c-6454523be55f"
+ },
+ {
+ "columnId": "2f05a408-67f3-47af-8169-232ff383bb6b",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "a38a7754-5b7a-4f8c-8676-dd49954f62ae",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "cf249bbf-1849-4f71-884d-95044132d36c",
+ "w": 24,
+ "x": 24,
+ "y": 30
+ },
+ "panelIndex": "cf249bbf-1849-4f71-884d-95044132d36c",
+ "title": "Top Users [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "55cf65c6-d2f7-4303-9a7f-cc3976475ef1",
+ "w": 48,
+ "x": 0,
+ "y": 45
+ },
+ "panelIndex": "55cf65c6-d2f7-4303-9a7f-cc3976475ef1",
+ "panelRefName": "panel_55cf65c6-d2f7-4303-9a7f-cc3976475ef1",
+ "type": "search",
+ "version": "8.9.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Amazon Security Lake] Identity and Access Management",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T12:29:58.878Z",
+ "id": "amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "07aab5df-fd5d-41f2-ba49-82e794b27574:indexpattern-datasource-layer-85721088-ba45-4ce1-8f35-b09e86a17c40",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "07aab5df-fd5d-41f2-ba49-82e794b27574:10120f61-06a4-45bf-9045-5ee5ce0ccd5c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "307724f4-f08c-4693-8c11-d2a9db738c41:indexpattern-datasource-layer-9b1aa845-a88e-4092-8729-a888ef1bfb5c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "307724f4-f08c-4693-8c11-d2a9db738c41:321c2663-d5ba-4081-b623-c3424f9e114f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "60af478a-8172-44f1-9e32-411ab20c6c3c:indexpattern-datasource-layer-43f8e5cc-a2cc-478d-bb00-102e930acc3e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "60af478a-8172-44f1-9e32-411ab20c6c3c:28cb6047-5cc1-4786-9107-2457f6decd9c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "60af478a-8172-44f1-9e32-411ab20c6c3c:5936baf9-7cdc-4350-9be0-56d5142e5872",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6f832beb-50cc-4016-832e-01ba7c570a69:indexpattern-datasource-layer-954220ab-66ee-407c-9f6c-65c6e2866f7a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6f832beb-50cc-4016-832e-01ba7c570a69:1ecfd15e-c038-4d1e-a1fa-572363c5af4d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cf249bbf-1849-4f71-884d-95044132d36c:indexpattern-datasource-layer-a38a7754-5b7a-4f8c-8676-dd49954f62ae",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cf249bbf-1849-4f71-884d-95044132d36c:9490fb53-2671-499e-9c59-43d01e3bc769",
+ "type": "index-pattern"
+ },
+ {
+ "id": "amazon_security_lake-ab4090f0-2618-11ee-983a-17fb20a3b25d",
+ "name": "55cf65c6-d2f7-4303-9a7f-cc3976475ef1:panel_55cf65c6-d2f7-4303-9a7f-cc3976475ef1",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_7074e9a5-6114-4da7-bcda-8104441487c1:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_c55accdc-ba5b-467d-8886-4e095c3541b6:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_382759ba-4df2-4ebe-91f9-3f918bdb35b0:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_e6b905d7-7f36-4536-8dd5-5e9e9c6fcf1b:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_ad220c7a-d5af-4662-9bcd-cbbbfa82013e:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_cc433e72-f5b3-4144-b157-465bcb175e1c:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_03a40e7b-86e7-4ad3-8cd8-798446df8edd:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "migrationVersion": {
+ "dashboard": "8.9.0"
+ }
+}
\ No newline at end of file
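Review bot: The user-facing markdown in the "Table of Contents" panel contains a grammar slip in `This dashboard shows an overview of Identity \u0026 Access Management (IAM) events relate to the supervision of the system's authentication and access control model.`; it should read `events related to the supervision`. The title of the failure-status datatable panel, `"Top 10 Users with Highest Failure Status [Logs Amazon Security Lake] "`, carries a trailing space that will render in the panel header and differs from the naming pattern of the sibling panels, so it should be trimmed. The file also ends without a trailing newline (`\ No newline at end of file`), as does the preceding dashboard file in this commit; running the exported saved objects through the same formatter would normalise both. The rest of the document is exporter output and I would not hand-edit the generated ids.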
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json
new file mode 100644
index 00000000000..de5a625ae67
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json
@@ -0,0 +1,2194 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"a9902929-fb15-4000-a8f5-68d5e9589426\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"a9902929-fb15-4000-a8f5-68d5e9589426\",\"fieldName\":\"ocsf.confidence\",\"title\":\"Confidence\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"a8bbda91-8b1d-44a3-b504-842dfb9e77ed\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"a8bbda91-8b1d-44a3-b504-842dfb9e77ed\",\"fieldName\":\"ocsf.risk_level\",\"title\":\"Risk Level\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"e62b5356-0c7e-4273-ba74-1a792810bdea\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"e62b5356-0c7e-4273-ba74-1a792810bdea\",\"fieldName\":\"ocsf.impact\",\"title\":\"Impact\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"65ce75bf-9eab-49d7-9232-e44895885e97\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"65ce75bf-9eab-49d7-9232-e44895885e97\",\"fieldName\":\"ocsf.severity\",\"title\":\"Severity\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"dd9a9c7e-b17b-40aa-98b0-5275105b2c91\":{\"type\":\"optionsListControl\",\"order\":4,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"dd9a9c7e-b17b-40aa-98b0-5275105b2c91\",\"fieldName\":\"ocsf.status\",\"title\":\"Status\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"65c05770-1197-4f82-8a0b-577316a13f82\":{\"type\":\"optionsListControl\",\"order\":5,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"65c05770-1197-4f82-8a0b-577316a13f82\",\"fieldName\":\"ocsf.activity_name\",\"title\":\"Activity 
Name\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"a4235b9e-98ae-4992-93eb-5e65aefd93d5\":{\"type\":\"optionsListControl\",\"order\":6,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"a4235b9e-98ae-4992-93eb-5e65aefd93d5\",\"fieldName\":\"ocsf.metadata.product.vendor_name\",\"title\":\"Vendor Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"061d39e5-3fba-405c-a829-83a8adf60717\":{\"type\":\"optionsListControl\",\"order\":7,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"061d39e5-3fba-405c-a829-83a8adf60717\",\"fieldName\":\"cloud.account.id\",\"title\":\"Cloud Account ID\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}}}"
+ },
+ "description": "Overview of Findings logs collected by the Amazon Security Lake Integration.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- **[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c)** \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of findings, detections, anomalies, alerts, and/or actions performed by security products.\n\nPlease visit the [Findings](https://schema.ocsf.io/1.0.0-rc.3/categories/findings) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 31,
+ "i": "be886af6-e16e-4285-8b9e-58d56630a7af",
+ "w": 10,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "be886af6-e16e-4285-8b9e-58d56630a7af",
+ "title": "Table of Contents",
+ "type": "visualization",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-1cc05391-c5a8-4a13-9ae4-bcffba57b040",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0e8db665-7da4-405f-8076-08ae60909d36",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "1cc05391-c5a8-4a13-9ae4-bcffba57b040": {
+ "columnOrder": [
+ "c7504c19-f6a6-4e3c-a2ca-f3a1afa2c521",
+ "4b66482a-d909-4317-aaab-f1d131268af3"
+ ],
+ "columns": {
+ "4b66482a-d909-4317-aaab-f1d131268af3": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "c7504c19-f6a6-4e3c-a2ca-f3a1afa2c521": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "State",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "4b66482a-d909-4317-aaab-f1d131268af3",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.state"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "0e8db665-7da4-405f-8076-08ae60909d36",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "1cc05391-c5a8-4a13-9ae4-bcffba57b040",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "4b66482a-d909-4317-aaab-f1d131268af3"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "c7504c19-f6a6-4e3c-a2ca-f3a1afa2c521"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "772e49a3-3da9-4d70-a2b4-922375ec283a",
+ "w": 19,
+ "x": 10,
+ "y": 0
+ },
+ "panelIndex": "772e49a3-3da9-4d70-a2b4-922375ec283a",
+ "title": "Events by State [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-4cab14b9-ca69-44a2-b928-bbf788e859d4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2f81d806-50ec-4aae-a5c5-1a96e22561bb",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "4cab14b9-ca69-44a2-b928-bbf788e859d4": {
+ "columnOrder": [
+ "4964978d-8bad-4415-8d52-e68606f0866c",
+ "75df3c1f-63fa-4154-8ffb-e33403d73d8a"
+ ],
+ "columns": {
+ "4964978d-8bad-4415-8d52-e68606f0866c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Analytic Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "75df3c1f-63fa-4154-8ffb-e33403d73d8a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.analytic.type"
+ },
+ "75df3c1f-63fa-4154-8ffb-e33403d73d8a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "2f81d806-50ec-4aae-a5c5-1a96e22561bb",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "4cab14b9-ca69-44a2-b928-bbf788e859d4",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "75df3c1f-63fa-4154-8ffb-e33403d73d8a"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "4964978d-8bad-4415-8d52-e68606f0866c"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "2d578ef5-4712-46cd-8842-a90f12288a1d",
+ "w": 19,
+ "x": 29,
+ "y": 0
+ },
+ "panelIndex": "2d578ef5-4712-46cd-8842-a90f12288a1d",
+ "title": "Events by Analytic Type [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-03e5b96c-3c7c-4bf5-98ba-ac874f18dced",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e20f26ba-9f98-4116-94fa-dbf5ed7c8739",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "03e5b96c-3c7c-4bf5-98ba-ac874f18dced": {
+ "columnOrder": [
+ "6d21bef0-4a0f-4ddd-a88f-23b07c100590",
+ "861909a0-1abb-4831-b221-d1728d466409"
+ ],
+ "columns": {
+ "6d21bef0-4a0f-4ddd-a88f-23b07c100590": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Activity Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "861909a0-1abb-4831-b221-d1728d466409",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.activity_name"
+ },
+ "861909a0-1abb-4831-b221-d1728d466409": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "e20f26ba-9f98-4116-94fa-dbf5ed7c8739",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "03e5b96c-3c7c-4bf5-98ba-ac874f18dced",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "861909a0-1abb-4831-b221-d1728d466409"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "6d21bef0-4a0f-4ddd-a88f-23b07c100590"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "3f93abe8-88a9-499c-bbf7-51cc6c456e36",
+ "w": 19,
+ "x": 10,
+ "y": 16
+ },
+ "panelIndex": "3f93abe8-88a9-499c-bbf7-51cc6c456e36",
+ "title": "Events by Activity [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-7b40bda7-e96b-4f46-af23-82c8b35481e5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "75fa021c-a616-4c39-8617-ef9350fc8a86",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7b40bda7-e96b-4f46-af23-82c8b35481e5": {
+ "columnOrder": [
+ "cb691458-f06d-482c-87ca-7ebba38d657d",
+ "eb5950df-594f-4fcf-a8b1-def70b139c4b"
+ ],
+ "columns": {
+ "cb691458-f06d-482c-87ca-7ebba38d657d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Kill Chain Phase",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "eb5950df-594f-4fcf-a8b1-def70b139c4b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.kill_chain.phase"
+ },
+ "eb5950df-594f-4fcf-a8b1-def70b139c4b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "75fa021c-a616-4c39-8617-ef9350fc8a86",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "eb5950df-594f-4fcf-a8b1-def70b139c4b"
+ ],
+ "layerId": "7b40bda7-e96b-4f46-af23-82c8b35481e5",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "xAccessor": "cb691458-f06d-482c-87ca-7ebba38d657d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_horizontal_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "5a0e7a0d-1249-496b-b456-72a0e57a9080",
+ "w": 19,
+ "x": 29,
+ "y": 16
+ },
+ "panelIndex": "5a0e7a0d-1249-496b-b456-72a0e57a9080",
+ "title": "Events by Kill Chain Phase [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-8d1be711-df84-4131-a3d0-2cbfac4ce2e8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4f8df874-baea-4394-9200-3a264719221e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8d1be711-df84-4131-a3d0-2cbfac4ce2e8": {
+ "columnOrder": [
+ "58df9e1c-3bb4-4f47-9600-688928abb95d",
+ "88f2a237-e273-4828-952a-eab7af8cb20d"
+ ],
+ "columns": {
+ "58df9e1c-3bb4-4f47-9600-688928abb95d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Malware Classifications",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "88f2a237-e273-4828-952a-eab7af8cb20d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.malware.classifications"
+ },
+ "88f2a237-e273-4828-952a-eab7af8cb20d": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "4f8df874-baea-4394-9200-3a264719221e",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "88f2a237-e273-4828-952a-eab7af8cb20d"
+ ],
+ "layerId": "8d1be711-df84-4131-a3d0-2cbfac4ce2e8",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "58df9e1c-3bb4-4f47-9600-688928abb95d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f335dc96-f388-4d5d-824f-8e14299f9dcc",
+ "w": 24,
+ "x": 0,
+ "y": 31
+ },
+ "panelIndex": "f335dc96-f388-4d5d-824f-8e14299f9dcc",
+ "title": "Events by Malware Classifications [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-00561990-40f2-4bd6-9f56-01dc3268bfbe",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "dcb866bc-4afa-4d14-9bb7-80b558e51559",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "00561990-40f2-4bd6-9f56-01dc3268bfbe": {
+ "columnOrder": [
+ "db406e7a-d0e7-4520-96f6-8d8220cda8c9",
+ "2839ca48-f92b-4f9f-9e93-f6dbb03f2632"
+ ],
+ "columns": {
+ "2839ca48-f92b-4f9f-9e93-f6dbb03f2632": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "db406e7a-d0e7-4520-96f6-8d8220cda8c9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Attack Technique",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2839ca48-f92b-4f9f-9e93-f6dbb03f2632",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "threat.technique.name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "dcb866bc-4afa-4d14-9bb7-80b558e51559",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "db406e7a-d0e7-4520-96f6-8d8220cda8c9"
+ },
+ {
+ "columnId": "2839ca48-f92b-4f9f-9e93-f6dbb03f2632"
+ }
+ ],
+ "layerId": "00561990-40f2-4bd6-9f56-01dc3268bfbe",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "b51f48f2-8da0-455f-93dc-7aef69af3ca6",
+ "w": 24,
+ "x": 24,
+ "y": 31
+ },
+ "panelIndex": "b51f48f2-8da0-455f-93dc-7aef69af3ca6",
+ "title": "Top 10 Attack Technique [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0b8edcc7-e63e-471c-a19a-875842640bc0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9042038b-e077-42e1-8eb2-7331495c85b4",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0b8edcc7-e63e-471c-a19a-875842640bc0": {
+ "columnOrder": [
+ "0f13fd06-5d7f-49a6-9e34-700539b531f5",
+ "9c8a74e7-0d42-4a62-9601-37db83720f7f"
+ ],
+ "columns": {
+ "0f13fd06-5d7f-49a6-9e34-700539b531f5": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Finding Title",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Confidence Score",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "ocsf.confidence_score"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.finding.title"
+ },
+ "9c8a74e7-0d42-4a62-9601-37db83720f7f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Confidence Score",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "ocsf.confidence_score"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "9042038b-e077-42e1-8eb2-7331495c85b4",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "9c8a74e7-0d42-4a62-9601-37db83720f7f",
+ "hidden": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "0f13fd06-5d7f-49a6-9e34-700539b531f5",
+ "isTransposed": false
+ }
+ ],
+ "headerRowHeight": "single",
+ "headerRowHeightLines": 1,
+ "layerId": "0b8edcc7-e63e-471c-a19a-875842640bc0",
+ "layerType": "data",
+ "rowHeight": "auto"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "dfc70cec-b8c7-4263-a735-135278f215d8",
+ "w": 24,
+ "x": 0,
+ "y": 46
+ },
+ "panelIndex": "dfc70cec-b8c7-4263-a735-135278f215d8",
+ "title": "Top 10 Events with Highest Confidence Score [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0b8edcc7-e63e-471c-a19a-875842640bc0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3025cb0b-f49f-460c-8f69-a69072a5f112",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0b8edcc7-e63e-471c-a19a-875842640bc0": {
+ "columnOrder": [
+ "0f13fd06-5d7f-49a6-9e34-700539b531f5",
+ "9c8a74e7-0d42-4a62-9601-37db83720f7f"
+ ],
+ "columns": {
+ "0f13fd06-5d7f-49a6-9e34-700539b531f5": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Finding Title",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Impact Score",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "ocsf.impact_score"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.finding.title"
+ },
+ "9c8a74e7-0d42-4a62-9601-37db83720f7f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Impact Score",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "ocsf.impact_score"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "3025cb0b-f49f-460c-8f69-a69072a5f112",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "9c8a74e7-0d42-4a62-9601-37db83720f7f",
+ "hidden": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "0f13fd06-5d7f-49a6-9e34-700539b531f5",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "0b8edcc7-e63e-471c-a19a-875842640bc0",
+ "layerType": "data",
+ "rowHeight": "auto"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "88c216cd-f675-4243-90a1-fd05521f0d17",
+ "w": 24,
+ "x": 24,
+ "y": 46
+ },
+ "panelIndex": "88c216cd-f675-4243-90a1-fd05521f0d17",
+ "title": "Top 10 Events with Impact Score [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0b8edcc7-e63e-471c-a19a-875842640bc0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "337c6ebc-8c54-45ad-bc04-b083782b66f8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0b8edcc7-e63e-471c-a19a-875842640bc0": {
+ "columnOrder": [
+ "0f13fd06-5d7f-49a6-9e34-700539b531f5",
+ "9c8a74e7-0d42-4a62-9601-37db83720f7f"
+ ],
+ "columns": {
+ "0f13fd06-5d7f-49a6-9e34-700539b531f5": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Finding Title",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Risk Score",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "event.risk_score"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.finding.title"
+ },
+ "9c8a74e7-0d42-4a62-9601-37db83720f7f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Risk Score",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "event.risk_score"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "337c6ebc-8c54-45ad-bc04-b083782b66f8",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "9c8a74e7-0d42-4a62-9601-37db83720f7f",
+ "hidden": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "0f13fd06-5d7f-49a6-9e34-700539b531f5",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "0b8edcc7-e63e-471c-a19a-875842640bc0",
+ "layerType": "data",
+ "rowHeight": "auto"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "45763df1-6737-4d5d-92fb-0658c0c1604d",
+ "w": 24,
+ "x": 0,
+ "y": 61
+ },
+ "panelIndex": "45763df1-6737-4d5d-92fb-0658c0c1604d",
+ "title": "Top 10 Events with Highest Risk Score [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-a380a187-be4b-4aa2-9240-ebe38efee4a5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c7b51d06-7002-4c01-889f-22b4cd8d34d8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "a380a187-be4b-4aa2-9240-ebe38efee4a5": {
+ "columnOrder": [
+ "3fd213b5-2550-41db-8249-acb0f7d50513",
+ "361ff57f-e19c-4758-8ae4-979ab68be335",
+ "431fbb35-8304-4803-b9fe-ad1a04335b93"
+ ],
+ "columns": {
+ "361ff57f-e19c-4758-8ae4-979ab68be335": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "3fd213b5-2550-41db-8249-acb0f7d50513": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Severity",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "431fbb35-8304-4803-b9fe-ad1a04335b93",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.severity"
+ },
+ "431fbb35-8304-4803-b9fe-ad1a04335b93": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "c7b51d06-7002-4c01-889f-22b4cd8d34d8",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "431fbb35-8304-4803-b9fe-ad1a04335b93"
+ ],
+ "layerId": "a380a187-be4b-4aa2-9240-ebe38efee4a5",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "splitAccessor": "3fd213b5-2550-41db-8249-acb0f7d50513",
+ "xAccessor": "361ff57f-e19c-4758-8ae4-979ab68be335"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "086e7a53-619c-456e-ac59-46479173bb49",
+ "w": 24,
+ "x": 24,
+ "y": 61
+ },
+ "panelIndex": "086e7a53-619c-456e-ac59-46479173bb49",
+ "title": "Finding Velocity [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "d116dfa1-b873-42f7-8a58-b4d789a9b6c0",
+ "w": 48,
+ "x": 0,
+ "y": 76
+ },
+ "panelIndex": "d116dfa1-b873-42f7-8a58-b4d789a9b6c0",
+ "panelRefName": "panel_d116dfa1-b873-42f7-8a58-b4d789a9b6c0",
+ "type": "search",
+ "version": "8.9.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Amazon Security Lake] Findings",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T11:49:14.212Z",
+ "id": "amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "772e49a3-3da9-4d70-a2b4-922375ec283a:indexpattern-datasource-layer-1cc05391-c5a8-4a13-9ae4-bcffba57b040",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "772e49a3-3da9-4d70-a2b4-922375ec283a:0e8db665-7da4-405f-8076-08ae60909d36",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2d578ef5-4712-46cd-8842-a90f12288a1d:indexpattern-datasource-layer-4cab14b9-ca69-44a2-b928-bbf788e859d4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2d578ef5-4712-46cd-8842-a90f12288a1d:2f81d806-50ec-4aae-a5c5-1a96e22561bb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3f93abe8-88a9-499c-bbf7-51cc6c456e36:indexpattern-datasource-layer-03e5b96c-3c7c-4bf5-98ba-ac874f18dced",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3f93abe8-88a9-499c-bbf7-51cc6c456e36:e20f26ba-9f98-4116-94fa-dbf5ed7c8739",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5a0e7a0d-1249-496b-b456-72a0e57a9080:indexpattern-datasource-layer-7b40bda7-e96b-4f46-af23-82c8b35481e5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5a0e7a0d-1249-496b-b456-72a0e57a9080:75fa021c-a616-4c39-8617-ef9350fc8a86",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f335dc96-f388-4d5d-824f-8e14299f9dcc:indexpattern-datasource-layer-8d1be711-df84-4131-a3d0-2cbfac4ce2e8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f335dc96-f388-4d5d-824f-8e14299f9dcc:4f8df874-baea-4394-9200-3a264719221e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b51f48f2-8da0-455f-93dc-7aef69af3ca6:indexpattern-datasource-layer-00561990-40f2-4bd6-9f56-01dc3268bfbe",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b51f48f2-8da0-455f-93dc-7aef69af3ca6:dcb866bc-4afa-4d14-9bb7-80b558e51559",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "dfc70cec-b8c7-4263-a735-135278f215d8:indexpattern-datasource-layer-0b8edcc7-e63e-471c-a19a-875842640bc0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "dfc70cec-b8c7-4263-a735-135278f215d8:9042038b-e077-42e1-8eb2-7331495c85b4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "88c216cd-f675-4243-90a1-fd05521f0d17:indexpattern-datasource-layer-0b8edcc7-e63e-471c-a19a-875842640bc0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "88c216cd-f675-4243-90a1-fd05521f0d17:3025cb0b-f49f-460c-8f69-a69072a5f112",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "45763df1-6737-4d5d-92fb-0658c0c1604d:indexpattern-datasource-layer-0b8edcc7-e63e-471c-a19a-875842640bc0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "45763df1-6737-4d5d-92fb-0658c0c1604d:337c6ebc-8c54-45ad-bc04-b083782b66f8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "086e7a53-619c-456e-ac59-46479173bb49:indexpattern-datasource-layer-a380a187-be4b-4aa2-9240-ebe38efee4a5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "086e7a53-619c-456e-ac59-46479173bb49:c7b51d06-7002-4c01-889f-22b4cd8d34d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "amazon_security_lake-93f1c2f0-262e-11ee-abb4-f9698f7e351e",
+ "name": "d116dfa1-b873-42f7-8a58-b4d789a9b6c0:panel_d116dfa1-b873-42f7-8a58-b4d789a9b6c0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_a9902929-fb15-4000-a8f5-68d5e9589426:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_a8bbda91-8b1d-44a3-b504-842dfb9e77ed:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_e62b5356-0c7e-4273-ba74-1a792810bdea:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_65ce75bf-9eab-49d7-9232-e44895885e97:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_dd9a9c7e-b17b-40aa-98b0-5275105b2c91:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_65c05770-1197-4f82-8a0b-577316a13f82:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_a4235b9e-98ae-4992-93eb-5e65aefd93d5:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_061d39e5-3fba-405c-a829-83a8adf60717:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "migrationVersion": {
+ "dashboard": "8.9.0"
+ }
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json
new file mode 100644
index 00000000000..9d71c7d47a7
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json
@@ -0,0 +1,1495 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"bc4f37e3-7f39-4c78-89e5-00c3355c0a97\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"bc4f37e3-7f39-4c78-89e5-00c3355c0a97\",\"fieldName\":\"ocsf.severity\",\"title\":\"Severity\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"179b8bc1-c0bc-44be-a77c-ebfadc226dff\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"179b8bc1-c0bc-44be-a77c-ebfadc226dff\",\"fieldName\":\"ocsf.metadata.product.vendor_name\",\"title\":\"Vendor Name\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"65707c2f-975e-4c11-96b6-09026317154b\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"65707c2f-975e-4c11-96b6-09026317154b\",\"fieldName\":\"ocsf.class_name\",\"title\":\"Class Name\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"f94c69b8-73e1-44d1-a047-8d1764098ba4\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"f94c69b8-73e1-44d1-a047-8d1764098ba4\",\"fieldName\":\"ocsf.category_name\",\"title\":\"Category Name\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"b436c427-201d-4cbf-90d4-e9673cfff751\":{\"type\":\"optionsListControl\",\"order\":4,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"b436c427-201d-4cbf-90d4-e9673cfff751\",\"fieldName\":\"ocsf.activity_name\",\"title\":\"Activity 
Name\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"e0dfa34d-a3b8-49ca-a268-d14ad744d247\":{\"type\":\"optionsListControl\",\"order\":5,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"e0dfa34d-a3b8-49ca-a268-d14ad744d247\",\"fieldName\":\"ocsf.status\",\"title\":\"Status\",\"grow\":true,\"width\":\"small\",\"enhancements\":{}}},\"ab4227c9-7e6e-40be-9da0-44fc88056434\":{\"type\":\"optionsListControl\",\"order\":6,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ab4227c9-7e6e-40be-9da0-44fc88056434\",\"fieldName\":\"cloud.account.id\",\"title\":\"Cloud Account ID\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}"
+ },
+ "description": "Overview of the Common logs collected by the Amazon Security Lake Integration.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n**[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3)** \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of the most common data collected from the Amazon Security Lake Integration.\n\nPlease visit the [Base Event](https://schema.ocsf.io/1.0.0-rc.3/base_event) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n\n",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 29,
+ "i": "9acdbabc-b3a8-47e3-b782-4fe29dce3841",
+ "w": 10,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "9acdbabc-b3a8-47e3-b782-4fe29dce3841",
+ "title": "Table of Contents",
+ "type": "visualization",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b5f1e575-9bb5-4d72-be62-dbcddc036f2e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0fd35359-5773-43b7-9d2f-bb71ad7320d9",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b5f1e575-9bb5-4d72-be62-dbcddc036f2e": {
+ "columnOrder": [
+ "a797d927-a6a1-4fae-bfcf-6157f0cc0613",
+ "96c905f6-8a2e-4952-9604-61620306f3ef"
+ ],
+ "columns": {
+ "96c905f6-8a2e-4952-9604-61620306f3ef": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "a797d927-a6a1-4fae-bfcf-6157f0cc0613": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Category Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "96c905f6-8a2e-4952-9604-61620306f3ef",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 6
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.category_name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "0fd35359-5773-43b7-9d2f-bb71ad7320d9",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "breakdownByAccessor": "a797d927-a6a1-4fae-bfcf-6157f0cc0613",
+ "color": "#6092C0",
+ "layerId": "b5f1e575-9bb5-4d72-be62-dbcddc036f2e",
+ "layerType": "data",
+ "metricAccessor": "96c905f6-8a2e-4952-9604-61620306f3ef"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 14,
+ "i": "6d129c0e-ddf1-48df-b38a-bee772e29a0b",
+ "w": 38,
+ "x": 10,
+ "y": 0
+ },
+ "panelIndex": "6d129c0e-ddf1-48df-b38a-bee772e29a0b",
+ "title": "Categories Count[Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-04f0a6f8-2d59-4409-ba3c-f1b1814185e4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a153c59a-bae3-4045-96d3-9265c8e4a648",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "04f0a6f8-2d59-4409-ba3c-f1b1814185e4": {
+ "columnOrder": [
+ "7eaccd01-7b5e-4a7f-bf61-9fc877afe06a",
+ "0fff782a-739d-4a55-89fd-9e16ac51e40c"
+ ],
+ "columns": {
+ "0fff782a-739d-4a55-89fd-9e16ac51e40c": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "7eaccd01-7b5e-4a7f-bf61-9fc877afe06a": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Status",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0fff782a-739d-4a55-89fd-9e16ac51e40c",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.status"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "a153c59a-bae3-4045-96d3-9265c8e4a648",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "04f0a6f8-2d59-4409-ba3c-f1b1814185e4",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "0fff782a-739d-4a55-89fd-9e16ac51e40c"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "7eaccd01-7b5e-4a7f-bf61-9fc877afe06a"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "efb10252-f73d-4f0d-ac12-55b3bf39eb87",
+ "w": 19,
+ "x": 10,
+ "y": 14
+ },
+ "panelIndex": "efb10252-f73d-4f0d-ac12-55b3bf39eb87",
+ "title": "Events by Status [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f065b90d-7ae8-4374-a54b-6785aa58a121",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f7c57946-d81e-407a-b5f7-5102816358ca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f065b90d-7ae8-4374-a54b-6785aa58a121": {
+ "columnOrder": [
+ "db7af86c-8092-4292-8aea-b70d74d8dbcc",
+ "7e8c977f-0dc3-4a84-a9e7-40954d748abe"
+ ],
+ "columns": {
+ "7e8c977f-0dc3-4a84-a9e7-40954d748abe": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "db7af86c-8092-4292-8aea-b70d74d8dbcc": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Region",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "7e8c977f-0dc3-4a84-a9e7-40954d748abe",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "cloud.region"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "f7c57946-d81e-407a-b5f7-5102816358ca",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "f065b90d-7ae8-4374-a54b-6785aa58a121",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "7e8c977f-0dc3-4a84-a9e7-40954d748abe"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "db7af86c-8092-4292-8aea-b70d74d8dbcc"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f6b60a1b-9416-4066-8037-5c31282c5c09",
+ "w": 19,
+ "x": 29,
+ "y": 14
+ },
+ "panelIndex": "f6b60a1b-9416-4066-8037-5c31282c5c09",
+ "title": "Events by Region [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f065b90d-7ae8-4374-a54b-6785aa58a121",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "333d085b-3a28-43ce-a5ed-ceafa5fdf8d2",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f065b90d-7ae8-4374-a54b-6785aa58a121": {
+ "columnOrder": [
+ "db7af86c-8092-4292-8aea-b70d74d8dbcc",
+ "7e8c977f-0dc3-4a84-a9e7-40954d748abe"
+ ],
+ "columns": {
+ "7e8c977f-0dc3-4a84-a9e7-40954d748abe": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "db7af86c-8092-4292-8aea-b70d74d8dbcc": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Severity",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "7e8c977f-0dc3-4a84-a9e7-40954d748abe",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.severity"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "333d085b-3a28-43ce-a5ed-ceafa5fdf8d2",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "f065b90d-7ae8-4374-a54b-6785aa58a121",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "7e8c977f-0dc3-4a84-a9e7-40954d748abe"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "db7af86c-8092-4292-8aea-b70d74d8dbcc"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "877cc6e8-0997-4702-9ce7-4e61b34e1afa",
+ "w": 24,
+ "x": 0,
+ "y": 29
+ },
+ "panelIndex": "877cc6e8-0997-4702-9ce7-4e61b34e1afa",
+ "title": "Events by Severity [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0d647d4c-4aee-4028-9af5-09b89aa5f5f1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b7a67e08-43b4-4787-923b-c30dc8121335",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0d647d4c-4aee-4028-9af5-09b89aa5f5f1": {
+ "columnOrder": [
+ "13cf2d87-bd9a-455d-8e36-77d27aa3023d",
+ "370f6166-ad3a-4d17-8a58-bcddc0efc314"
+ ],
+ "columns": {
+ "13cf2d87-bd9a-455d-8e36-77d27aa3023d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Vendor Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "370f6166-ad3a-4d17-8a58-bcddc0efc314",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.metadata.product.vendor_name"
+ },
+ "370f6166-ad3a-4d17-8a58-bcddc0efc314": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "b7a67e08-43b4-4787-923b-c30dc8121335",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "370f6166-ad3a-4d17-8a58-bcddc0efc314"
+ ],
+ "layerId": "0d647d4c-4aee-4028-9af5-09b89aa5f5f1",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "xAccessor": "13cf2d87-bd9a-455d-8e36-77d27aa3023d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_horizontal_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "0835ddad-4601-411b-b5c1-1e838c0608c5",
+ "w": 24,
+ "x": 24,
+ "y": 29
+ },
+ "panelIndex": "0835ddad-4601-411b-b5c1-1e838c0608c5",
+ "title": "Events by Vendor Name [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0d647d4c-4aee-4028-9af5-09b89aa5f5f1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "33c483e8-7b7f-4e20-87cd-6e599a8fcbe9",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0d647d4c-4aee-4028-9af5-09b89aa5f5f1": {
+ "columnOrder": [
+ "13cf2d87-bd9a-455d-8e36-77d27aa3023d",
+ "370f6166-ad3a-4d17-8a58-bcddc0efc314"
+ ],
+ "columns": {
+ "13cf2d87-bd9a-455d-8e36-77d27aa3023d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Class Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "370f6166-ad3a-4d17-8a58-bcddc0efc314",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 33
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.class_name"
+ },
+ "370f6166-ad3a-4d17-8a58-bcddc0efc314": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "33c483e8-7b7f-4e20-87cd-6e599a8fcbe9",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "370f6166-ad3a-4d17-8a58-bcddc0efc314"
+ ],
+ "layerId": "0d647d4c-4aee-4028-9af5-09b89aa5f5f1",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "xAccessor": "13cf2d87-bd9a-455d-8e36-77d27aa3023d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_horizontal_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "3875494b-7f90-4064-896e-76ac9391edbc",
+ "w": 24,
+ "x": 0,
+ "y": 44
+ },
+ "panelIndex": "3875494b-7f90-4064-896e-76ac9391edbc",
+ "title": "Events by Class [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0d647d4c-4aee-4028-9af5-09b89aa5f5f1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f6b1180a-fa24-41ac-88ee-2f3d20d4ad89",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0d647d4c-4aee-4028-9af5-09b89aa5f5f1": {
+ "columnOrder": [
+ "13cf2d87-bd9a-455d-8e36-77d27aa3023d",
+ "370f6166-ad3a-4d17-8a58-bcddc0efc314"
+ ],
+ "columns": {
+ "13cf2d87-bd9a-455d-8e36-77d27aa3023d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Product Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "370f6166-ad3a-4d17-8a58-bcddc0efc314",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "ocsf.metadata.product.name"
+ },
+ "370f6166-ad3a-4d17-8a58-bcddc0efc314": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "f6b1180a-fa24-41ac-88ee-2f3d20d4ad89",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "370f6166-ad3a-4d17-8a58-bcddc0efc314"
+ ],
+ "layerId": "0d647d4c-4aee-4028-9af5-09b89aa5f5f1",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "xAccessor": "13cf2d87-bd9a-455d-8e36-77d27aa3023d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_horizontal_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "fd7315e0-aa9b-4ea6-a415-6547f732c14a",
+ "w": 24,
+ "x": 24,
+ "y": 44
+ },
+ "panelIndex": "fd7315e0-aa9b-4ea6-a415-6547f732c14a",
+ "title": "Events by Product Name [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b7a523aa-06c7-4aa3-8848-3dc27db9afc6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "63d76fe7-4cd2-43cd-a69d-3d0fef0e3cde",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b7a523aa-06c7-4aa3-8848-3dc27db9afc6": {
+ "columnOrder": [
+ "78eaa4ae-a5f4-4b9e-9b30-6c5fa16fedbf",
+ "b082e6e3-bd9e-4697-997d-c0b02016bf0e"
+ ],
+ "columns": {
+ "78eaa4ae-a5f4-4b9e-9b30-6c5fa16fedbf": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "b082e6e3-bd9e-4697-997d-c0b02016bf0e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Severity",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "event.severity"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "63d76fe7-4cd2-43cd-a69d-3d0fef0e3cde",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "b082e6e3-bd9e-4697-997d-c0b02016bf0e"
+ ],
+ "layerId": "b7a523aa-06c7-4aa3-8848-3dc27db9afc6",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "78eaa4ae-a5f4-4b9e-9b30-6c5fa16fedbf"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "5a5c0ff1-5286-445e-b95d-6ca234e09614",
+ "w": 48,
+ "x": 0,
+ "y": 59
+ },
+ "panelIndex": "5a5c0ff1-5286-445e-b95d-6ca234e09614",
+ "title": "Severity over Time [Logs Amazon Security Lake]",
+ "type": "lens",
+ "version": "8.9.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Amazon Security Lake] Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T11:49:14.212Z",
+ "id": "amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "6d129c0e-ddf1-48df-b38a-bee772e29a0b:indexpattern-datasource-layer-b5f1e575-9bb5-4d72-be62-dbcddc036f2e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6d129c0e-ddf1-48df-b38a-bee772e29a0b:0fd35359-5773-43b7-9d2f-bb71ad7320d9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "efb10252-f73d-4f0d-ac12-55b3bf39eb87:indexpattern-datasource-layer-04f0a6f8-2d59-4409-ba3c-f1b1814185e4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "efb10252-f73d-4f0d-ac12-55b3bf39eb87:a153c59a-bae3-4045-96d3-9265c8e4a648",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f6b60a1b-9416-4066-8037-5c31282c5c09:indexpattern-datasource-layer-f065b90d-7ae8-4374-a54b-6785aa58a121",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f6b60a1b-9416-4066-8037-5c31282c5c09:f7c57946-d81e-407a-b5f7-5102816358ca",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "877cc6e8-0997-4702-9ce7-4e61b34e1afa:indexpattern-datasource-layer-f065b90d-7ae8-4374-a54b-6785aa58a121",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "877cc6e8-0997-4702-9ce7-4e61b34e1afa:333d085b-3a28-43ce-a5ed-ceafa5fdf8d2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0835ddad-4601-411b-b5c1-1e838c0608c5:indexpattern-datasource-layer-0d647d4c-4aee-4028-9af5-09b89aa5f5f1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0835ddad-4601-411b-b5c1-1e838c0608c5:b7a67e08-43b4-4787-923b-c30dc8121335",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3875494b-7f90-4064-896e-76ac9391edbc:indexpattern-datasource-layer-0d647d4c-4aee-4028-9af5-09b89aa5f5f1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3875494b-7f90-4064-896e-76ac9391edbc:33c483e8-7b7f-4e20-87cd-6e599a8fcbe9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fd7315e0-aa9b-4ea6-a415-6547f732c14a:indexpattern-datasource-layer-0d647d4c-4aee-4028-9af5-09b89aa5f5f1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fd7315e0-aa9b-4ea6-a415-6547f732c14a:f6b1180a-fa24-41ac-88ee-2f3d20d4ad89",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5a5c0ff1-5286-445e-b95d-6ca234e09614:indexpattern-datasource-layer-b7a523aa-06c7-4aa3-8848-3dc27db9afc6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5a5c0ff1-5286-445e-b95d-6ca234e09614:63d76fe7-4cd2-43cd-a69d-3d0fef0e3cde",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_bc4f37e3-7f39-4c78-89e5-00c3355c0a97:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_179b8bc1-c0bc-44be-a77c-ebfadc226dff:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_65707c2f-975e-4c11-96b6-09026317154b:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_f94c69b8-73e1-44d1-a047-8d1764098ba4:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_b436c427-201d-4cbf-90d4-e9673cfff751:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_e0dfa34d-a3b8-49ca-a268-d14ad744d247:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_ab4227c9-7e6e-40be-9da0-44fc88056434:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "migrationVersion": {
+ "dashboard": "8.9.0"
+ }
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/kibana/search/amazon_security_lake-16a0aa00-26dd-11ee-a94e-bfa24df19b15.json b/packages/amazon_security_lake/kibana/search/amazon_security_lake-16a0aa00-26dd-11ee-a94e-bfa24df19b15.json
new file mode 100644
index 00000000000..fb788c4177b
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/search/amazon_security_lake-16a0aa00-26dd-11ee-a94e-bfa24df19b15.json
@@ -0,0 +1,108 @@
+{
+ "attributes": {
+ "columns": [
+ "ocsf.activity_name",
+ "cloud.account.id",
+ "source.ip",
+ "destination.ip",
+ "event.outcome",
+ "network.iana_number"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4001"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4001"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Network Activity Essential Details [Logs Amazon Security Lake]",
+ "usesAdHocDataView": false
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T11:49:14.212Z",
+ "id": "amazon_security_lake-16a0aa00-26dd-11ee-a94e-bfa24df19b15",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "7.9.3"
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/kibana/search/amazon_security_lake-81902d50-2538-11ee-9f72-193490b86197.json b/packages/amazon_security_lake/kibana/search/amazon_security_lake-81902d50-2538-11ee-9f72-193490b86197.json
new file mode 100644
index 00000000000..08fe38e3bbd
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/search/amazon_security_lake-81902d50-2538-11ee-9f72-193490b86197.json
@@ -0,0 +1,129 @@
+{
+ "attributes": {
+ "columns": [
+ "ocsf.actor.user.account.uid",
+ "ocsf.api.service.name",
+ "ocsf.api.request.uid",
+ "ocsf.api.operation",
+ "ocsf.api.response.code",
+ "ocsf.api.response.message"
+ ],
+ "description": "",
+ "grid": {
+ "columns": {
+ "ocsf.actor.user.account.uid": {
+ "width": 193
+ },
+ "ocsf.api.operation": {
+ "width": 170
+ },
+ "ocsf.api.request.uid": {
+ "width": 154
+ },
+ "ocsf.api.response.code": {
+ "width": 169
+ },
+ "ocsf.api.response.message": {
+ "width": 195
+ },
+ "ocsf.api.service.name": {
+ "width": 169
+ }
+ }
+ },
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "6"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "6"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Application Activity Essential Details [Logs Amazon Security Lake]",
+ "usesAdHocDataView": false
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T11:49:14.212Z",
+ "id": "amazon_security_lake-81902d50-2538-11ee-9f72-193490b86197",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "7.9.3"
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/kibana/search/amazon_security_lake-93f1c2f0-262e-11ee-abb4-f9698f7e351e.json b/packages/amazon_security_lake/kibana/search/amazon_security_lake-93f1c2f0-262e-11ee-abb4-f9698f7e351e.json
new file mode 100644
index 00000000000..1fe76f5f387
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/search/amazon_security_lake-93f1c2f0-262e-11ee-abb4-f9698f7e351e.json
@@ -0,0 +1,117 @@
+{
+ "attributes": {
+ "columns": [
+ "ocsf.severity",
+ "ocsf.compliance.status",
+ "ocsf.state",
+ "ocsf.finding.title",
+ "ocsf.finding.types",
+ "ocsf.activity_name"
+ ],
+ "description": "",
+ "grid": {
+ "columns": {
+ "ocsf.compliance.status": {
+ "width": 170
+ },
+ "ocsf.severity": {
+ "width": 128
+ }
+ }
+ },
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "2"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "2"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Finding Essential Details [Logs Amazon Security Lake]",
+ "usesAdHocDataView": false
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T11:49:14.212Z",
+ "id": "amazon_security_lake-93f1c2f0-262e-11ee-abb4-f9698f7e351e",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "7.9.3"
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/kibana/search/amazon_security_lake-ab4090f0-2618-11ee-983a-17fb20a3b25d.json b/packages/amazon_security_lake/kibana/search/amazon_security_lake-ab4090f0-2618-11ee-983a-17fb20a3b25d.json
new file mode 100644
index 00000000000..0950bae299e
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/search/amazon_security_lake-ab4090f0-2618-11ee-983a-17fb20a3b25d.json
@@ -0,0 +1,131 @@
+{
+ "attributes": {
+ "columns": [
+ "ocsf.class_name",
+ "user.name",
+ "ocsf.auth_protocol",
+ "ocsf.logon_type",
+ "ocsf.activity_name"
+ ],
+ "description": "",
+ "grid": {
+ "columns": {
+ "ocsf.activity_name": {
+ "width": 211
+ },
+ "ocsf.api.operation": {
+ "width": 155
+ },
+ "ocsf.auth_protocol": {
+ "width": 236
+ },
+ "ocsf.category_name": {
+ "width": 141
+ },
+ "ocsf.class_name": {
+ "width": 187
+ },
+ "ocsf.logon_type": {
+ "width": 261
+ },
+ "user.name": {
+ "width": 163
+ }
+ }
+ },
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.category_uid",
+ "index": "logs-*",
+ "key": "ocsf.category_uid",
+ "negate": false,
+ "params": {
+ "query": "3"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.category_uid": "3"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Identity \u0026 Access Management Essential Details [Logs Amazon Security Lake]",
+ "usesAdHocDataView": false
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T11:49:14.212Z",
+ "id": "amazon_security_lake-ab4090f0-2618-11ee-983a-17fb20a3b25d",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "7.9.3"
+}
\ No newline at end of file
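Review bot: The `grid.columns` map in this saved search carries width entries for `ocsf.api.operation` and `ocsf.category_name`, neither of which appears in the `columns` list above it (`ocsf.class_name`, `user.name`, `ocsf.auth_protocol`, `ocsf.logon_type`, `ocsf.activity_name`). They look like leftovers from an earlier column set and are dead state in the exported object; dropping those two entries keeps `grid.columns` in step with `columns`, as it is in the other four searches in this commit. The saved object is otherwise consistent with its siblings (same `data_stream.dataset` filter, same reference names).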
diff --git a/packages/amazon_security_lake/kibana/search/amazon_security_lake-c2472e60-262e-11ee-a94e-bfa24df19b15.json b/packages/amazon_security_lake/kibana/search/amazon_security_lake-c2472e60-262e-11ee-a94e-bfa24df19b15.json
new file mode 100644
index 00000000000..21ea09655ba
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/search/amazon_security_lake-c2472e60-262e-11ee-a94e-bfa24df19b15.json
@@ -0,0 +1,107 @@
+{
+ "attributes": {
+ "columns": [
+ "ocsf.activity_name",
+ "dns.question.name",
+ "message",
+ "dns.response_code",
+ "event.outcome"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "logs-*",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "amazon_security_lake.event"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "amazon_security_lake.event"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "ocsf.class_uid",
+ "index": "logs-*",
+ "key": "ocsf.class_uid",
+ "negate": false,
+ "params": {
+ "query": "4003"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "ocsf.class_uid": "4003"
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "DNS Activity Essential Details [Logs Amazon Security Lake]",
+ "usesAdHocDataView": false
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-25T11:49:14.212Z",
+ "id": "amazon_security_lake-c2472e60-262e-11ee-a94e-bfa24df19b15",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "7.9.3"
+}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/kibana/tags.yml b/packages/amazon_security_lake/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/amazon_security_lake/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/amazon_security_lake/manifest.yml b/packages/amazon_security_lake/manifest.yml
new file mode 100644
index 00000000000..9a2e8217c18
--- /dev/null
+++ b/packages/amazon_security_lake/manifest.yml
@@ -0,0 +1,53 @@
+format_version: "3.0.0"
+name: amazon_security_lake
+title: Amazon Security Lake
+version: "0.4.0"
+description: Collect logs from Amazon Security Lake with Elastic Agent.
+type: integration
+categories: ["aws", "security"]
+conditions:
+ kibana:
+ version: ^8.11.0
+ elastic:
+ subscription: basic
+screenshots:
+ - src: /img/amazon-security-lake-overview-dashboard.png
+ title: Amazon Security Lake Overview Dashboard Screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/amazon-security-lake-findings-dashboard.png
+ title: Amazon Security Lake Findings Dashboard Screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/amazon-security-lake-identity-and-access-management-dashboard.png
+ title: Amazon Security Lake Identity And Access Management Dashboard Screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/amazon-security-lake-network-activity-dashboard.png
+ title: Amazon Security Lake Network Activity Dashboard Screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/amazon-security-lake-dns-activity-dashboard.png
+ title: Amazon Security Lake DNS Activity Dashboard Screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/amazon-security-lake-application-activity-dashboard.png
+ title: Amazon Security Lake Application Activity Dashboard Screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/amazon-security-lake-logo.svg
+ title: Amazon Security Lake Logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: amazon_security_lake
+ title: Amazon Security Lake logs
+ description: Collect logs from Amazon Security Lake instances.
+ inputs:
+ - type: aws-s3
+ title: Collect Amazon Security Lake logs via AWS S3 or AWS SQS
+ description: Collecting logs from Amazon Security Lake via AWS S3 or AWS SQS.
+owner:
+ github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/apache/changelog.yml b/packages/apache/changelog.yml
index bbb53b87efc..0c9405edc13 100644
--- a/packages/apache/changelog.yml
+++ b/packages/apache/changelog.yml
@@ -1,4 +1,14 @@
# newer versions go on top
+- version: "1.15.1"
+ changes:
+ - description: Add null check and ignore_missing check to the rename processor
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7845
+- version: "1.15.0"
+ changes:
+ - description: Add ability to set condition for logs and metrics.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7372
- version: "1.14.0"
changes:
- description: Enable time series data streams for the metrics datasets. This dramatically reduces storage for metrics and is expected to progressively improve query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.
diff --git a/packages/apache/data_stream/access/agent/stream/log.yml.hbs b/packages/apache/data_stream/access/agent/stream/log.yml.hbs
index c6e5ed4c737..de5eea39419 100644
--- a/packages/apache/data_stream/access/agent/stream/log.yml.hbs
+++ b/packages/apache/data_stream/access/agent/stream/log.yml.hbs
@@ -16,4 +16,7 @@ exclude_files: [".gz$"]
{{#if processors}}
processors:
{{processors}}
+{{/if}}
+{{#if condition}}
+condition: {{ condition }}
{{/if}}
\ No newline at end of file
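Review bot: The new `condition: {{ condition }}` line writes the policy variable into the YAML stream verbatim, so a value containing YAML-significant characters (an unquoted `: ` or a `#`) could change the rendered stream rather than fail cleanly; this is presumably the same rendering other packages in the repository use and the value comes from whoever edits the policy, so it is a note rather than a blocker, but a one-line comment above the block such as `{{!-- condition is a Fleet condition expression, rendered unquoted --}}` would make the expectation explicit. The spacing in `{{ condition }}` also differs from `{{processors}}` two lines above. The hunks in `error/agent/stream/log.yml.hbs` and `status/agent/stream/stream.yml.hbs` add the same block with the same spacing, and all three files are still left without a trailing newline.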
diff --git a/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml
index 574d5cbdbff..556390d4a14 100644
--- a/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml
@@ -13,6 +13,8 @@ processors:
- rename:
field: message
target_field: event.original
+ ignore_missing: true
+ if: 'ctx.event?.original == null'
- grok:
field: event.original
patterns:
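Review bot: The new `if: 'ctx.event?.original == null'` guard has no comment explaining why the rename became conditional, and the processor list continues outside the hunk. Presumably it covers documents that already carry `event.original` (for example on reindex), where an unconditional rename would overwrite it; when the guard is false, `message` is left in the document next to `event.original`, and whether a later processor removes it is not visible here. I would add above the `- rename:` entry: `# Skip when event.original is already populated (e.g. reprocessed documents) so it is not overwritten; ignore_missing covers documents with no message field.`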
diff --git a/packages/apache/data_stream/error/agent/stream/log.yml.hbs b/packages/apache/data_stream/error/agent/stream/log.yml.hbs
index 781c90981a4..38b2da9e4d2 100644
--- a/packages/apache/data_stream/error/agent/stream/log.yml.hbs
+++ b/packages/apache/data_stream/error/agent/stream/log.yml.hbs
@@ -17,4 +17,7 @@ processors:
- add_locale: ~
{{#if processors}}
{{processors}}
+{{/if}}
+{{#if condition}}
+condition: {{ condition }}
{{/if}}
\ No newline at end of file
diff --git a/packages/apache/data_stream/status/agent/stream/stream.yml.hbs b/packages/apache/data_stream/status/agent/stream/stream.yml.hbs
index 9c7975244ba..0ec9932f4f9 100644
--- a/packages/apache/data_stream/status/agent/stream/stream.yml.hbs
+++ b/packages/apache/data_stream/status/agent/stream/stream.yml.hbs
@@ -7,3 +7,6 @@ period: {{period}}
{{#if server_status_path}}
server_status_path: {{server_status_path}}
{{/if}}
+{{#if condition}}
+condition: {{ condition }}
+{{/if}}
\ No newline at end of file
diff --git a/packages/apache/manifest.yml b/packages/apache/manifest.yml
index c06d14aec76..d399ce20c8f 100644
--- a/packages/apache/manifest.yml
+++ b/packages/apache/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: apache
title: Apache HTTP Server
-version: "1.14.0"
+version: "1.15.1"
license: basic
source:
license: Elastic-2.0
@@ -36,6 +36,14 @@ policy_templates:
- type: logfile
title: Collect logs from Apache instances
description: Collecting Apache access and error logs
+ vars:
+ - name: condition
+ title: Condition
+ description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details.
+ type: text
+ multi: false
+ required: false
+ show_user: false
- type: httpjson
title: Collect logs from third-party REST API (experimental)
description: Collect logs from third-party REST API (experimental)
@@ -107,5 +115,12 @@ policy_templates:
show_user: true
default:
- http://127.0.0.1
+ - name: condition
+ title: Condition
+ description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details.
+ type: text
+ multi: false
+ required: false
+ show_user: false
owner:
github: elastic/obs-infraobs-integrations
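Review bot: The `condition` var added to the `httpjson` input in this hunk has no matching template change in the diff: the commit only adds `condition:` rendering to `access/agent/stream/log.yml.hbs`, `error/agent/stream/log.yml.hbs` and `status/agent/stream/stream.yml.hbs`, so unless the httpjson stream templates already render `{{ condition }}` the value will be accepted by the policy editor and silently ignored. The var block is also duplicated verbatim between the logfile input (previous hunk) and this one, which the manifest format requires but means the two descriptions must be kept in sync by hand. The policy_templates list continues outside the hunk.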
diff --git a/packages/apache_spark/_dev/build/docs/README.md b/packages/apache_spark/_dev/build/docs/README.md
index fe027d37b1e..32b8147a622 100644
--- a/packages/apache_spark/_dev/build/docs/README.md
+++ b/packages/apache_spark/_dev/build/docs/README.md
@@ -63,6 +63,10 @@ Restart Spark master.
Follow the same set of steps for Spark Worker, Driver and Executor.
+### Troubleshooting
+
+If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Application``, ``Driver``, ``Executor`` and ``Node`` data stream's indices.
+
## Metrics
### Application
diff --git a/packages/apache_spark/changelog.yml b/packages/apache_spark/changelog.yml
index 5155c3d6367..9529381cc10 100644
--- a/packages/apache_spark/changelog.yml
+++ b/packages/apache_spark/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: "0.6.3"
+ changes:
+ - description: Update Apache Spark logo.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7830
+- version: "0.6.2"
+ changes:
+ - description: Resolve the conflicts in host.ip field
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7468
+- version: "0.6.1"
+ changes:
+ - description: Remove incorrect filter from the visualizations
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7467
- version: "0.6.0"
changes:
- description: Rename ownership from obs-service-integrations to obs-infraobs-integrations
diff --git a/packages/apache_spark/data_stream/application/fields/ecs.yml b/packages/apache_spark/data_stream/application/fields/ecs.yml
index ded177ab1a7..280e296f9e9 100644
--- a/packages/apache_spark/data_stream/application/fields/ecs.yml
+++ b/packages/apache_spark/data_stream/application/fields/ecs.yml
@@ -1,12 +1,20 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.dataset
- external: ecs
name: event.kind
- external: ecs
- name: event.type
+ name: event.module
- external: ecs
- name: ecs.version
+ name: event.type
- external: ecs
- name: tags
+ name: host.ip
- external: ecs
name: service.address
- external: ecs
name: service.type
+- external: ecs
+ name: tags
diff --git a/packages/apache_spark/data_stream/driver/fields/ecs.yml b/packages/apache_spark/data_stream/driver/fields/ecs.yml
index ded177ab1a7..280e296f9e9 100644
--- a/packages/apache_spark/data_stream/driver/fields/ecs.yml
+++ b/packages/apache_spark/data_stream/driver/fields/ecs.yml
@@ -1,12 +1,20 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.dataset
- external: ecs
name: event.kind
- external: ecs
- name: event.type
+ name: event.module
- external: ecs
- name: ecs.version
+ name: event.type
- external: ecs
- name: tags
+ name: host.ip
- external: ecs
name: service.address
- external: ecs
name: service.type
+- external: ecs
+ name: tags
diff --git a/packages/apache_spark/data_stream/executor/fields/ecs.yml b/packages/apache_spark/data_stream/executor/fields/ecs.yml
index ded177ab1a7..280e296f9e9 100644
--- a/packages/apache_spark/data_stream/executor/fields/ecs.yml
+++ b/packages/apache_spark/data_stream/executor/fields/ecs.yml
@@ -1,12 +1,20 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.dataset
- external: ecs
name: event.kind
- external: ecs
- name: event.type
+ name: event.module
- external: ecs
- name: ecs.version
+ name: event.type
- external: ecs
- name: tags
+ name: host.ip
- external: ecs
name: service.address
- external: ecs
name: service.type
+- external: ecs
+ name: tags
diff --git a/packages/apache_spark/data_stream/node/fields/ecs.yml b/packages/apache_spark/data_stream/node/fields/ecs.yml
index ded177ab1a7..280e296f9e9 100644
--- a/packages/apache_spark/data_stream/node/fields/ecs.yml
+++ b/packages/apache_spark/data_stream/node/fields/ecs.yml
@@ -1,12 +1,20 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.dataset
- external: ecs
name: event.kind
- external: ecs
- name: event.type
+ name: event.module
- external: ecs
- name: ecs.version
+ name: event.type
- external: ecs
- name: tags
+ name: host.ip
- external: ecs
name: service.address
- external: ecs
name: service.type
+- external: ecs
+ name: tags
diff --git a/packages/apache_spark/docs/README.md b/packages/apache_spark/docs/README.md
index 35b69abb1de..4dd6d17c2e4 100644
--- a/packages/apache_spark/docs/README.md
+++ b/packages/apache_spark/docs/README.md
@@ -63,6 +63,10 @@ Restart Spark master.
Follow the same set of steps for Spark Worker, Driver and Executor.
+### Troubleshooting
+
+If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Application``, ``Driver``, ``Executor`` and ``Node`` data stream's indices.
+
## Metrics
### Application
@@ -156,8 +160,12 @@ An example event for `application` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.ip | Host ip addresses. | ip |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
| tags | List of keywords used to tag each event. | keyword |
@@ -325,8 +333,12 @@ An example event for `driver` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.ip | Host ip addresses. | ip |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
| tags | List of keywords used to tag each event. | keyword |
@@ -491,8 +503,12 @@ An example event for `executor` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.ip | Host ip addresses. | ip |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
| tags | List of keywords used to tag each event. | keyword |
@@ -600,8 +616,12 @@ An example event for `node` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.ip | Host ip addresses. | ip |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
| tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/apache_spark/img/apache_spark-logo.svg b/packages/apache_spark/img/apache_spark-logo.svg
index b70fe9f2238..5f7f6f460cd 100644
--- a/packages/apache_spark/img/apache_spark-logo.svg
+++ b/packages/apache_spark/img/apache_spark-logo.svg
@@ -1,123 +1 @@
-
-
-
+
\ No newline at end of file
diff --git a/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json b/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json
index f440b9f3a39..197c1863e79 100644
--- a/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json
+++ b/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json
@@ -597,12 +597,7 @@
},
{
"id": "metrics-*",
- "name": "dc8a3118-0580-4875-a323-3e5a8e12e731",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "74dfc7a8-6d13-4ca1-92dd-3ecd9dfc5a41",
+ "name": "cd121fe6-bb0a-4217-b691-dd52c2100256",
"type": "index-pattern"
}
],
@@ -671,7 +666,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "dc8a3118-0580-4875-a323-3e5a8e12e731",
+ "index": "cd121fe6-bb0a-4217-b691-dd52c2100256",
"key": "event.dataset",
"negate": false,
"params": {
@@ -684,25 +679,6 @@
"event.dataset": "apache_spark.driver"
}
}
- },
- {
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "index": "74dfc7a8-6d13-4ca1-92dd-3ecd9dfc5a41",
- "key": "apache_spark.driver.tasks.completed",
- "negate": false,
- "type": "exists",
- "value": "exists"
- },
- "query": {
- "exists": {
- "field": "apache_spark.driver.tasks.completed"
- }
- }
}
],
"query": {
@@ -1181,12 +1157,7 @@
},
{
"id": "metrics-*",
- "name": "5db88011-6682-4806-b1f1-f0d738dd193b",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "9c84d414-1f94-4ad0-ac80-fa876871f52e",
+ "name": "c5b4b675-16d1-4ea2-8bdf-6645d970eed2",
"type": "index-pattern"
}
],
@@ -1255,7 +1226,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "5db88011-6682-4806-b1f1-f0d738dd193b",
+ "index": "c5b4b675-16d1-4ea2-8bdf-6645d970eed2",
"key": "event.dataset",
"negate": false,
"params": {
@@ -1268,25 +1239,6 @@
"event.dataset": "apache_spark.executor"
}
}
- },
- {
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "index": "9c84d414-1f94-4ad0-ac80-fa876871f52e",
- "key": "apache_spark.executor.threadpool.complete_tasks",
- "negate": false,
- "type": "exists",
- "value": "exists"
- },
- "query": {
- "exists": {
- "field": "apache_spark.executor.threadpool.complete_tasks"
- }
- }
}
],
"query": {
@@ -1545,12 +1497,12 @@
},
{
"id": "metrics-*",
- "name": "e5897d1f-1cbe-4c21-8839-2febca793277",
+ "name": "b972e024-53b4-4a9f-8b87-25082e082b47",
"type": "index-pattern"
},
{
"id": "metrics-*",
- "name": "121f59c6-c392-4e47-9cad-3ca03bdc50b1",
+ "name": "975ed76d-8b6a-4f8d-9dc8-bc4e74001665",
"type": "index-pattern"
}
],
@@ -1568,7 +1520,10 @@
"dataType": "number",
"isBucketed": false,
"label": "Records Read",
- "operationType": "max",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
"scale": "ratio",
"sourceField": "apache_spark.executor.records.read"
}
@@ -1586,7 +1541,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "e5897d1f-1cbe-4c21-8839-2febca793277",
+ "index": "b972e024-53b4-4a9f-8b87-25082e082b47",
"key": "event.dataset",
"negate": false,
"params": {
@@ -1607,7 +1562,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "121f59c6-c392-4e47-9cad-3ca03bdc50b1",
+ "index": "975ed76d-8b6a-4f8d-9dc8-bc4e74001665",
"key": "apache_spark.executor.records.read",
"negate": false,
"type": "exists",
@@ -1665,12 +1620,12 @@
},
{
"id": "metrics-*",
- "name": "76c995fa-3bfc-41c5-8b5d-91d5414c75df",
+ "name": "cffd3ad8-723b-4694-bf3e-9d8a826ce05e",
"type": "index-pattern"
},
{
"id": "metrics-*",
- "name": "bbb8e53b-72ff-4438-b4ae-c13c943a4887",
+ "name": "a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8",
"type": "index-pattern"
}
],
@@ -1688,7 +1643,10 @@
"dataType": "number",
"isBucketed": false,
"label": "Records Written",
- "operationType": "max",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
"scale": "ratio",
"sourceField": "apache_spark.executor.records.written"
}
@@ -1706,7 +1664,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "76c995fa-3bfc-41c5-8b5d-91d5414c75df",
+ "index": "cffd3ad8-723b-4694-bf3e-9d8a826ce05e",
"key": "event.dataset",
"negate": false,
"params": {
@@ -1727,7 +1685,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "bbb8e53b-72ff-4438-b4ae-c13c943a4887",
+ "index": "a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8",
"key": "apache_spark.executor.records.written",
"negate": false,
"type": "exists",
@@ -2173,7 +2131,7 @@
},
{
"id": "metrics-*",
- "name": "3c4d7129-299a-435c-ac1d-8c7088a33ef8",
+ "name": "c5d1d4ff-3497-4067-96b3-8dedc2f58de8",
"type": "index-pattern"
}
],
@@ -2191,7 +2149,10 @@
"dataType": "number",
"isBucketed": false,
"label": "Number of Cores Used",
- "operationType": "max",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
"scale": "ratio",
"sourceField": "apache_spark.node.worker.cores.used"
}
@@ -2209,7 +2170,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "3c4d7129-299a-435c-ac1d-8c7088a33ef8",
+ "index": "c5d1d4ff-3497-4067-96b3-8dedc2f58de8",
"key": "event.dataset",
"negate": false,
"params": {
@@ -2270,7 +2231,7 @@
},
{
"id": "metrics-*",
- "name": "f8d47e84-2b01-4c09-b2b2-4a1d2d4c6e5f",
+ "name": "c413b9be-9a11-47d9-8d15-8059ff9a02ad",
"type": "index-pattern"
}
],
@@ -2288,7 +2249,10 @@
"dataType": "number",
"isBucketed": false,
"label": "Memory Used (MB)",
- "operationType": "max",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
"scale": "ratio",
"sourceField": "apache_spark.node.worker.memory.used"
}
@@ -2306,7 +2270,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "f8d47e84-2b01-4c09-b2b2-4a1d2d4c6e5f",
+ "index": "c413b9be-9a11-47d9-8d15-8059ff9a02ad",
"key": "event.dataset",
"negate": false,
"params": {
@@ -2581,12 +2545,7 @@
},
{
"id": "metrics-*",
- "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:dc8a3118-0580-4875-a323-3e5a8e12e731",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:74dfc7a8-6d13-4ca1-92dd-3ecd9dfc5a41",
+ "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:cd121fe6-bb0a-4217-b691-dd52c2100256",
"type": "index-pattern"
},
{
@@ -2661,12 +2620,7 @@
},
{
"id": "metrics-*",
- "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:5db88011-6682-4806-b1f1-f0d738dd193b",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:9c84d414-1f94-4ad0-ac80-fa876871f52e",
+ "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:c5b4b675-16d1-4ea2-8bdf-6645d970eed2",
"type": "index-pattern"
},
{
@@ -2711,12 +2665,12 @@
},
{
"id": "metrics-*",
- "name": "75c23769-a2bd-4825-b20a-d140aeb36175:e5897d1f-1cbe-4c21-8839-2febca793277",
+ "name": "75c23769-a2bd-4825-b20a-d140aeb36175:b972e024-53b4-4a9f-8b87-25082e082b47",
"type": "index-pattern"
},
{
"id": "metrics-*",
- "name": "75c23769-a2bd-4825-b20a-d140aeb36175:121f59c6-c392-4e47-9cad-3ca03bdc50b1",
+ "name": "75c23769-a2bd-4825-b20a-d140aeb36175:975ed76d-8b6a-4f8d-9dc8-bc4e74001665",
"type": "index-pattern"
},
{
@@ -2731,12 +2685,12 @@
},
{
"id": "metrics-*",
- "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:76c995fa-3bfc-41c5-8b5d-91d5414c75df",
+ "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:cffd3ad8-723b-4694-bf3e-9d8a826ce05e",
"type": "index-pattern"
},
{
"id": "metrics-*",
- "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:bbb8e53b-72ff-4438-b4ae-c13c943a4887",
+ "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8",
"type": "index-pattern"
},
{
@@ -2806,7 +2760,7 @@
},
{
"id": "metrics-*",
- "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:3c4d7129-299a-435c-ac1d-8c7088a33ef8",
+ "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:c5d1d4ff-3497-4067-96b3-8dedc2f58de8",
"type": "index-pattern"
},
{
@@ -2821,7 +2775,7 @@
},
{
"id": "metrics-*",
- "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:f8d47e84-2b01-4c09-b2b2-4a1d2d4c6e5f",
+ "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:c413b9be-9a11-47d9-8d15-8059ff9a02ad",
"type": "index-pattern"
},
{
diff --git a/packages/apache_spark/kibana/lens/apache_spark-114428e0-c165-11ec-97dc-abb2b7efe8a8.json b/packages/apache_spark/kibana/lens/apache_spark-114428e0-c165-11ec-97dc-abb2b7efe8a8.json
index 1c44a23c8de..dae40f1aa87 100644
--- a/packages/apache_spark/kibana/lens/apache_spark-114428e0-c165-11ec-97dc-abb2b7efe8a8.json
+++ b/packages/apache_spark/kibana/lens/apache_spark-114428e0-c165-11ec-97dc-abb2b7efe8a8.json
@@ -19,14 +19,15 @@
},
"isBucketed": false,
"label": "Bytes Read",
- "operationType": "max",
+ "operationType": "last_value",
"params": {
"format": {
"id": "bytes",
"params": {
"decimals": 2
}
- }
+ },
+ "sortField": "@timestamp"
},
"scale": "ratio",
"sourceField": "apache_spark.executor.bytes.read"
diff --git a/packages/apache_spark/kibana/lens/apache_spark-478726a0-c165-11ec-97dc-abb2b7efe8a8.json b/packages/apache_spark/kibana/lens/apache_spark-478726a0-c165-11ec-97dc-abb2b7efe8a8.json
index d82c7b90980..9171bc4c9c5 100644
--- a/packages/apache_spark/kibana/lens/apache_spark-478726a0-c165-11ec-97dc-abb2b7efe8a8.json
+++ b/packages/apache_spark/kibana/lens/apache_spark-478726a0-c165-11ec-97dc-abb2b7efe8a8.json
@@ -19,14 +19,15 @@
},
"isBucketed": false,
"label": "Bytes Written",
- "operationType": "max",
+ "operationType": "last_value",
"params": {
"format": {
"id": "bytes",
"params": {
"decimals": 2
}
- }
+ },
+ "sortField": "@timestamp"
},
"scale": "ratio",
"sourceField": "apache_spark.executor.bytes.written"
diff --git a/packages/apache_spark/manifest.yml b/packages/apache_spark/manifest.yml
index 9403f579ac2..65dd3121cc2 100644
--- a/packages/apache_spark/manifest.yml
+++ b/packages/apache_spark/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: apache_spark
title: Apache Spark
-version: "0.6.0"
+version: "0.6.3"
license: basic
description: Collect metrics from Apache Spark with Elastic Agent.
type: integration
diff --git a/packages/apache_tomcat/_dev/build/docs/README.md b/packages/apache_tomcat/_dev/build/docs/README.md
index b4833abc80d..9b0933ee5a3 100644
--- a/packages/apache_tomcat/_dev/build/docs/README.md
+++ b/packages/apache_tomcat/_dev/build/docs/README.md
@@ -6,7 +6,7 @@
Use the Apache Tomcat integration to:
-- Collect metrics related to the cache and request and collect logs related to access, catalina, and localhost.
+- Collect metrics related to the cache, connection pool, memory, request, session and thread pool and collect logs related to access, catalina, and localhost.
- Create visualizations to monitor, measure and analyze the usage trend and key data, and derive business insights.
- Create alerts to reduce the MTTD and also the MTTR by referencing relevant logs when troubleshooting an issue.
@@ -16,14 +16,18 @@ The Apache Tomcat integration collects logs and metrics data.
Logs help you keep a record of events that happen on your machine. The `Log` data streams collected by Apache Tomcat integration are `access`, `catalina`, and `localhost`, so that users can keep track of the IP addresses of the clients, bytes returned to the client or sent by clients, etc., so that users could monitor and troubleshoot the performance of Java applications.
-Metrics give you insight into the statistics of the Apache Tomcat. The `Metric` data streams collected by the Apache Tomcat integration are `cache` and `request`, so that the user can monitor and troubleshoot the performance of the Apache Tomcat instance.
+Metrics give you insight into the statistics of the Apache Tomcat. The `Metric` data streams collected by the Apache Tomcat integration are `cache`, `connection pool`, `memory`, `request`, `session` and `thread pool`, so that the user can monitor and troubleshoot the performance of the Apache Tomcat instance.
Data streams:
- `access`: Collects information related to overall performance of Java applications.
+- `cache`: Collects information related to the overall cache of the Apache Tomcat instance.
- `catalina`: Collects information related to the startup and shutdown of the Apache Tomcat application server, the deployment of new applications, or the failure of one or more subsystems.
+- `connection pool`: Collects information related to connection pool such as number of active and idle connections.
- `localhost`: Collects information related to Web application activity which is related to HTTP transactions between the application server and the client.
-- `cache`: Collects information related to the overall cache of the Apache Tomcat instance.
+- `memory`: Collects information related to heap memory, non-heap memory and garbage collection of the Tomcat instance.
- `request`: Collects information related to requests of the Apache Tomcat instance.
+- `thread pool`: Collects information related to the overall states of the threads, CPU time and processing termination time of the threads in the Tomcat instance.
+- `session`: Collects information related to overall created, active and expired sessions of the Tomcat instance.
Note:
- Users can monitor and see the log inside the ingested documents for Apache Tomcat in the `logs-*` index pattern from `Discover`, and for metrics, the index pattern is `metrics-*`.
@@ -48,14 +52,14 @@ For step-by-step instructions on how to set up an integration, see the [Getting
Here are the steps to configure Prometheus in Apache Tomcat instance:
-1. Go to `/webapps` from Apache Tomcat instance.
+1. Go to `/webapps` from Apache Tomcat instance.
2. Please find latest [Prometheus version](https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/), replace in below command and perform from Apache Tomcat instance: -
```
wget https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent//jmx_prometheus_javaagent-.jar
```
-3. Create `config.yml` file in `/webapps` and paste the following content in `config.yml` file: -
+3. Create `config.yml` file in `/webapps` and paste the following content in `config.yml` file: -
```
rules:
@@ -64,7 +68,7 @@ rules:
4. Go to `/etc/systemd/system` and add the following content in `tomcat.service` file: -
```
-Environment='JAVA_OPTS=-javaagent:/webapps/jmx_prometheus_javaagent-.jar=:/opt/tomcat/webapps/config.yml'
+Environment='JAVA_OPTS=-javaagent:/webapps/jmx_prometheus_javaagent-.jar=:/opt/tomcat/webapps/config.yml'
```
5. Run the following commands to reload demon and restart Apache Tomcat instance: -
@@ -78,7 +82,7 @@ systemctl restart tomcat
Here are the steps to configure Log format in Apache Tomcat instance:
-1. Go to `/conf/server.xml` from Apache Tomcat instance.
+1. Go to `/conf/server.xml` from Apache Tomcat instance.
2. The user can update the log format in the pattern field of the class `org.apache.catalina.valves.AccessLogValve`. Here is an example of the `org.apache.catalina.valves.AccessLogValve` class.
@@ -101,6 +105,18 @@ Combined Log Format + X-Forwarded-For header :- '%h %l %u %t "%r" %s %b %A %X %T
systemctl restart tomcat
```
+## Supported log formats for Catalina and Localhost logs:
+
+- With error stack trace:
+```
+dd-MMM-yyyy HH:mm:ss.SSS [Severity] [Subsystem] [Message Text] [Error Stack Trace]
+```
+
+- Without error stack trace:
+```
+dd-MMM-yyyy HH:mm:ss.SSS [Severity] [Subsystem] [Message Text]
+```
+
Note:
- Restarting Apache Tomcat does not affect the virtual desktops that are currently running. It will only prevent new users from logging in for the duration of the restart process (typically several seconds).
@@ -165,10 +181,42 @@ This is the `Cache` data stream. This data stream collects metrics related to th
{{fields "cache"}}
+### Connection Pool
+
+This is the `connection pool` data stream. This data stream collects metrics related to connection pool such as number of active and idle connections.
+
+{{event "connection_pool"}}
+
+{{fields "connection_pool"}}
+
+### Memory
+
+This is the `memory` data stream. This data stream collects metrics related to the heap memory, non-heap memory, garbage collection time and count.
+
+{{event "memory"}}
+
+{{fields "memory"}}
+
### Request
This is the `Request` data stream. This data stream collects metrics related to request count, and amount of data received and sent.
{{event "request"}}
-{{fields "request"}}
\ No newline at end of file
+{{fields "request"}}
+
+### Session
+
+This is the `session` data stream. This data stream collects metrics related to created, active, expired and rejected sessions, alive and processing time for sessions.
+
+{{event "session"}}
+
+{{fields "session"}}
+
+### Thread Pool
+
+This is the `thread pool` data stream. This data stream collects metrics related to the total, active, current, daemon, busy and peak threads, CPU time and processing termination time of the threads.
+
+{{event "thread_pool"}}
+
+{{fields "thread_pool"}}
diff --git a/packages/apache_tomcat/_dev/deploy/docker/configs/context.xml b/packages/apache_tomcat/_dev/deploy/docker/configs/context.xml
new file mode 100644
index 00000000000..8babf2395e2
--- /dev/null
+++ b/packages/apache_tomcat/_dev/deploy/docker/configs/context.xml
@@ -0,0 +1,22 @@
+
+
+ WEB-INF/web.xml
+ WEB-INF/tomcat-web.xml
+ ${catalina.base}/conf/web.xml
+
+
+
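Review bot: The hunk as rendered here has lost its XML markup (only the text of what look like Tomcat `WatchedResource` entries survives), so the 22 added lines cannot be reviewed for content. The docker-compose change in this same commit mounts this file over the image's `conf/context.xml`, which means it replaces the stock context for the system-test container rather than extending it. A leading comment stating why the override exists would help the next reader, e.g. `<!-- Custom context for the system-test container; replaces the image's default conf/context.xml (mounted by _dev/deploy/docker/docker-compose.yml). -->`.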
diff --git a/packages/apache_tomcat/_dev/deploy/docker/docker-compose.yml b/packages/apache_tomcat/_dev/deploy/docker/docker-compose.yml
index 442b6587f14..ca1e60a414f 100644
--- a/packages/apache_tomcat/_dev/deploy/docker/docker-compose.yml
+++ b/packages/apache_tomcat/_dev/deploy/docker/docker-compose.yml
@@ -7,6 +7,7 @@ services:
volumes:
- ./setup/:/usr/local/tomcat/webapps/:rw
- ${SERVICE_LOGS_DIR}:/usr/local/tomcat/logs
+ - ./configs/context.xml:/usr/local/tomcat/conf/context.xml
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080"]
interval: 30s
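Review bot: The new `context.xml` bind mount carries no access mode, so Tomcat's `conf/context.xml` inside the container stays writable from the container side, while the neighbouring `./setup/` mount states `:rw` explicitly. This file is configuration the service only needs to read, so I'd mount it read-only and make the mode explicit: `- ./configs/context.xml:/usr/local/tomcat/conf/context.xml:ro`.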
diff --git a/packages/apache_tomcat/changelog.yml b/packages/apache_tomcat/changelog.yml
index 26004d121a6..2ea70c4f228 100644
--- a/packages/apache_tomcat/changelog.yml
+++ b/packages/apache_tomcat/changelog.yml
@@ -1,4 +1,49 @@
# newer versions go on top
+- version: "0.12.3"
+ changes:
+ - description: Add null check and ignore_missing check to the rename processor
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7845
+- version: "0.12.2"
+ changes:
+ - description: Remove forwarded tag from metrics data streams.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7824
+- version: "0.12.1"
+ changes:
+ - description: Add supported log formats for Catalina and Localhost logs in README.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7099
+- version: "0.12.0"
+ changes:
+ - description: Add overview dashboards for logs and metrics.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6982
+- version: "0.11.0"
+ changes:
+ - description: Apache Tomcat integration package with "connection_pool" data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6596
+- version: "0.10.0"
+ changes:
+ - description: Apache Tomcat integration package with "thread_pool" data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6609
+- version: "0.9.0"
+ changes:
+ - description: Apache Tomcat integration package with "memory" data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6527
+- version: "0.8.0"
+ changes:
+ - description: Update the processor description link.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6891
+- version: "0.7.0"
+ changes:
+ - description: Apache Tomcat integration package with "session" data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6573
- version: "0.6.0"
changes:
- description: Rename ownership from obs-service-integrations to obs-infraobs-integrations
diff --git a/packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml
index 8c658a5bdbc..cc55c87ff41 100644
--- a/packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml
@@ -20,6 +20,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- grok:
field: event.original
tag: 'grok_parse_log'
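Review bot: The new `if: 'ctx.event?.original == null'` turns the rename into a conditional one and the reason is not stated in the hunk: when `event.original` already exists the rename is skipped and `message` is left in place, so both fields remain on the document when the grok processor reads `event.original` (the rest of the pipeline continues outside the hunk). A one-line comment would spare the next reader the guess, e.g. `# Keep an event.original already populated upstream instead of overwriting it; grok below reads event.original.`. The same guard is added to the catalina pipeline in this commit and wants the same comment.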
diff --git a/packages/apache_tomcat/data_stream/access/manifest.yml b/packages/apache_tomcat/data_stream/access/manifest.yml
index 1b589c94ae5..2670a5d0aa7 100644
--- a/packages/apache_tomcat/data_stream/access/manifest.yml
+++ b/packages/apache_tomcat/data_stream/access/manifest.yml
@@ -35,7 +35,7 @@ streams:
multi: false
required: false
show_user: false
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
template_path: filestream.yml.hbs
title: Apache Tomcat Access logs
description: Collect Apache Tomcat Access logs.
diff --git a/packages/apache_tomcat/data_stream/cache/agent/stream/stream.yml.hbs b/packages/apache_tomcat/data_stream/cache/agent/stream/stream.yml.hbs
index 304de45e30c..67aaa7d5002 100644
--- a/packages/apache_tomcat/data_stream/cache/agent/stream/stream.yml.hbs
+++ b/packages/apache_tomcat/data_stream/cache/agent/stream/stream.yml.hbs
@@ -19,9 +19,6 @@ tags:
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
{{#if processors}}
processors:
{{processors}}
diff --git a/packages/apache_tomcat/data_stream/cache/manifest.yml b/packages/apache_tomcat/data_stream/cache/manifest.yml
index daafc421825..2ff0625d09c 100644
--- a/packages/apache_tomcat/data_stream/cache/manifest.yml
+++ b/packages/apache_tomcat/data_stream/cache/manifest.yml
@@ -17,7 +17,6 @@ streams:
required: true
show_user: false
default:
- - forwarded
- apache_tomcat-cache
- name: processors
type: yaml
@@ -25,7 +24,7 @@ streams:
multi: false
required: false
show_user: false
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
template_path: stream.yml.hbs
title: Apache Tomcat Cache metrics
description: Collect Apache Tomcat Cache metrics.
diff --git a/packages/apache_tomcat/data_stream/cache/sample_event.json b/packages/apache_tomcat/data_stream/cache/sample_event.json
index 7ec6458dd4a..20ecbd3dcc3 100644
--- a/packages/apache_tomcat/data_stream/cache/sample_event.json
+++ b/packages/apache_tomcat/data_stream/cache/sample_event.json
@@ -94,7 +94,6 @@
"type": "prometheus"
},
"tags": [
- "forwarded",
"apache_tomcat-cache"
]
}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/catalina/elasticsearch/ingest_pipeline/default.yml b/packages/apache_tomcat/data_stream/catalina/elasticsearch/ingest_pipeline/default.yml
index aa1a5784d7c..5b7a0ca1434 100644
--- a/packages/apache_tomcat/data_stream/catalina/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/apache_tomcat/data_stream/catalina/elasticsearch/ingest_pipeline/default.yml
@@ -20,6 +20,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- grok:
field: event.original
tag: 'grok_parse_log'
diff --git a/packages/apache_tomcat/data_stream/catalina/manifest.yml b/packages/apache_tomcat/data_stream/catalina/manifest.yml
index 81d13003012..6cf28aa119c 100644
--- a/packages/apache_tomcat/data_stream/catalina/manifest.yml
+++ b/packages/apache_tomcat/data_stream/catalina/manifest.yml
@@ -44,7 +44,7 @@ streams:
multi: false
required: false
show_user: false
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
template_path: filestream.yml.hbs
title: Apache Tomcat Catalina logs
description: Collect Apache Tomcat Catalina logs.
diff --git a/packages/apache_tomcat/data_stream/connection_pool/_dev/test/pipeline/test-common-config.yml b/packages/apache_tomcat/data_stream/connection_pool/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..c39dc386179
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,2 @@
+dynamic_fields:
+ event.ingested: ".*"
diff --git a/packages/apache_tomcat/data_stream/connection_pool/_dev/test/pipeline/test-conection-pool-metrics.json b/packages/apache_tomcat/data_stream/connection_pool/_dev/test/pipeline/test-conection-pool-metrics.json
new file mode 100644
index 00000000000..b2df19f8dfa
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/_dev/test/pipeline/test-conection-pool-metrics.json
@@ -0,0 +1,52 @@
+{
+ "events": [
+ {
+ "prometheus": {
+ "labels": {
+ "host": "localhost",
+ "context": "/sample",
+ "name": "jdbc/MyDB",
+ "instance": "127.0.0.1:9090",
+ "job": "prometheus"
+ },
+ "metrics": {
+ "Catalina_DataSource_accessToUnderlyingConnectionAllowed": 0,
+ "Catalina_DataSource_cacheState": 1,
+ "Catalina_DataSource_removeAbandonedOnBorrow": 0,
+ "Catalina_DataSource_abandonedUsageTracking": 0,
+ "Catalina_DataSource_autoCommitOnReturn": 1,
+ "Catalina_DataSource_closed": 0,
+ "Catalina_DataSource_numActive": 0,
+ "Catalina_DataSource_defaultTransactionIsolation": -1,
+ "Catalina_DataSource_enableAutoCommitOnReturn": 1,
+ "Catalina_DataSource_fastFailValidation": 0,
+ "Catalina_DataSource_numIdle": 0,
+ "Catalina_DataSource_logAbandoned": 0,
+ "Catalina_DataSource_maxOpenPreparedStatements": 0,
+ "Catalina_DataSource_maxIdle": 20,
+ "Catalina_DataSource_minIdle": 5,
+ "Catalina_DataSource_softMinEvictableIdleTimeMillis": -1,
+ "Catalina_DataSource_numTestsPerEvictionRun": 3,
+ "Catalina_DataSource_initialSize": 0,
+ "Catalina_DataSource_maxConnLifetimeMillis": -1,
+ "Catalina_DataSource_maxWaitMillis": -1,
+ "Catalina_DataSource_logExpiredConnections": 1,
+ "Catalina_DataSource_minEvictableIdleTimeMillis": 1800000,
+ "Catalina_DataSource_removeAbandonedOnMaintenance": 0,
+ "Catalina_DataSource_removeAbandonedTimeout": 300,
+ "Catalina_DataSource_rollbackOnReturn": 1,
+ "Catalina_DataSource_testOnReturn": 0,
+ "Catalina_DataSource_testWhileIdle": 0,
+ "Catalina_DataSource_timeBetweenEvictionRunsMillis": -1,
+ "Catalina_DataSource_validationQueryTimeout": -1,
+ "Catalina_DataSource_clearStatementPoolOnReturn": 0,
+ "Catalina_DataSource_lifo": 1,
+ "Catalina_DataSource_maxTotal": 8,
+ "Catalina_DataSource_poolPreparedStatements": 0,
+ "Catalina_DataSource_testOnBorrow": 1,
+ "Catalina_DataSource_testOnCreate": 0
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
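Review bot: The fixture's file name is misspelled, `test-conection-pool-metrics.json` (and its `-expected.json` counterpart in the next hunk); since pipeline test names double as the documented test cases for the data stream, I'd rename both to `test-connection-pool-metrics.json` and `test-connection-pool-metrics.json-expected.json` before more fixtures copy the pattern. The content itself reads as a minimal Prometheus collector event matching the `Catalina_DataSource_*` filter used by the stream template.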
diff --git a/packages/apache_tomcat/data_stream/connection_pool/_dev/test/pipeline/test-conection-pool-metrics.json-expected.json b/packages/apache_tomcat/data_stream/connection_pool/_dev/test/pipeline/test-conection-pool-metrics.json-expected.json
new file mode 100644
index 00000000000..27f7a1d90ab
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/_dev/test/pipeline/test-conection-pool-metrics.json-expected.json
@@ -0,0 +1,95 @@
+{
+ "expected": [
+ {
+ "apache_tomcat": {
+ "connection_pool": {
+ "access_to_underlying_connection_allowed": false,
+ "application_name": "/sample",
+ "cache": {
+ "state": 1
+ },
+ "connection": {
+ "abandoned_usage_tracking": false,
+ "active": {
+ "count": 0
+ },
+ "autocommit_on_return": true,
+ "clear_statement_pool_on_return": false,
+ "closed": false,
+ "database": {
+ "time": {
+ "max": {
+ "ms": -1
+ }
+ }
+ },
+ "default_transaction_isolation": -1,
+ "enable_autocommit_on_return": true,
+ "fast_fail_validation": false,
+ "idle": {
+ "count": 0,
+ "exists": false,
+ "max": {
+ "count": 20,
+ "size": 0,
+ "time": {
+ "ms": 3
+ }
+ },
+ "min": {
+ "size": 5,
+ "time": {
+ "ms": -1
+ }
+ }
+ },
+ "initial_size": {
+ "count": 0
+ },
+ "lifetime": {
+ "max": {
+ "ms": -1
+ }
+ },
+ "log_expired": true,
+ "min_evictable_idle": {
+ "time": 1800000
+ },
+ "remove_abandoned_on_borrow": false,
+ "remove_abandoned_on_maintenance": false,
+ "remove_abandoned_timeout": 300,
+ "rollback_on_return": true,
+ "test_on_return": false,
+ "test_while_idle": false,
+ "time_betwen_eviction_run": {
+ "time": {
+ "ms": -1
+ }
+ },
+ "validate": -1
+ },
+ "lifo": true,
+ "max": {
+ "total": 8
+ },
+ "prepared_statements": false,
+ "test_on_borrow": true,
+ "test_on_create": false
+ }
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "event": {
+ "category": [
+ "web"
+ ],
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/connection_pool/_dev/test/system/test-default-config.yml b/packages/apache_tomcat/data_stream/connection_pool/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..74e3dda05e3
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/_dev/test/system/test-default-config.yml
@@ -0,0 +1,5 @@
+vars:
+ hosts:
+ - http://{{Hostname}}:{{Port}}/metrics
+input: prometheus/metrics
+service: apache_tomcat
diff --git a/packages/apache_tomcat/data_stream/connection_pool/agent/stream/stream.yml.hbs b/packages/apache_tomcat/data_stream/connection_pool/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..7e205c7f24f
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/agent/stream/stream.yml.hbs
@@ -0,0 +1,25 @@
+metricsets: ["collector"]
+hosts:
+{{#each hosts}}
+ - {{this}}
+{{/each}}
+metrics_filters:
+ include: ["Catalina_DataSource_*"]
+period: {{period}}
+{{#if username}}
+username: "{{username}}"
+{{/if}}
+{{#if password}}
+password: "{{password}}"
+{{/if}}
+{{#if ssl}}
+{{ssl}}
+{{/if}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/apache_tomcat/data_stream/connection_pool/elasticsearch/ingest_pipeline/default.yml b/packages/apache_tomcat/data_stream/connection_pool/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..1db13f68794
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,267 @@
+---
+description: Pipeline for processing Connection Pool metrics.
+processors:
+ - set:
+ field: ecs.version
+ value: 8.7.0
+ - set:
+ field: event.kind
+ value: metric
+ - set:
+ field: event.module
+ value: apache_tomcat
+ - set:
+ field: event.type
+ value: [info]
+ - set:
+ field: event.category
+ value: [web]
+ - rename:
+ field: prometheus.labels.context
+ target_field: apache_tomcat.connection_pool.application_name
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.connection_pool.access_to_underlying_connection_allowed
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_accessToUnderlyingConnectionAllowed == 1
+ - set:
+ field: apache_tomcat.connection_pool.access_to_underlying_connection_allowed
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_accessToUnderlyingConnectionAllowed == 0
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_cacheState
+ target_field: apache_tomcat.connection_pool.cache.state
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.connection_pool.connection.remove_abandoned_on_borrow
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_removeAbandonedOnBorrow == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.remove_abandoned_on_borrow
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_removeAbandonedOnBorrow == 0
+ - set:
+ field: apache_tomcat.connection_pool.connection.abandoned_usage_tracking
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_abandonedUsageTracking == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.abandoned_usage_tracking
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_abandonedUsageTracking == 0
+ - set:
+ field: apache_tomcat.connection_pool.connection.autocommit_on_return
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_autoCommitOnReturn == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.autocommit_on_return
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_autoCommitOnReturn == 0
+ - set:
+ field: apache_tomcat.connection_pool.connection.closed
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_closed == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.closed
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_closed == 0
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_numActive
+ target_field: apache_tomcat.connection_pool.connection.active.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_defaultTransactionIsolation
+ target_field: apache_tomcat.connection_pool.connection.default_transaction_isolation
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.connection_pool.connection.enable_autocommit_on_return
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_enableAutoCommitOnReturn == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.enable_autocommit_on_return
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_enableAutoCommitOnReturn == 0
+ - set:
+ field: apache_tomcat.connection_pool.connection.fast_fail_validation
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_fastFailValidation == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.fast_fail_validation
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_fastFailValidation == 0
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_numIdle
+ target_field: apache_tomcat.connection_pool.connection.idle.count
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.connection_pool.connection.idle.exists
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_logAbandoned == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.idle.exists
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_logAbandoned == 0
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_maxOpenPreparedStatements
+ target_field: apache_tomcat.connection_pool.connection.idle.max.size
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_maxIdle
+ target_field: apache_tomcat.connection_pool.connection.idle.max.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_minIdle
+ target_field: apache_tomcat.connection_pool.connection.idle.min.size
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_softMinEvictableIdleTimeMillis
+ target_field: apache_tomcat.connection_pool.connection.idle.min.time.ms
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_numTestsPerEvictionRun
+ target_field: apache_tomcat.connection_pool.connection.idle.max.time.ms
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_initialSize
+ target_field: apache_tomcat.connection_pool.connection.initial_size.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_maxConnLifetimeMillis
+ target_field: apache_tomcat.connection_pool.connection.lifetime.max.ms
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_maxWaitMillis
+ target_field: apache_tomcat.connection_pool.connection.database.time.max.ms
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.connection_pool.connection.log_expired
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_logExpiredConnections == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.log_expired
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_logExpiredConnections == 0
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_minEvictableIdleTimeMillis
+ target_field: apache_tomcat.connection_pool.connection.min_evictable_idle.time
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.connection_pool.connection.remove_abandoned_on_maintenance
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_removeAbandonedOnMaintenance == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.remove_abandoned_on_maintenance
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_removeAbandonedOnMaintenance == 0
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_removeAbandonedTimeout
+ target_field: apache_tomcat.connection_pool.connection.remove_abandoned_timeout
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.connection_pool.connection.rollback_on_return
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_rollbackOnReturn == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.rollback_on_return
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_rollbackOnReturn == 0
+ - set:
+ field: apache_tomcat.connection_pool.connection.test_on_return
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_testOnReturn == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.test_on_return
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_testOnReturn == 0
+ - set:
+ field: apache_tomcat.connection_pool.connection.test_while_idle
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_testWhileIdle == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.test_while_idle
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_testWhileIdle == 0
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_timeBetweenEvictionRunsMillis
+ target_field: apache_tomcat.connection_pool.connection.time_betwen_eviction_run.time.ms
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_validationQueryTimeout
+ target_field: apache_tomcat.connection_pool.connection.validate
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.connection_pool.connection.clear_statement_pool_on_return
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_clearStatementPoolOnReturn == 1
+ - set:
+ field: apache_tomcat.connection_pool.connection.clear_statement_pool_on_return
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_clearStatementPoolOnReturn == 0
+ - set:
+ field: apache_tomcat.connection_pool.lifo
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_lifo == 1
+ - set:
+ field: apache_tomcat.connection_pool.lifo
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_lifo == 0
+ - rename:
+ field: prometheus.metrics.Catalina_DataSource_maxTotal
+ target_field: apache_tomcat.connection_pool.max.total
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.connection_pool.prepared_statements
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_poolPreparedStatements == 1
+ - set:
+ field: apache_tomcat.connection_pool.prepared_statements
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_poolPreparedStatements == 0
+ - set:
+ field: apache_tomcat.connection_pool.test_on_borrow
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_testOnBorrow == 1
+ - set:
+ field: apache_tomcat.connection_pool.test_on_borrow
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_testOnBorrow == 0
+ - set:
+ field: apache_tomcat.connection_pool.test_on_create
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_testOnCreate == 1
+ - set:
+ field: apache_tomcat.connection_pool.test_on_create
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_DataSource_testOnCreate == 0
+ - remove:
+ field:
+ - prometheus
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - set:
+ field: event.kind
+ value: pipeline_error
+ if: ctx.error?.message != null
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
\ No newline at end of file
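Review bot: Several renames in this hunk map a metric onto a field whose name and unit do not describe it: `Catalina_DataSource_numTestsPerEvictionRun` (a count) becomes `apache_tomcat.connection_pool.connection.idle.max.time.ms`, `Catalina_DataSource_maxOpenPreparedStatements` becomes `connection.idle.max.size`, `Catalina_DataSource_logAbandoned` (a flag) becomes `connection.idle.exists`, and `Catalina_DataSource_validationQueryTimeout` becomes `connection.validate`; the sibling `test-conection-pool-metrics.json-expected.json` hunk confirms the count 3 landing in an `ms` field. Field names in an integration become the indexed schema and are costly to rename later, so the missing `.ms` suffix on `connection.min_evictable_idle.time` and the spelling of `connection.time_betwen_eviction_run` near the end of the hunk should also be fixed before the data stream ships. I'd name each target after the JMX attribute it came from, e.g. `target_field: apache_tomcat.connection_pool.connection.eviction.tests_per_run.count` for `numTestsPerEvictionRun` and `connection.log_abandoned` for the `logAbandoned` boolean pair, and carry the same names into fields.yml (its hunk runs past the end of this chunk).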
diff --git a/packages/apache_tomcat/data_stream/connection_pool/fields/base-fields.yml b/packages/apache_tomcat/data_stream/connection_pool/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/apache_tomcat/data_stream/connection_pool/fields/ecs.yml b/packages/apache_tomcat/data_stream/connection_pool/fields/ecs.yml
new file mode 100644
index 00000000000..034a05db03d
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/fields/ecs.yml
@@ -0,0 +1,39 @@
+- external: ecs
+ name: agent.id
+ dimension: true
+- external: ecs
+ name: cloud.account.id
+ dimension: true
+- external: ecs
+ name: cloud.availability_zone
+ dimension: true
+- external: ecs
+ name: cloud.instance.id
+ dimension: true
+- external: ecs
+ name: cloud.provider
+ dimension: true
+- external: ecs
+ name: cloud.region
+ dimension: true
+- external: ecs
+ name: container.id
+ dimension: true
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: host.name
+ dimension: true
+- external: ecs
+ name: service.address
+ dimension: true
diff --git a/packages/apache_tomcat/data_stream/connection_pool/fields/fields.yml b/packages/apache_tomcat/data_stream/connection_pool/fields/fields.yml
new file mode 100644
index 00000000000..525e3596bce
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/fields/fields.yml
@@ -0,0 +1,192 @@
+- name: apache_tomcat
+ type: group
+ fields:
+ - name: connection_pool
+ type: group
+ fields:
+ - name: application_name
+ type: keyword
+ # Reason to add as a dimension field: There can be many different applications in Apache Tomcat instance.
+ dimension: true
+ description: Name of the Apache Tomcat application.
+ - name: access_to_underlying_connection_allowed
+ type: boolean
+ description: Returns the state of connections that will be established when the connection pool is started.
+ - name: cache
+ type: group
+ fields:
+ - name: state
+ type: double
+ description: Cache state of connection pool.
+ metric_type: gauge
+ - name: connection
+ type: group
+ fields:
+ - name: abandoned_usage_tracking
+ type: boolean
+ description: Indicates if full stack traces are required when logAbandoned is true.
+ - name: active
+ type: group
+ fields:
+ - name: count
+ type: double
+ description: Number of active connection in pool.
+ metric_type: gauge
+ - name: autocommit_on_return
+ type: boolean
+ description: Connections being returned to the pool.
+ - name: clear_statement_pool_on_return
+ type: boolean
+ description: Keeps track of statements associated with a connection.
+ - name: closed
+ type: boolean
+ description: Random Connection Closed Exceptions.
+ - name: database
+ type: group
+ fields:
+ - name: time
+ type: group
+ fields:
+ - name: max
+ type: group
+ fields:
+ - name: ms
+ type: double
+ description: Maximum time to wait for a database connection to become available in ms.
+ unit: ms
+ metric_type: gauge
+ - name: default_transaction_isolation
+ type: double
+ description: TransactionIsolation state of connections created by this pool
+ metric_type: gauge
+ - name: enable_autocommit_on_return
+ type: boolean
+ description: Connections being returned to the pool will be checked and configured with Connection.
+ - name: fast_fail_validation
+ type: boolean
+ description: Timeout before a connection validation queries fail.
+ - name: idle
+ type: group
+ fields:
+ - name: count
+ type: double
+ description: Idle number of connection pool.
+ metric_type: gauge
+ - name: exists
+ type: boolean
+ description: logAbandoned to figure out the connection is idle.
+ - name: max
+ type: group
+ fields:
+ - name: count
+ type: double
+ description: Maximum idle connections.
+ metric_type: gauge
+ - name: size
+ type: double
+ description: Returns the maximum number of connections that can remain idle in the pool.
+ metric_type: gauge
+ - name: time
+ type: group
+ fields:
+ - name: ms
+ type: double
+ description: It represents the maximum number of objects that the pool will examine during each run of the idle object evictor thread.
+ unit: ms
+ metric_type: gauge
+ - name: min
+ type: group
+ fields:
+ - name: size
+ type: double
+ description: The minimum number of established connections that should be kept in the pool at all times.
+ metric_type: gauge
+ - name: time
+ type: group
+ fields:
+ - name: ms
+ type: double
+ description: An attribute of the Tomcat DataSource object that sets the minimum time an object may sit idle in the pool before it is eligable for eviction by the idle object evictor.
+ unit: ms
+ metric_type: gauge
+ - name: initial_size
+ type: group
+ fields:
+ - name: count
+ type: double
+ description: The initial number of connections that are created when the pool is started.
+ metric_type: gauge
+ - name: lifetime
+ type: group
+ fields:
+ - name: max
+ type: group
+ fields:
+ - name: ms
+ type: double
+ description: The maximum lifetime in milliseconds of a connection.
+ unit: ms
+ metric_type: gauge
+ - name: log_expired
+ type: boolean
+ description: Log expired connection in pool.
+ - name: min_evictable_idle
+ type: group
+ fields:
+ - name: time
+ type: double
+ description: The minimum amount of time an object may sit idle in the pool before it is eligible for eviction.
+ metric_type: gauge
+ - name: remove_abandoned_on_borrow
+ type: boolean
+ description: Remove abandoned connections from the pool when a connection is borrowed.
+ - name: remove_abandoned_on_maintenance
+ type: boolean
+ description: The commons dbcp parameters which are unique from the Tomcat JDBC connection pool parameters are not being accepted.
+ - name: remove_abandoned_timeout
+ type: double
+ description: Timeout in seconds before an abandoned (in use) connection can be removed.
+ metric_type: gauge
+ - name: rollback_on_return
+ type: boolean
+ description: The pool can terminate the transaction by calling rollback on the connection.
+ - name: test_on_return
+ type: boolean
+ description: The indication of whether objects will be validated before being returned to the pool.
+ - name: test_while_idle
+ type: boolean
+ description: Introspected attribute testWhileIdle.
+ - name: time_betwen_eviction_run
+ type: group
+ fields:
+ - name: time
+ type: group
+ fields:
+ - name: ms
+ type: double
+ description: The number of milliseconds to sleep between runs of the idle connection validation/cleaner thread.
+ unit: ms
+ metric_type: gauge
+ - name: validate
+ type: double
+ description: Validate connections from this pool.
+ metric_type: gauge
+ - name: lifo
+ type: boolean
+ description: Last In First Out connections.
+ - name: max
+ type: group
+ fields:
+ - name: total
+ type: double
+ description: Maximum total of connection pool.
+ metric_type: gauge
+ - name: prepared_statements
+ type: boolean
+ description: Validate connections from this pool.
+ - name: test_on_borrow
+ type: boolean
+ description: The indication of whether objects will be validated before being borrowed from the pool.
+ - name: test_on_create
+ type: boolean
+ description: Property determines whether or not the pool will validate objects immediately after they are created by the pool.
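Review bot: Several descriptions do not describe the field they annotate: `prepared_statements` and `validate` both carry `Validate connections from this pool.`, `closed` reads `Random Connection Closed Exceptions.`, and `remove_abandoned_on_maintenance` describes a parameter-acceptance problem rather than the setting. These strings surface as field documentation in Kibana, so each should state what the boolean or metric actually reports (for `prepared_statements`, presumably whether prepared-statement pooling is enabled — to be confirmed against the Tomcat DataSource attribute it is renamed from). `remove_abandoned_timeout` is documented as seconds but has no `unit: s`, unlike the `ms` fields around it. The group name `time_betwen_eviction_run` is misspelled; the sample event in this commit uses the same spelling and the pipeline presumably does too, so correcting it to `time_between_eviction_run` needs a coordinated change in all three places, which is far cheaper before the first release of the field than after.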
diff --git a/packages/apache_tomcat/data_stream/connection_pool/manifest.yml b/packages/apache_tomcat/data_stream/connection_pool/manifest.yml
new file mode 100644
index 00000000000..74604d6d307
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/manifest.yml
@@ -0,0 +1,32 @@
+type: metrics
+title: Apache Tomcat Connection Pool metrics
+streams:
+ - input: prometheus/metrics
+ vars:
+ - name: period
+ type: text
+ required: true
+ title: Period
+ default: 10s
+ show_user: true
+ description: Period of fetching metrics, i.e. 1s/1m/1h.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - apache_tomcat-connection_pool
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
+ template_path: stream.yml.hbs
+ title: Apache Tomcat Connection Pool metrics
+ description: Collect Apache Tomcat Connection Pool metrics.
+elasticsearch:
+ index_mode: "time_series"
diff --git a/packages/apache_tomcat/data_stream/connection_pool/sample_event.json b/packages/apache_tomcat/data_stream/connection_pool/sample_event.json
new file mode 100644
index 00000000000..871bcc4e8b2
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/connection_pool/sample_event.json
@@ -0,0 +1,146 @@
+{
+ "@timestamp": "2023-07-06T06:16:33.972Z",
+ "agent": {
+ "ephemeral_id": "f5813425-689c-4d7c-97d5-b549c3948d9d",
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "name": "docker-fleet-agent",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "apache_tomcat": {
+ "connection_pool": {
+ "access_to_underlying_connection_allowed": false,
+ "application_name": "/",
+ "cache": {
+ "state": 1
+ },
+ "connection": {
+ "abandoned_usage_tracking": false,
+ "active": {
+ "count": 0
+ },
+ "autocommit_on_return": true,
+ "clear_statement_pool_on_return": false,
+ "closed": false,
+ "database": {
+ "time": {
+ "max": {
+ "ms": -1
+ }
+ }
+ },
+ "default_transaction_isolation": -1,
+ "enable_autocommit_on_return": true,
+ "fast_fail_validation": false,
+ "idle": {
+ "count": 0,
+ "exists": false,
+ "max": {
+ "count": 20,
+ "size": -1,
+ "time": {
+ "ms": 3
+ }
+ },
+ "min": {
+ "size": 5,
+ "time": {
+ "ms": -1
+ }
+ }
+ },
+ "initial_size": {
+ "count": 0
+ },
+ "lifetime": {
+ "max": {
+ "ms": -1
+ }
+ },
+ "log_expired": true,
+ "min_evictable_idle": {
+ "time": 1800000
+ },
+ "remove_abandoned_on_borrow": false,
+ "remove_abandoned_on_maintenance": false,
+ "remove_abandoned_timeout": 300,
+ "rollback_on_return": true,
+ "test_on_return": false,
+ "test_while_idle": false,
+ "time_betwen_eviction_run": {
+ "time": {
+ "ms": -1
+ }
+ },
+ "validate": -1
+ },
+ "lifo": true,
+ "max": {
+ "total": 8
+ },
+ "prepared_statements": false,
+ "test_on_borrow": true,
+ "test_on_create": false
+ }
+ },
+ "data_stream": {
+ "dataset": "apache_tomcat.connection_pool",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "elastic_agent": {
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "snapshot": false,
+ "version": "8.8.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "dataset": "apache_tomcat.connection_pool",
+ "duration": 252065272,
+ "ingested": "2023-07-06T06:16:37Z",
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "e8978f2086c14e13b7a0af9ed0011d19",
+ "ip": [
+ "172.27.0.7"
+ ],
+ "mac": [
+ "02-42-AC-1B-00-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.90.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
+ "type": "prometheus"
+ },
+ "tags": [
+ "apache_tomcat-connection_pool"
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/localhost/elasticsearch/ingest_pipeline/default.yml b/packages/apache_tomcat/data_stream/localhost/elasticsearch/ingest_pipeline/default.yml
index fff7b1e9b1b..7fd6e1afdeb 100644
--- a/packages/apache_tomcat/data_stream/localhost/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/apache_tomcat/data_stream/localhost/elasticsearch/ingest_pipeline/default.yml
@@ -20,6 +20,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- grok:
field: event.original
tag: 'grok_parse_log'
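Review bot: With the added `if: 'ctx.event?.original == null'`, a document that already carries `event.original` keeps its `message` field, because the rename is now skipped rather than complemented by a remove. If no later processor drops `message`, such a document stores the raw line twice; a guarded `- remove:` with `field: message`, `ignore_missing: true` and `if: 'ctx.event?.original != null'` next to this rename would avoid that. The enclosing `rename` processor and the remainder of the processor list lie outside the hunk, so whether `message` is handled later cannot be confirmed here.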
diff --git a/packages/apache_tomcat/data_stream/localhost/manifest.yml b/packages/apache_tomcat/data_stream/localhost/manifest.yml
index 8e90707cb27..de5054f0e36 100644
--- a/packages/apache_tomcat/data_stream/localhost/manifest.yml
+++ b/packages/apache_tomcat/data_stream/localhost/manifest.yml
@@ -44,7 +44,7 @@ streams:
multi: false
required: false
show_user: false
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
template_path: filestream.yml.hbs
title: Apache Tomcat Localhost logs
description: Collect Apache Tomcat Localhost logs.
diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-common-config.yml b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..c39dc386179
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,2 @@
+dynamic_fields:
+ event.ingested: ".*"
diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json
new file mode 100644
index 00000000000..e9d7c55be77
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json
@@ -0,0 +1,19 @@
+{
+ "events": [
+ {
+ "prometheus": {
+ "labels": {
+ "host": "localhost",
+ "name": "GarbageCollector",
+ "instance": "127.0.0.1:9090",
+ "job": "prometheus"
+ },
+ "metrics": {
+ "java_lang_G1_Old_Generation_CollectionCount": 0,
+ "java_lang_G1_Old_Generation_Valid": 1,
+ "java_lang_G1_Old_Generation_CollectionTime": 0
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json-expected.json b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json-expected.json
new file mode 100644
index 00000000000..1f5b0cab2b2
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json-expected.json
@@ -0,0 +1,33 @@
+{
+ "expected": [
+ {
+ "apache_tomcat": {
+ "memory": {
+ "doc_type": "gc",
+ "gc": {
+ "collection": {
+ "count": 0,
+ "time": {
+ "ms": 0
+ }
+ },
+ "valid": 1
+ }
+ }
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "event": {
+ "category": [
+ "web"
+ ],
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json
new file mode 100644
index 00000000000..6a747d2efe5
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json
@@ -0,0 +1,26 @@
+{
+ "events": [
+ {
+ "prometheus": {
+ "labels": {
+ "host": "localhost",
+ "name": "Memory",
+ "instance": "127.0.0.1:9090",
+ "job": "prometheus"
+ },
+ "metrics": {
+ "java_lang_Memory_ObjectPendingFinalizationCount": 0,
+ "java_lang_Memory_HeapMemoryUsage_used": 4.5216344e+07,
+ "java_lang_Memory_NonHeapMemoryUsage_used": 3.6318104e+07,
+ "java_lang_Memory_Verbose": 1,
+ "java_lang_Memory_NonHeapMemoryUsage_init": 7.667712e+06,
+ "java_lang_Memory_HeapMemoryUsage_committed": 5.38968064e+08,
+ "java_lang_Memory_NonHeapMemoryUsage_max": -1,
+ "java_lang_Memory_HeapMemoryUsage_max": 1.073741824e+09,
+ "java_lang_Memory_HeapMemoryUsage_init": 5.36870912e+08,
+ "java_lang_Memory_NonHeapMemoryUsage_committed": 3.9518208e+07
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json-expected.json b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json-expected.json
new file mode 100644
index 00000000000..4659bd299ce
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json-expected.json
@@ -0,0 +1,56 @@
+{
+ "expected": [
+ {
+ "apache_tomcat": {
+ "memory": {
+ "doc_type": "memory",
+ "heap": {
+ "committed": {
+ "bytes": 5.38968064E8
+ },
+ "init": {
+ "bytes": 5.36870912E8
+ },
+ "max": {
+ "bytes": 1.073741824E9
+ },
+ "used": {
+ "bytes": 4.5216344E7
+ }
+ },
+ "non_heap": {
+ "committed": {
+ "bytes": 3.9518208E7
+ },
+ "init": {
+ "bytes": 7667712.0
+ },
+ "max": {
+ "bytes": -1
+ },
+ "used": {
+ "bytes": 3.6318104E7
+ }
+ },
+ "object_pending_finalization": {
+ "count": 0
+ },
+ "verbose": true
+ }
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "event": {
+ "category": [
+ "web"
+ ],
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/system/test-default-config.yml b/packages/apache_tomcat/data_stream/memory/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..a6a09ba07de
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/_dev/test/system/test-default-config.yml
@@ -0,0 +1,4 @@
+vars:
+ hosts:
+ - http://{{Hostname}}:{{Port}}/metrics
+input: prometheus/metrics
diff --git a/packages/apache_tomcat/data_stream/memory/agent/stream/stream.yml.hbs b/packages/apache_tomcat/data_stream/memory/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..5b18650f441
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/agent/stream/stream.yml.hbs
@@ -0,0 +1,25 @@
+metricsets: ["collector"]
+hosts:
+{{#each hosts}}
+ - {{this}}
+{{/each}}
+metrics_filters:
+ include: ["java_lang_Memory_*","java_lang_G1_Old_Generation_*"]
+period: {{period}}
+{{#if username}}
+username: "{{username}}"
+{{/if}}
+{{#if password}}
+password: "{{password}}"
+{{/if}}
+{{#if ssl}}
+{{ssl}}
+{{/if}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
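Review bot: `metrics_filters.include` admits only `java_lang_G1_Old_Generation_*` for garbage-collection metrics, so a Tomcat JVM running any other collector (Parallel, Serial, ZGC, or G1's young-generation collector, whose bean presumably exports under a different `java_lang_*` name) yields no `gc` documents at all and no indication of why. Either the include list should cover the other collector names the exporter emits, or the data stream description should say that only G1 old-generation collections are reported. Separately, `password: "{{password}}"` renders the secret unescaped inside a double-quoted YAML scalar, so a value containing `"` or `\` produces an unparsable policy; the other streams in this package appear to use the same pattern, so this may be an accepted limitation rather than something to fix here.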
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/memory/elasticsearch/ingest_pipeline/default.yml b/packages/apache_tomcat/data_stream/memory/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..b7c859d90a9
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,111 @@
+---
+description: Pipeline for processing Apache Tomcat Memory metrics.
+processors:
+ - set:
+ field: ecs.version
+ value: 8.7.0
+ - set:
+ field: event.kind
+ value: metric
+ - set:
+ field: event.module
+ value: apache_tomcat
+ - set:
+ field: event.type
+ value: [info]
+ - set:
+ field: event.category
+ value: [web]
+ - set:
+ field: apache_tomcat.memory.verbose
+ value: true
+ if: ctx.prometheus?.metrics?.java_lang_Memory_Verbose == 1
+ - set:
+ field: apache_tomcat.memory.verbose
+ value: false
+ if: ctx.prometheus?.metrics?.java_lang_Memory_Verbose == 0
+ - rename:
+ field: prometheus.metrics.java_lang_Memory_HeapMemoryUsage_max
+ target_field: apache_tomcat.memory.heap.max.bytes
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Memory_HeapMemoryUsage_init
+ target_field: apache_tomcat.memory.heap.init.bytes
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Memory_HeapMemoryUsage_used
+ target_field: apache_tomcat.memory.heap.used.bytes
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Memory_HeapMemoryUsage_committed
+ target_field: apache_tomcat.memory.heap.committed.bytes
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Memory_NonHeapMemoryUsage_max
+ target_field: apache_tomcat.memory.non_heap.max.bytes
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Memory_NonHeapMemoryUsage_init
+ target_field: apache_tomcat.memory.non_heap.init.bytes
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Memory_NonHeapMemoryUsage_used
+ target_field: apache_tomcat.memory.non_heap.used.bytes
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Memory_NonHeapMemoryUsage_committed
+ target_field: apache_tomcat.memory.non_heap.committed.bytes
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Memory_ObjectPendingFinalizationCount
+ target_field: apache_tomcat.memory.object_pending_finalization.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_G1_Old_Generation_CollectionCount
+ target_field: apache_tomcat.memory.gc.collection.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_G1_Old_Generation_CollectionTime
+ target_field: apache_tomcat.memory.gc.collection.time.ms
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_G1_Old_Generation_Valid
+ target_field: apache_tomcat.memory.gc.valid
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.memory.doc_type
+ value: memory
+ if: ctx.apache_tomcat?.memory?.heap != null || ctx.apache_tomcat?.memory?.non_heap != null
+ - set:
+ field: apache_tomcat.memory.doc_type
+ value: gc
+ if: ctx.apache_tomcat?.memory?.gc != null
+ - remove:
+ field:
+ - prometheus
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
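Review bot: The `doc_type` condition `if: ctx.apache_tomcat?.memory?.heap != null || ctx.apache_tomcat?.memory?.non_heap != null` does not cover `object_pending_finalization`, which is renamed independently a few processors above, so a scrape document carrying only `java_lang_Memory_ObjectPendingFinalizationCount` is indexed without `doc_type` even though fields.yml in this commit declares that field a dimension; appending `|| ctx.apache_tomcat?.memory?.object_pending_finalization != null` closes the gap. The two `set` processors for `doc_type` also overwrite rather than guard each other, so a document containing both memory and gc metrics ends up tagged `gc` while still carrying the heap fields; the pipeline fixtures only exercise the two shapes separately, so whether mixed documents occur in practice is not visible here. `java_lang_G1_Old_Generation_Valid` is kept as a number while `java_lang_Memory_Verbose` is converted with a 0/1 `set` pair into a boolean; treating `valid` the same way would keep the two JMX flags consistent. Finally, the sibling connection_pool pipeline sets `event.kind: pipeline_error` when `error.message` is already present on entry, and this pipeline omits that step.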
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/memory/fields/base-fields.yml b/packages/apache_tomcat/data_stream/memory/fields/base-fields.yml
new file mode 100644
index 00000000000..909e7ff859a
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/fields/base-fields.yml
@@ -0,0 +1,15 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: tags
+ type: keyword
+ description: List of keywords used to tag each event.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/apache_tomcat/data_stream/memory/fields/ecs.yml b/packages/apache_tomcat/data_stream/memory/fields/ecs.yml
new file mode 100644
index 00000000000..034a05db03d
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/fields/ecs.yml
@@ -0,0 +1,39 @@
+- external: ecs
+ name: agent.id
+ dimension: true
+- external: ecs
+ name: cloud.account.id
+ dimension: true
+- external: ecs
+ name: cloud.availability_zone
+ dimension: true
+- external: ecs
+ name: cloud.instance.id
+ dimension: true
+- external: ecs
+ name: cloud.provider
+ dimension: true
+- external: ecs
+ name: cloud.region
+ dimension: true
+- external: ecs
+ name: container.id
+ dimension: true
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: host.name
+ dimension: true
+- external: ecs
+ name: service.address
+ dimension: true
diff --git a/packages/apache_tomcat/data_stream/memory/fields/fields.yml b/packages/apache_tomcat/data_stream/memory/fields/fields.yml
new file mode 100644
index 00000000000..34c24ebf69f
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/fields/fields.yml
@@ -0,0 +1,82 @@
+- name: apache_tomcat
+ type: group
+ fields:
+ - name: memory
+ type: group
+ fields:
+ - name: doc_type
+ type: keyword
+ description: Document type of the event. This should be either "memory" or "gc".
+ dimension: true
+ - name: gc
+ type: group
+ fields:
+ - name: collection
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: The cumulative number of invoked garbage collections since the start of the server.
+ metric_type: counter
+ - name: time.ms
+ type: long
+ description: The time (in milliseconds) taken by garbage collection during the collection interval.
+ metric_type: gauge
+ unit: ms
+ - name: valid
+ type: long
+ description: The garbage collection process in G1 is considered valid even if the old GC JMX counter remains at 0 while old space is gradually reclaimed by the young collections.
+ metric_type: gauge
+ - name: heap
+ type: group
+ fields:
+ - name: committed.bytes
+ type: double
+ description: Committed heap memory usage.
+ metric_type: gauge
+ unit: byte
+ - name: init.bytes
+ type: double
+ description: Initial heap memory usage.
+ metric_type: gauge
+ unit: byte
+ - name: max.bytes
+ type: double
+ description: Max heap memory usage. When the value for the maximum memory size (in bytes) is set to -1 for heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation.
+ metric_type: gauge
+ unit: byte
+ - name: used.bytes
+ type: double
+ description: Used heap memory usage.
+ metric_type: gauge
+ unit: byte
+ - name: non_heap
+ type: group
+ fields:
+ - name: committed.bytes
+ type: double
+ description: Committed non-heap memory usage.
+ metric_type: gauge
+ unit: byte
+ - name: init.bytes
+ type: double
+ description: Initial non-heap memory usage.
+ metric_type: gauge
+ unit: byte
+ - name: max.bytes
+ type: double
+ description: Max non-heap memory usage. When the value for the maximum memory size (in bytes) is set to -1 for non-heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation.
+ metric_type: gauge
+ unit: byte
+ - name: used.bytes
+ type: double
+ description: Used non-heap memory usage.
+ metric_type: gauge
+ unit: byte
+ - name: object_pending_finalization.count
+ type: double
+ description: Count of object pending finalization.
+ metric_type: gauge
+ - name: verbose
+ type: boolean
+ description: When set to true, will cause the memory manager to print messages to the console whenever it performs certain memory-related operations.(1.0-true, 0.0-false).
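Review bot: `gc.collection.time.ms` is declared `metric_type: gauge` and described as time taken "during the collection interval", while its sibling `gc.collection.count` is a `counter` described as cumulative; the JMX `CollectionTime` attribute it is renamed from is, to my knowledge, also accumulated since JVM start, so `metric_type: counter` with a matching description looks right — worth confirming against the exporter output before release. `gc.valid` is typed `long` but its description reads as a true/false state, which is inconsistent with `verbose`, the other JMX flag in this file, which is mapped as `boolean`. The `verbose` description still ends with `(1.0-true, 0.0-false)`, which describes the raw Prometheus value rather than the boolean the pipeline actually stores.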
diff --git a/packages/apache_tomcat/data_stream/memory/manifest.yml b/packages/apache_tomcat/data_stream/memory/manifest.yml
new file mode 100644
index 00000000000..87264ba4170
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/manifest.yml
@@ -0,0 +1,32 @@
+type: metrics
+title: Apache Tomcat Memory metrics
+streams:
+ - input: prometheus/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ required: true
+ default: 10s
+ show_user: true
+ description: Period of fetching metrics, i.e. 1s/1m/1h.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - apache_tomcat-memory
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
+ template_path: stream.yml.hbs
+ title: Apache Tomcat Memory metrics
+ description: Collect Apache Tomcat Memory and Garbage collection metrics.
+elasticsearch:
+ index_mode: "time_series"
diff --git a/packages/apache_tomcat/data_stream/memory/sample_event.json b/packages/apache_tomcat/data_stream/memory/sample_event.json
new file mode 100644
index 00000000000..4666ae700a0
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/sample_event.json
@@ -0,0 +1,107 @@
+{
+ "@timestamp": "2023-07-11T13:20:12.035Z",
+ "agent": {
+ "ephemeral_id": "d25b802e-38e7-44c1-82d3-ef14a3522214",
+ "id": "fe5945f5-4d47-4726-8da8-5f694a655519",
+ "name": "docker-fleet-agent",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "apache_tomcat": {
+ "memory": {
+ "doc_type": "memory",
+ "heap": {
+ "committed": {
+ "bytes": 77594624
+ },
+ "init": {
+ "bytes": 195035136
+ },
+ "max": {
+ "bytes": 3103784960
+ },
+ "used": {
+ "bytes": 35204712
+ }
+ },
+ "non_heap": {
+ "committed": {
+ "bytes": 44695552
+ },
+ "init": {
+ "bytes": 7667712
+ },
+ "max": {
+ "bytes": -1
+ },
+ "used": {
+ "bytes": 42286456
+ }
+ },
+ "object_pending_finalization": {
+ "count": 0
+ },
+ "verbose": false
+ }
+ },
+ "data_stream": {
+ "dataset": "apache_tomcat.memory",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "elastic_agent": {
+ "id": "fe5945f5-4d47-4726-8da8-5f694a655519",
+ "snapshot": false,
+ "version": "8.8.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "dataset": "apache_tomcat.memory",
+ "duration": 281008420,
+ "ingested": "2023-07-11T13:20:15Z",
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "e8978f2086c14e13b7a0af9ed0011d19",
+ "ip": [
+ "192.168.64.7"
+ ],
+ "mac": [
+ "02-42-C0-A8-40-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.90.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
+ "type": "prometheus"
+ },
+ "tags": [
+ "apache_tomcat-memory"
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/request/agent/stream/stream.yml.hbs b/packages/apache_tomcat/data_stream/request/agent/stream/stream.yml.hbs
index d4368ab82d5..73dd43d6f08 100644
--- a/packages/apache_tomcat/data_stream/request/agent/stream/stream.yml.hbs
+++ b/packages/apache_tomcat/data_stream/request/agent/stream/stream.yml.hbs
@@ -19,9 +19,6 @@ tags:
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
{{#if processors}}
processors:
{{processors}}
diff --git a/packages/apache_tomcat/data_stream/request/manifest.yml b/packages/apache_tomcat/data_stream/request/manifest.yml
index c42137de2f2..4c211e97bbb 100644
--- a/packages/apache_tomcat/data_stream/request/manifest.yml
+++ b/packages/apache_tomcat/data_stream/request/manifest.yml
@@ -17,7 +17,6 @@ streams:
required: true
show_user: false
default:
- - forwarded
- apache_tomcat-request
- name: processors
type: yaml
@@ -25,7 +24,7 @@ streams:
multi: false
required: false
show_user: false
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
template_path: stream.yml.hbs
title: Apache Tomcat Request metrics
description: Collect Apache Tomcat Request metrics.
diff --git a/packages/apache_tomcat/data_stream/request/sample_event.json b/packages/apache_tomcat/data_stream/request/sample_event.json
index ed8e5b55ed4..f37fd4ae1c4 100644
--- a/packages/apache_tomcat/data_stream/request/sample_event.json
+++ b/packages/apache_tomcat/data_stream/request/sample_event.json
@@ -84,7 +84,6 @@
"type": "prometheus"
},
"tags": [
- "forwarded",
"apache_tomcat-request"
]
}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/session/_dev/test/pipeline/test-common-config.yml b/packages/apache_tomcat/data_stream/session/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..c39dc386179
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,2 @@
+dynamic_fields:
+ event.ingested: ".*"
diff --git a/packages/apache_tomcat/data_stream/session/_dev/test/pipeline/test-session-metrics.json b/packages/apache_tomcat/data_stream/session/_dev/test/pipeline/test-session-metrics.json
new file mode 100644
index 00000000000..9cebb2c0fdc
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/_dev/test/pipeline/test-session-metrics.json
@@ -0,0 +1,31 @@
+{
+ "events": [
+ {
+ "prometheus": {
+ "labels": {
+ "host": "localhost",
+ "context": "/sample",
+ "instance": "localhost:9409",
+ "job": "prometheus"
+ },
+ "metrics": {
+ "Catalina_Manager_rejectedSessions": 1,
+ "Catalina_Manager_sessionCounter": 3,
+ "Catalina_Manager_sessionMaxAliveTime": 0,
+ "Catalina_Manager_activeSessions": 1,
+ "Catalina_Manager_expiredSessions": 1,
+ "Catalina_Manager_sessionCreateRate": 1,
+ "Catalina_Manager_processingTime": 2,
+ "Catalina_Manager_processExpiresFrequency": 6,
+ "Catalina_Manager_persistAuthentication": 1,
+ "Catalina_Manager_warnOnSessionAttributeFilterFailure": 1,
+ "Catalina_Manager_duplicates": 1,
+ "Catalina_Manager_sessionExpireRate": 1,
+ "Catalina_Manager_maxActive": 1,
+ "Catalina_Manager_maxActiveSessions": -1,
+ "Catalina_Manager_sessionAverageAliveTime": 1
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/session/_dev/test/pipeline/test-session-metrics.json-expected.json b/packages/apache_tomcat/data_stream/session/_dev/test/pipeline/test-session-metrics.json-expected.json
new file mode 100644
index 00000000000..c8803fc4aa6
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/_dev/test/pipeline/test-session-metrics.json-expected.json
@@ -0,0 +1,54 @@
+{
+ "expected": [
+ {
+ "apache_tomcat": {
+ "session": {
+ "active": {
+ "allowed": {
+ "max": -1
+ },
+ "max": 1,
+ "total": 1
+ },
+ "alive_time": {
+ "avg": 1,
+ "max": 0
+ },
+ "application_name": "/sample",
+ "create": {
+ "rate": 1,
+ "total": 3
+ },
+ "duplicate_ids": {
+ "count": 1
+ },
+ "expire": {
+ "rate": 1,
+ "total": 1
+ },
+ "persist_authentication": true,
+ "process_expires_frequency": {
+ "count": 6
+ },
+ "processing_time": 2,
+ "rejected": {
+ "count": 1
+ }
+ }
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "event": {
+ "category": [
+ "web"
+ ],
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/session/_dev/test/system/test-default-config.yml b/packages/apache_tomcat/data_stream/session/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..a6a09ba07de
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/_dev/test/system/test-default-config.yml
@@ -0,0 +1,4 @@
+vars:
+ hosts:
+ - http://{{Hostname}}:{{Port}}/metrics
+input: prometheus/metrics
diff --git a/packages/apache_tomcat/data_stream/session/agent/stream/stream.yml.hbs b/packages/apache_tomcat/data_stream/session/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..af01a5f4fa8
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/agent/stream/stream.yml.hbs
@@ -0,0 +1,25 @@
+metricsets: ["collector"]
+hosts:
+{{#each hosts}}
+ - {{this}}
+{{/each}}
+metrics_filters:
+ include: ["Catalina_Manager_*"]
+period: {{period}}
+{{#if username}}
+username: "{{username}}"
+{{/if}}
+{{#if password}}
+password: "{{password}}"
+{{/if}}
+{{#if ssl}}
+{{ssl}}
+{{/if}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
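Review bot: `password: "{{password}}"` interpolates the credential into a double-quoted YAML scalar with no escaping, so a password containing `"` or `\` produces a malformed, or silently altered, agent stream configuration; the same applies to the `username` line above it. I cannot tell from this page whether the template engine escapes here, so either confirm that or add a comment such as `{{!-- values are not YAML-escaped; quotes and backslashes in credentials break this block --}}` and validate the variable at the package level. The thread_pool template has the identical lines and additionally lacks a trailing newline, unlike this file.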
diff --git a/packages/apache_tomcat/data_stream/session/elasticsearch/ingest_pipeline/default.yml b/packages/apache_tomcat/data_stream/session/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..c1a19e9f318
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,111 @@
+---
+description: Pipeline for processing Apache Tomcat Session metrics.
+processors:
+ - set:
+ field: ecs.version
+ value: 8.7.0
+ - set:
+ field: event.kind
+ value: metric
+ - set:
+ field: event.module
+ value: apache_tomcat
+ - set:
+ field: event.type
+ value: [info]
+ - set:
+ field: event.category
+ value: [web]
+ - set:
+ field: apache_tomcat.session.persist_authentication
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_Manager_persistAuthentication == 1
+ - set:
+ field: apache_tomcat.session.persist_authentication
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_Manager_persistAuthentication == 0
+ - rename:
+ field: prometheus.labels.context
+ target_field: apache_tomcat.session.application_name
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_maxActiveSessions
+ target_field: apache_tomcat.session.active.allowed.max
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_maxActive
+ target_field: apache_tomcat.session.active.max
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_activeSessions
+ target_field: apache_tomcat.session.active.total
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_sessionAverageAliveTime
+ target_field: apache_tomcat.session.alive_time.avg
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_sessionMaxAliveTime
+ target_field: apache_tomcat.session.alive_time.max
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_sessionCreateRate
+ target_field: apache_tomcat.session.create.rate
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_sessionCounter
+ target_field: apache_tomcat.session.create.total
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_duplicates
+ target_field: apache_tomcat.session.duplicate_ids.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_sessionExpireRate
+ target_field: apache_tomcat.session.expire.rate
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_expiredSessions
+ target_field: apache_tomcat.session.expire.total
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_rejectedSessions
+ target_field: apache_tomcat.session.rejected.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_processExpiresFrequency
+ target_field: apache_tomcat.session.process_expires_frequency.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_Manager_processingTime
+ target_field: apache_tomcat.session.processing_time
+ ignore_missing: true
+ - remove:
+ field:
+ - prometheus
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
\ No newline at end of file
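Review bot: The two `persist_authentication` set processors depend on the metric being exactly `1` or `0`, but the only pipeline fixture for this data stream supplies `Catalina_Manager_persistAuthentication: 1`, so the `false` branch and the "neither value" case (field left absent, then dropped by the cleanup script) are not exercised by the pipeline tests. A second fixture event with the value `0` would pin the false branch; the sample event shows `persist_authentication: false` but that comes from the system test, not this pipeline test. A one-line comment above the first set processor, `# metric is exposed as 1/0; any other value leaves the field unset`, would document the assumption.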
diff --git a/packages/apache_tomcat/data_stream/session/fields/base-fields.yml b/packages/apache_tomcat/data_stream/session/fields/base-fields.yml
new file mode 100644
index 00000000000..909e7ff859a
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/fields/base-fields.yml
@@ -0,0 +1,15 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: tags
+ type: keyword
+ description: List of keywords used to tag each event.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/apache_tomcat/data_stream/session/fields/ecs.yml b/packages/apache_tomcat/data_stream/session/fields/ecs.yml
new file mode 100644
index 00000000000..55dcbb1de8a
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/fields/ecs.yml
@@ -0,0 +1,33 @@
+- external: ecs
+ name: agent.id
+ dimension: true
+- external: ecs
+ name: cloud.instance.id
+ dimension: true
+- external: ecs
+ name: cloud.project.id
+ dimension: true
+- external: ecs
+ name: cloud.provider
+ dimension: true
+- external: ecs
+ name: container.id
+ dimension: true
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: host.name
+ dimension: true
+- external: ecs
+ name: service.address
+ dimension: true
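Review bot: The dimension set declared here differs from the thread_pool ecs.yml in the same commit: this file marks `cloud.project.id` as a dimension, while thread_pool instead marks `cloud.account.id`, `cloud.availability_zone` and `cloud.region` and also declares `service.type`. Both data streams use `index_mode: time_series`, where documents sharing a timestamp and all dimension values are rejected as duplicates, so an incomplete dimension list can silently drop metrics from Tomcat instances that differ only in an undeclared field. I would align the two lists and add a comment naming which fields identify a distinct Tomcat instance; which of the two sets is the intended one is not visible from this page.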
diff --git a/packages/apache_tomcat/data_stream/session/fields/fields.yml b/packages/apache_tomcat/data_stream/session/fields/fields.yml
new file mode 100644
index 00000000000..ffe64ef659f
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/fields/fields.yml
@@ -0,0 +1,79 @@
+- name: apache_tomcat
+ type: group
+ fields:
+ - name: session
+ type: group
+ fields:
+ - name: active
+ type: group
+ fields:
+ - name: allowed.max
+ type: double
+ description: The maximum number of active sessions allowed, or -1 for no limit.
+ metric_type: gauge
+ - name: max
+ type: double
+ description: Maximum number of active sessions so far.
+ metric_type: counter
+ - name: total
+ type: double
+ description: Number of active sessions at this moment.
+ metric_type: gauge
+ - name: alive_time
+ type: group
+ fields:
+ - name: avg
+ type: double
+ description: Average time an expired session had been alive.
+ metric_type: gauge
+ - name: max
+ type: double
+ description: Longest time an expired session had been alive.
+ metric_type: counter
+ - name: application_name
+ type: keyword
+ description: Name of the Apache Tomcat application.
+ # Reason to add as a dimension field: Users can deploy many different Applications in Apache Tomcat instance.
+ dimension: true
+ - name: create
+ type: group
+ fields:
+ - name: rate
+ type: double
+ description: Session creation rate in sessions per minute.
+ metric_type: gauge
+ - name: total
+ type: double
+ description: Total number of sessions created by the manager.
+ metric_type: counter
+ - name: duplicate_ids.count
+ type: double
+ description: Number of duplicated session ids generated.
+ metric_type: gauge
+ - name: expire
+ type: group
+ fields:
+ - name: rate
+ type: double
+ description: Session expiration rate in sessions per minute.
+ metric_type: gauge
+ - name: total
+ type: double
+ description: Number of sessions that expired (doesn't include explicit invalidations).
+ metric_type: gauge
+ - name: persist_authentication
+ type: boolean
+ description: Indicates whether sessions shall persist authentication information when being persisted (e.g. across application restarts).
+ - name: process_expires_frequency.count
+ type: double
+ description: The frequency of the manager checks (expiration and passivation).
+ metric_type: gauge
+ - name: processing_time
+ type: double
+ description: Time spent doing housekeeping and expiration.
+ metric_type: gauge
+ unit: ms
+ - name: rejected.count
+ type: double
+ description: Number of sessions we rejected due to maxActive being reached.
+ metric_type: gauge
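Review bot: `expire.total` is declared `metric_type: gauge` while `create.total` is `metric_type: counter`, although its description ("Number of sessions that expired") reads as a cumulative count; `rejected.count` and `duplicate_ids.count` are likewise described as cumulative totals yet marked `gauge`. In a time-series data stream the metric type drives downsampling and rate aggregations, so a cumulative value typed as a gauge aggregates incorrectly. If these are cumulative, as the descriptions suggest, change them to `metric_type: counter`; if they are really point-in-time values, reword the descriptions so the gauge typing is evidently deliberate.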
diff --git a/packages/apache_tomcat/data_stream/session/manifest.yml b/packages/apache_tomcat/data_stream/session/manifest.yml
new file mode 100644
index 00000000000..bfe5b257a07
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/manifest.yml
@@ -0,0 +1,32 @@
+type: metrics
+title: Apache Tomcat Session metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: prometheus/metrics
+ vars:
+ - name: period
+ type: text
+ required: true
+ title: Period
+ default: 10s
+ show_user: true
+ description: Period of fetching metrics, i.e. 1s/1m/1h.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - apache_tomcat-session
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
+ template_path: stream.yml.hbs
+ title: Apache Tomcat Session metrics
+ description: Collect Apache Tomcat Session metrics.
diff --git a/packages/apache_tomcat/data_stream/session/sample_event.json b/packages/apache_tomcat/data_stream/session/sample_event.json
new file mode 100644
index 00000000000..daa8eb717d5
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/session/sample_event.json
@@ -0,0 +1,105 @@
+{
+ "@timestamp": "2023-07-06T06:11:01.712Z",
+ "agent": {
+ "ephemeral_id": "27d03e29-cf11-4c0e-a36d-502210fff5f6",
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "name": "docker-fleet-agent",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "apache_tomcat": {
+ "session": {
+ "active": {
+ "allowed": {
+ "max": -1
+ },
+ "max": 0,
+ "total": 0
+ },
+ "alive_time": {
+ "avg": 0,
+ "max": 0
+ },
+ "application_name": "/",
+ "create": {
+ "rate": 0,
+ "total": 0
+ },
+ "duplicate_ids": {
+ "count": 0
+ },
+ "expire": {
+ "rate": 0,
+ "total": 0
+ },
+ "persist_authentication": false,
+ "process_expires_frequency": {
+ "count": 6
+ },
+ "processing_time": 0,
+ "rejected": {
+ "count": 0
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "apache_tomcat.session",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "elastic_agent": {
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "snapshot": false,
+ "version": "8.8.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "dataset": "apache_tomcat.session",
+ "duration": 259368511,
+ "ingested": "2023-07-06T06:11:05Z",
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "e8978f2086c14e13b7a0af9ed0011d19",
+ "ip": [
+ "172.27.0.7"
+ ],
+ "mac": [
+ "02-42-AC-1B-00-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.90.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
+ "type": "prometheus"
+ },
+ "tags": [
+ "apache_tomcat-session"
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-common-config.yml b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..c39dc386179
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,2 @@
+dynamic_fields:
+ event.ingested: ".*"
diff --git a/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-metrics.json b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-metrics.json
new file mode 100644
index 00000000000..15a11ecbaca
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-metrics.json
@@ -0,0 +1,45 @@
+{
+ "events": [
+ {
+ "prometheus": {
+ "labels": {
+ "instance": "127.0.0.1:9090",
+ "job": "prometheus",
+ "name": "\"http-nio-8080\""
+ },
+ "metrics": {
+ "Catalina_ThreadPool_maxConnections": 8192,
+ "Catalina_ThreadPool_minSpareThreads": 10,
+ "Catalina_ThreadPool_currentThreadsBusy": 0,
+ "Catalina_ThreadPool_pollerThreadPriority": 5,
+ "Catalina_ThreadPool_connectionLinger": -1,
+ "Catalina_ThreadPool_acceptorThreadPriority": 5,
+ "Catalina_ThreadPool_daemon": 1,
+ "Catalina_ThreadPool_portWithOffset": 8080,
+ "Catalina_ThreadPool_port": 8080,
+ "Catalina_ThreadPool_keepAliveCount": 0,
+ "Catalina_ThreadPool_sniParseLimit": 65536,
+ "Catalina_ThreadPool_sSLEnabled": 0,
+ "Catalina_ThreadPool_running": 1,
+ "Catalina_ThreadPool_connectionTimeout": 20000,
+ "Catalina_ThreadPool_useInheritedChannel": 0,
+ "Catalina_ThreadPool_acceptCount": 100,
+ "Catalina_ThreadPool_keepAliveTimeout": 20000,
+ "Catalina_ThreadPool_maxThreads": 200,
+ "Catalina_ThreadPool_threadPriority": 5,
+ "Catalina_ThreadPool_localPort": 8080,
+ "Catalina_ThreadPool_connectionCount": 1,
+ "Catalina_ThreadPool_paused": 0,
+ "Catalina_ThreadPool_portOffset": 0,
+ "Catalina_ThreadPool_bindOnInit": 1,
+ "Catalina_ThreadPool_tcpNoDelay": 1,
+ "Catalina_ThreadPool_useSendfile": 1,
+ "Catalina_ThreadPool_currentThreadCount": 10,
+ "Catalina_ThreadPool_maxKeepAliveRequests": 100,
+ "Catalina_ThreadPool_executorTerminationTimeoutMillis": 5000,
+ "Catalina_ThreadPool_selectorTimeout": 1000
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-metrics.json-expected.json b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-metrics.json-expected.json
new file mode 100644
index 00000000000..a9bdcf4c983
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-metrics.json-expected.json
@@ -0,0 +1,82 @@
+{
+ "expected": [
+ {
+ "apache_tomcat": {
+ "thread_pool": {
+ "connection": {
+ "count": 1,
+ "linger": -1,
+ "max": 8192,
+ "timeout": 20000
+ },
+ "executor_termination": {
+ "timeout": {
+ "ms": 5000
+ }
+ },
+ "initiated_connector": {
+ "state": true
+ },
+ "keep_alive": {
+ "count": 0,
+ "max_requests": 100,
+ "timeout": 20000
+ },
+ "nio_connector": "http-nio-8080",
+ "ssl_enabled": false,
+ "tcp_no_delay": true,
+ "thread": {
+ "accept": {
+ "count": 100
+ },
+ "current": {
+ "busy": 0,
+ "count": 10
+ },
+ "daemon": {
+ "status": true
+ },
+ "paused": false,
+ "port": {
+ "default": 8080,
+ "offset": 0,
+ "value": 8080,
+ "with_offset": 8080
+ },
+ "priority": {
+ "acceptor": 5,
+ "count": 5,
+ "poller": 5
+ },
+ "requests": {
+ "max": 200
+ },
+ "running": {
+ "min": 10,
+ "value": true
+ },
+ "selector": {
+ "timeout": 1000
+ },
+ "sni_parse_limit": 65536
+ },
+ "use_inherited_channel": false,
+ "use_send_file": true
+ }
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "event": {
+ "category": [
+ "web"
+ ],
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-threading-metrics.json b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-threading-metrics.json
new file mode 100644
index 00000000000..307314765b1
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-threading-metrics.json
@@ -0,0 +1,31 @@
+{
+ "events": [
+ {
+ "prometheus": {
+ "labels": {
+ "instance": "127.0.0.1:9090",
+ "job": "prometheus",
+ "name": "\"http-nio-8080\""
+ },
+ "metrics": {
+ "java_lang_Threading_ThreadCount": 25,
+ "java_lang_Threading_CurrentThreadCpuTimeSupported": 1,
+ "java_lang_Threading_ThreadContentionMonitoringEnabled": 0,
+ "java_lang_Threading_ThreadContentionMonitoringSupported": 1,
+ "java_lang_Threading_ThreadCpuTimeSupported": 1,
+ "java_lang_Threading_CurrentThreadAllocatedBytes": 2.159124728832e+12,
+ "java_lang_Threading_ThreadCpuTimeEnabled": 1,
+ "java_lang_Threading_TotalStartedThreadCount": 50,
+ "java_lang_Threading_CurrentThreadCpuTime": 3.048293149766e+12,
+ "java_lang_Threading_DaemonThreadCount": 22,
+ "java_lang_Threading_SynchronizerUsageSupported": 1,
+ "java_lang_Threading_PeakThreadCount": 26,
+ "java_lang_Threading_ThreadAllocatedMemorySupported": 1,
+ "java_lang_Threading_CurrentThreadUserTime": 2.97763e+12,
+ "java_lang_Threading_ObjectMonitorUsageSupported": 1,
+ "java_lang_Threading_ThreadAllocatedMemoryEnabled": 1
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-threading-metrics.json-expected.json b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-threading-metrics.json-expected.json
new file mode 100644
index 00000000000..846a9af645a
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/pipeline/test-thread-pool-threading-metrics.json-expected.json
@@ -0,0 +1,71 @@
+{
+ "expected": [
+ {
+ "apache_tomcat": {
+ "thread_pool": {
+ "contention": {
+ "monitoring_enabled": false
+ },
+ "nio_connector": "http-nio-8080",
+ "thread": {
+ "active": {
+ "count": 25
+ },
+ "allocated_memory": {
+ "enabled": true,
+ "supported": true
+ },
+ "current": {
+ "allocated": {
+ "bytes": 2.159124728832E12
+ },
+ "cpu": {
+ "time": {
+ "enabled": true,
+ "ms": 3.048293149766E12
+ }
+ },
+ "user": {
+ "time": {
+ "ms": 2.97763E12
+ }
+ }
+ },
+ "daemon": {
+ "count": 22
+ },
+ "peak": {
+ "count": 26
+ },
+ "supported": {
+ "contention_monitoring": true,
+ "cpu": {
+ "current": {
+ "time": true
+ }
+ },
+ "usage": {
+ "object_monitor": true,
+ "synchronizer": true
+ }
+ },
+ "total": 50
+ }
+ }
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "event": {
+ "category": [
+ "web"
+ ],
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/thread_pool/_dev/test/system/test-default-config.yml b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..a6a09ba07de
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/_dev/test/system/test-default-config.yml
@@ -0,0 +1,4 @@
+vars:
+ hosts:
+ - http://{{Hostname}}:{{Port}}/metrics
+input: prometheus/metrics
diff --git a/packages/apache_tomcat/data_stream/thread_pool/agent/stream/stream.yml.hbs b/packages/apache_tomcat/data_stream/thread_pool/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..4d6bedf6f5a
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/agent/stream/stream.yml.hbs
@@ -0,0 +1,25 @@
+metricsets: ["collector"]
+hosts:
+{{#each hosts}}
+ - {{this}}
+{{/each}}
+metrics_filters:
+ include: ["Catalina_ThreadPool_*","java_lang_Threading_*"]
+period: {{period}}
+{{#if username}}
+username: "{{username}}"
+{{/if}}
+{{#if password}}
+password: "{{password}}"
+{{/if}}
+{{#if ssl}}
+{{ssl}}
+{{/if}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/thread_pool/elasticsearch/ingest_pipeline/default.yml b/packages/apache_tomcat/data_stream/thread_pool/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..29683590b7d
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,308 @@
+---
+description: Pipeline for processing Apache Tomcat Thread Pool metrics.
+processors:
+ - set:
+ field: ecs.version
+ value: 8.7.0
+ - set:
+ field: event.kind
+ value: metric
+ - set:
+ field: event.module
+ value: apache_tomcat
+ - set:
+ field: event.type
+ value: [info]
+ - set:
+ field: event.category
+ value: [web]
+ - dissect:
+ field: prometheus.labels.name
+ tag: 'dissect_nio_connector'
+ pattern: "\"%{apache_tomcat.thread_pool.nio_connector}\""
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_acceptCount
+ target_field: apache_tomcat.thread_pool.thread.accept.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_currentThreadsBusy
+ target_field: apache_tomcat.thread_pool.thread.current.busy
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_connectionCount
+ target_field: apache_tomcat.thread_pool.connection.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_connectionLinger
+ target_field: apache_tomcat.thread_pool.connection.linger
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_maxConnections
+ target_field: apache_tomcat.thread_pool.connection.max
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_connectionTimeout
+ target_field: apache_tomcat.thread_pool.connection.timeout
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_currentThreadCount
+ target_field: apache_tomcat.thread_pool.thread.current.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_executorTerminationTimeoutMillis
+ target_field: apache_tomcat.thread_pool.executor_termination.timeout.ms
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_keepAliveCount
+ target_field: apache_tomcat.thread_pool.keep_alive.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_maxKeepAliveRequests
+ target_field: apache_tomcat.thread_pool.keep_alive.max_requests
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_keepAliveTimeout
+ target_field: apache_tomcat.thread_pool.keep_alive.timeout
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_maxThreads
+ target_field: apache_tomcat.thread_pool.thread.requests.max
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_localPort
+ target_field: apache_tomcat.thread_pool.thread.port.default
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_portOffset
+ target_field: apache_tomcat.thread_pool.thread.port.offset
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_port
+ target_field: apache_tomcat.thread_pool.thread.port.value
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_portWithOffset
+ target_field: apache_tomcat.thread_pool.thread.port.with_offset
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_acceptorThreadPriority
+ target_field: apache_tomcat.thread_pool.thread.priority.acceptor
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_pollerThreadPriority
+ target_field: apache_tomcat.thread_pool.thread.priority.poller
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_threadPriority
+ target_field: apache_tomcat.thread_pool.thread.priority.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_selectorTimeout
+ target_field: apache_tomcat.thread_pool.thread.selector.timeout
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_sniParseLimit
+ target_field: apache_tomcat.thread_pool.thread.sni_parse_limit
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.Catalina_ThreadPool_minSpareThreads
+ target_field: apache_tomcat.thread_pool.thread.running.min
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Threading_CurrentThreadAllocatedBytes
+ target_field: apache_tomcat.thread_pool.thread.current.allocated.bytes
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Threading_CurrentThreadCpuTime
+ target_field: apache_tomcat.thread_pool.thread.current.cpu.time.ms
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Threading_CurrentThreadUserTime
+ target_field: apache_tomcat.thread_pool.thread.current.user.time.ms
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Threading_DaemonThreadCount
+ target_field: apache_tomcat.thread_pool.thread.daemon.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Threading_PeakThreadCount
+ target_field: apache_tomcat.thread_pool.thread.peak.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Threading_ThreadCount
+ target_field: apache_tomcat.thread_pool.thread.active.count
+ ignore_missing: true
+ - rename:
+ field: prometheus.metrics.java_lang_Threading_TotalStartedThreadCount
+ target_field: apache_tomcat.thread_pool.thread.total
+ ignore_missing: true
+ - set:
+ field: apache_tomcat.thread_pool.thread.running.value
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_running == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.running.value
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_running == 0
+ - set:
+ field: apache_tomcat.thread_pool.ssl_enabled
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_sSLEnabled == 1
+ - set:
+ field: apache_tomcat.thread_pool.ssl_enabled
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_sSLEnabled == 0
+ - set:
+ field: apache_tomcat.thread_pool.tcp_no_delay
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_tcpNoDelay == 1
+ - set:
+ field: apache_tomcat.thread_pool.tcp_no_delay
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_tcpNoDelay == 0
+ - set:
+ field: apache_tomcat.thread_pool.use_inherited_channel
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_useInheritedChannel == 1
+ - set:
+ field: apache_tomcat.thread_pool.use_inherited_channel
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_useInheritedChannel == 0
+ - set:
+ field: apache_tomcat.thread_pool.use_send_file
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_useSendfile == 1
+ - set:
+ field: apache_tomcat.thread_pool.use_send_file
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_useSendfile == 0
+ - set:
+ field: apache_tomcat.thread_pool.thread.allocated_memory.enabled
+ value: true
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadAllocatedMemoryEnabled == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.allocated_memory.enabled
+ value: false
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadAllocatedMemoryEnabled == 0
+ - set:
+ field: apache_tomcat.thread_pool.thread.allocated_memory.supported
+ value: true
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadAllocatedMemorySupported == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.allocated_memory.supported
+ value: false
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadAllocatedMemorySupported == 0
+ - set:
+ field: apache_tomcat.thread_pool.contention.monitoring_enabled
+ value: true
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadContentionMonitoringEnabled == 1
+ - set:
+ field: apache_tomcat.thread_pool.contention.monitoring_enabled
+ value: false
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadContentionMonitoringEnabled == 0
+ - set:
+ field: apache_tomcat.thread_pool.initiated_connector.state
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_bindOnInit == 1
+ - set:
+ field: apache_tomcat.thread_pool.initiated_connector.state
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_bindOnInit == 0
+ - set:
+ field: apache_tomcat.thread_pool.thread.daemon.status
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_daemon == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.daemon.status
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_daemon == 0
+ - set:
+ field: apache_tomcat.thread_pool.thread.paused
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_paused == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.paused
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_ThreadPool_paused == 0
+ - set:
+ field: apache_tomcat.thread_pool.thread.current.cpu.time.enabled
+ value: true
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadCpuTimeEnabled == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.current.cpu.time.enabled
+ value: false
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadCpuTimeEnabled == 0
+ - set:
+ field: apache_tomcat.thread_pool.thread.supported.contention_monitoring
+ value: true
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadContentionMonitoringSupported == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.supported.contention_monitoring
+ value: false
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ThreadContentionMonitoringSupported == 0
+ - set:
+ field: apache_tomcat.thread_pool.thread.supported.usage.object_monitor
+ value: true
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ObjectMonitorUsageSupported == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.supported.usage.object_monitor
+ value: false
+ if: ctx.prometheus?.metrics?.java_lang_Threading_ObjectMonitorUsageSupported == 0
+ - set:
+ field: apache_tomcat.thread_pool.thread.supported.usage.synchronizer
+ value: true
+ if: ctx.prometheus?.metrics?.java_lang_Threading_SynchronizerUsageSupported == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.supported.usage.synchronizer
+ value: false
+ if: ctx.prometheus?.metrics?.java_lang_Threading_SynchronizerUsageSupported == 0
+ - set:
+ field: apache_tomcat.thread_pool.thread.supported.cpu.current.time
+ value: true
+ if: ctx.prometheus?.metrics?.java_lang_Threading_CurrentThreadCpuTimeSupported == 1
+ - set:
+ field: apache_tomcat.thread_pool.thread.supported.cpu.current.time
+ value: false
+ if: ctx.prometheus?.metrics?.java_lang_Threading_CurrentThreadCpuTimeSupported == 0
+ - set:
+ field: apache_tomcat.thread_pool.persist_authentication
+ value: true
+ if: ctx.prometheus?.metrics?.Catalina_Manager_persistAuthentication == 1
+ - set:
+ field: apache_tomcat.thread_pool.persist_authentication
+ value: false
+ if: ctx.prometheus?.metrics?.Catalina_Manager_persistAuthentication == 0
+ - remove:
+ field:
+ - prometheus
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
\ No newline at end of file
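Review bot: The renames of `java_lang_Threading_CurrentThreadCpuTime` and `java_lang_Threading_CurrentThreadUserTime` place the values under `apache_tomcat.thread_pool.thread.current.cpu.time.ms` and `...user.time.ms`, but the JMX `Threading` attributes report nanoseconds, and the fixture value `3.048293149766e+12` is plausible as ns (about 51 minutes of CPU) and impossible as ms (roughly 96 years). Either rename the targets to `...cpu.time.ns` / `...user.time.ns` with matching entries in fields.yml, or divide by 1e6 before the rename and note the conversion in a comment. Separately, the two set processors for `apache_tomcat.thread_pool.persist_authentication` test `Catalina_Manager_persistAuthentication`, which the thread_pool stream template never collects (its `metrics_filters.include` lists only `Catalina_ThreadPool_*` and `java_lang_Threading_*`), so they appear to be copied from the session pipeline and can be removed; if they are meant to stay, the include filter and fields.yml need the corresponding entries.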
diff --git a/packages/apache_tomcat/data_stream/thread_pool/fields/base-fields.yml b/packages/apache_tomcat/data_stream/thread_pool/fields/base-fields.yml
new file mode 100644
index 00000000000..909e7ff859a
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/fields/base-fields.yml
@@ -0,0 +1,15 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: tags
+ type: keyword
+ description: List of keywords used to tag each event.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/apache_tomcat/data_stream/thread_pool/fields/ecs.yml b/packages/apache_tomcat/data_stream/thread_pool/fields/ecs.yml
new file mode 100644
index 00000000000..bddafc20650
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/fields/ecs.yml
@@ -0,0 +1,41 @@
+- external: ecs
+ name: agent.id
+ dimension: true
+- external: ecs
+ name: cloud.account.id
+ dimension: true
+- external: ecs
+ name: cloud.availability_zone
+ dimension: true
+- external: ecs
+ name: cloud.instance.id
+ dimension: true
+- external: ecs
+ name: cloud.provider
+ dimension: true
+- external: ecs
+ name: cloud.region
+ dimension: true
+- external: ecs
+ name: container.id
+ dimension: true
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: host.name
+ dimension: true
+- external: ecs
+ name: service.address
+ dimension: true
+- external: ecs
+ name: service.type
diff --git a/packages/apache_tomcat/data_stream/thread_pool/fields/fields.yml b/packages/apache_tomcat/data_stream/thread_pool/fields/fields.yml
new file mode 100644
index 00000000000..5c11fded17f
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/fields/fields.yml
@@ -0,0 +1,216 @@
+- name: apache_tomcat
+ type: group
+ fields:
+ - name: thread_pool
+ type: group
+ fields:
+ - name: connection
+ type: group
+ fields:
+ - name: count
+ type: double
+ description: Count of all connections.
+ metric_type: counter
+ - name: linger
+ type: double
+ description: The number of seconds during which the sockets used by this connector will linger when they are closed.
+ metric_type: gauge
+ unit: s
+ - name: max
+ type: double
+ description: The total number of concurrent connections that the server will accept and process.
+ metric_type: gauge
+ - name: timeout
+ type: double
+ description: Thread connection timeout.
+ metric_type: counter
+ - name: contention.monitoring_enabled
+ type: boolean
+ description: This is used to determine if a Java virtual machine enables thread contention monitoring.
+ - name: executor_termination.timeout.ms
+ type: double
+ description: The time that the private internal executor will wait for request processing threads to terminate before continuing with the process of stopping the connector. If not set, the default is 5000 (5 seconds).
+ metric_type: gauge
+ unit: ms
+ - name: initiated_connector.state
+ type: boolean
+ description: State of bound when the connector is initiated.
+ - name: keep_alive
+ type: group
+ fields:
+ - name: count
+ type: double
+ description: Total keep alive on the ThreadPool.
+ metric_type: gauge
+ - name: max_requests
+ type: double
+ description: Maximum number of request keep alive in ThreadPool.
+ metric_type: gauge
+ - name: timeout
+ type: double
+ description: Keep alive timeout on the ThreadPool.
+ metric_type: gauge
+ - name: nio_connector
+ type: keyword
+ description: Name of NIO Connector.
+ # Reason to add as a dimension field: Users can configure many different NIO Connector in Apache Tomcat instance.
+ dimension: true
+ - name: ssl_enabled
+ type: boolean
+ description: SSL enable status.
+ - name: tcp_no_delay
+ type: boolean
+ description: Status of tcp no delay option used to improves performance under most circumstances.
+ - name: thread
+ type: group
+ fields:
+ - name: accept.count
+ type: double
+ description: Count of all threads accepted.
+ metric_type: counter
+ - name: active.count
+ type: double
+ description: Current active threads at JVM level (from java.lang:type=Threading).
+ metric_type: gauge
+ - name: allocated_memory
+ type: group
+ fields:
+ - name: enabled
+ type: boolean
+ description: Allocated memory enabled in thread.
+ - name: supported
+ type: boolean
+ description: Allocated memory supported in thread.
+ - name: current
+ type: group
+ fields:
+ - name: allocated.bytes
+ type: double
+ description: Allocated bytes in current thread.
+ metric_type: counter
+ unit: byte
+ - name: busy
+ type: double
+ description: Current busy threads from the ThreadPool.
+ metric_type: gauge
+ - name: count
+ type: double
+ description: Current number of threads, taken from the ThreadPool.
+ metric_type: gauge
+ - name: cpu.time
+ type: group
+ fields:
+ - name: enabled
+ type: boolean
+ description: CPU time for the current thread.
+ - name: ms
+ type: double
+ description: CPU time in milliseconds.
+ metric_type: gauge
+ unit: ms
+ - name: user.time.ms
+ type: double
+ description: User time in milliseconds.
+ metric_type: gauge
+ unit: ms
+ - name: daemon
+ type: group
+ fields:
+ - name: count
+ type: double
+ description: Daemon count for the current thread.
+ metric_type: gauge
+ - name: status
+ type: boolean
+ description: The status which states whether the thread is daemon or not.
+ - name: paused
+ type: boolean
+ description: Pause state of Thread.
+ - name: peak.count
+ type: double
+ description: Peak number of threads at JVM level (from java.lang:type=Threading).
+ metric_type: gauge
+ - name: port
+ type: group
+ fields:
+ - name: default
+ type: long
+ description: Default port of thread in Apache Tomcat.
+ metric_type: gauge
+ - name: offset
+ type: long
+ description: The offset to apply to port of thread.
+ metric_type: gauge
+ - name: value
+ type: long
+ description: Port of thread.
+ metric_type: gauge
+ - name: with_offset
+ type: long
+ description: Port of thread with offset.
+ metric_type: gauge
+ - name: priority
+ type: group
+ fields:
+ - name: acceptor
+ type: double
+ description: The priority of the acceptor thread.
+ metric_type: gauge
+ - name: count
+ type: double
+ description: Priority of thread.
+ metric_type: gauge
+ - name: poller
+ type: double
+ description: The priority of the poller threads.
+ metric_type: gauge
+ - name: requests.max
+ type: double
+ description: Max threads from the ThreadPool, to be created by the connector and made available for requests.
+ metric_type: counter
+ - name: running
+ type: group
+ fields:
+ - name: min
+ type: double
+ description: The minimum number of threads always kept running.
+ metric_type: gauge
+ - name: value
+ type: boolean
+ description: The status which states whether the thread is running or not.
+ - name: selector.timeout
+ type: double
+ description: Selector thread's timeout.
+ metric_type: gauge
+ - name: sni_parse_limit
+ type: double
+ description: SNI parsing limit of thread.
+ metric_type: gauge
+ - name: supported
+ type: group
+ fields:
+ - name: contention_monitoring
+ type: boolean
+ description: This is used to determine if a Java virtual machine supports thread contention monitoring.
+ - name: cpu.current.time
+ type: boolean
+ description: CPU time that the current thread has executed in user mode is supported or not.
+ - name: usage
+ type: group
+ fields:
+ - name: object_monitor
+ type: boolean
+ description: Support of object monitor usage of thread.
+ - name: synchronizer
+ type: boolean
+ description: Support of synchronizer usage.
+ - name: total
+ type: double
+ description: Total threads at the JVM level (from java.lang:type=Threading).
+ metric_type: gauge
+ - name: use_inherited_channel
+ type: boolean
+ description: Returns the channel inherited from the entity that created this Java virtual machine.
+ - name: use_send_file
+ type: boolean
+ description: Use of sendfile will disable any compression that Tomcat may otherwise have performed on the response.
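Review bot: `connection.timeout` and `thread.requests.max` are declared `metric_type: counter`, but both are configured limits rather than monotonically increasing counts; because this stream's manifest sets `index_mode: time_series`, a counter that moves down after a configuration change produces wrong rate/derivative results, so both should read `metric_type: gauge`. `thread.accept.count` is probably the same case if it maps to Tomcat's `acceptCount` backlog limit rather than a running total — worth confirming against the ingest pipeline. Separately, `thread.current.cpu.time.ms` and `thread.current.user.time.ms` carry `unit: ms`, yet the sample event values (31925017 and 30000000, the latter an exact multiple of 10000000) look like the nanosecond values JMX reports for `CurrentThreadCpuTime`/`CurrentThreadUserTime`; unless the pipeline (whose start is outside this view) divides by 1e6, either the unit or the field name is misleading. The boolean `thread.current.cpu.time.enabled` also has a description that reads like a measurement (`CPU time for the current thread.`); suggest `description: Whether CPU time measurement is enabled for the current thread.`.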
diff --git a/packages/apache_tomcat/data_stream/thread_pool/manifest.yml b/packages/apache_tomcat/data_stream/thread_pool/manifest.yml
new file mode 100644
index 00000000000..1e23c1003ff
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/manifest.yml
@@ -0,0 +1,32 @@
+type: metrics
+title: Apache Tomcat Thread Pool metrics
+streams:
+ - input: prometheus/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ required: true
+ default: 10s
+ show_user: true
+ description: Period of fetching metrics, i.e. 1s/1m/1h.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - apache_tomcat-thread_pool
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
+ template_path: stream.yml.hbs
+ title: Apache Tomcat Thread Pool metrics
+ description: Collect Apache Tomcat Thread Pool and Threading metrics.
+elasticsearch:
+ index_mode: "time_series"
diff --git a/packages/apache_tomcat/data_stream/thread_pool/sample_event.json b/packages/apache_tomcat/data_stream/thread_pool/sample_event.json
new file mode 100644
index 00000000000..4c6f52562c8
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/thread_pool/sample_event.json
@@ -0,0 +1,121 @@
+{
+ "@timestamp": "2023-07-06T06:13:12.777Z",
+ "agent": {
+ "ephemeral_id": "5209fee4-2cae-4498-bf4b-c295a793454b",
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "name": "docker-fleet-agent",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "apache_tomcat": {
+ "thread_pool": {
+ "contention": {
+ "monitoring_enabled": false
+ },
+ "thread": {
+ "active": {
+ "count": 26
+ },
+ "allocated_memory": {
+ "enabled": true,
+ "supported": true
+ },
+ "current": {
+ "allocated": {
+ "bytes": 2835120
+ },
+ "cpu": {
+ "time": {
+ "enabled": true,
+ "ms": 31925017
+ }
+ },
+ "user": {
+ "time": {
+ "ms": 30000000
+ }
+ }
+ },
+ "daemon": {
+ "count": 23
+ },
+ "peak": {
+ "count": 26
+ },
+ "supported": {
+ "contention_monitoring": true,
+ "cpu": {
+ "current": {
+ "time": true
+ }
+ },
+ "usage": {
+ "object_monitor": true,
+ "synchronizer": true
+ }
+ },
+ "total": 27
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "apache_tomcat.thread_pool",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "elastic_agent": {
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "snapshot": false,
+ "version": "8.8.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "dataset": "apache_tomcat.thread_pool",
+ "duration": 256268755,
+ "ingested": "2023-07-06T06:13:16Z",
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "e8978f2086c14e13b7a0af9ed0011d19",
+ "ip": [
+ "172.27.0.7"
+ ],
+ "mac": [
+ "02-42-AC-1B-00-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.90.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
+ "type": "prometheus"
+ },
+ "tags": [
+ "apache_tomcat-thread_pool"
+ ]
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/docs/README.md b/packages/apache_tomcat/docs/README.md
index 6850de66654..6ccc1081188 100644
--- a/packages/apache_tomcat/docs/README.md
+++ b/packages/apache_tomcat/docs/README.md
@@ -6,7 +6,7 @@
Use the Apache Tomcat integration to:
-- Collect metrics related to the cache and request and collect logs related to access, catalina, and localhost.
+- Collect metrics related to the cache, connection pool, memory, request, session and thread pool and collect logs related to access, catalina, and localhost.
- Create visualizations to monitor, measure and analyze the usage trend and key data, and derive business insights.
- Create alerts to reduce the MTTD and also the MTTR by referencing relevant logs when troubleshooting an issue.
@@ -16,14 +16,18 @@ The Apache Tomcat integration collects logs and metrics data.
Logs help you keep a record of events that happen on your machine. The `Log` data streams collected by Apache Tomcat integration are `access`, `catalina`, and `localhost`, so that users can keep track of the IP addresses of the clients, bytes returned to the client or sent by clients, etc., so that users could monitor and troubleshoot the performance of Java applications.
-Metrics give you insight into the statistics of the Apache Tomcat. The `Metric` data streams collected by the Apache Tomcat integration are `cache` and `request`, so that the user can monitor and troubleshoot the performance of the Apache Tomcat instance.
+Metrics give you insight into the statistics of the Apache Tomcat. The `Metric` data streams collected by the Apache Tomcat integration are `cache`, `connection pool`, `memory`, `request`, `session` and `thread pool`, so that the user can monitor and troubleshoot the performance of the Apache Tomcat instance.
Data streams:
- `access`: Collects information related to overall performance of Java applications.
+- `cache`: Collects information related to the overall cache of the Apache Tomcat instance.
- `catalina`: Collects information related to the startup and shutdown of the Apache Tomcat application server, the deployment of new applications, or the failure of one or more subsystems.
+- `connection pool`: Collects information related to connection pool such as number of active and idle connections.
- `localhost`: Collects information related to Web application activity which is related to HTTP transactions between the application server and the client.
-- `cache`: Collects information related to the overall cache of the Apache Tomcat instance.
+- `memory`: Collects information related to heap memory, non-heap memory and garbage collection of the Tomcat instance.
- `request`: Collects information related to requests of the Apache Tomcat instance.
+- `thread pool`: Collects information related to the overall states of the threads, CPU time and processing termination time of the threads in the Tomcat instance.
+- `session`: Collects information related to overall created, active and expired sessions of the Tomcat instance.
Note:
- Users can monitor and see the log inside the ingested documents for Apache Tomcat in the `logs-*` index pattern from `Discover`, and for metrics, the index pattern is `metrics-*`.
@@ -48,14 +52,14 @@ For step-by-step instructions on how to set up an integration, see the [Getting
Here are the steps to configure Prometheus in Apache Tomcat instance:
-1. Go to `/webapps` from Apache Tomcat instance.
+1. Go to `/webapps` from Apache Tomcat instance.
2. Please find latest [Prometheus version](https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/), replace in below command and perform from Apache Tomcat instance: -
```
wget https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent//jmx_prometheus_javaagent-.jar
```
-3. Create `config.yml` file in `/webapps` and paste the following content in `config.yml` file: -
+3. Create `config.yml` file in `/webapps` and paste the following content in `config.yml` file: -
```
rules:
@@ -64,7 +68,7 @@ rules:
4. Go to `/etc/systemd/system` and add the following content in `tomcat.service` file: -
```
-Environment='JAVA_OPTS=-javaagent:/webapps/jmx_prometheus_javaagent-.jar=:/opt/tomcat/webapps/config.yml'
+Environment='JAVA_OPTS=-javaagent:/webapps/jmx_prometheus_javaagent-.jar=:/opt/tomcat/webapps/config.yml'
```
5. Run the following commands to reload demon and restart Apache Tomcat instance: -
@@ -78,7 +82,7 @@ systemctl restart tomcat
Here are the steps to configure Log format in Apache Tomcat instance:
-1. Go to `/conf/server.xml` from Apache Tomcat instance.
+1. Go to `/conf/server.xml` from Apache Tomcat instance.
2. The user can update the log format in the pattern field of the class `org.apache.catalina.valves.AccessLogValve`. Here is an example of the `org.apache.catalina.valves.AccessLogValve` class.
@@ -101,6 +105,18 @@ Combined Log Format + X-Forwarded-For header :- '%h %l %u %t "%r" %s %b %A %X %T
systemctl restart tomcat
```
+## Supported log formats for Catalina and Localhost logs:
+
+- With error stack trace:
+```
+dd-MMM-yyyy HH:mm:ss.SSS [Severity] [Subsystem] [Message Text] [Error Stack Trace]
+```
+
+- Without error stack trace:
+```
+dd-MMM-yyyy HH:mm:ss.SSS [Severity] [Subsystem] [Message Text]
+```
+
Note:
- Restarting Apache Tomcat does not affect the virtual desktops that are currently running. It will only prevent new users from logging in for the duration of the restart process (typically several seconds).
@@ -565,7 +581,6 @@ An example event for `cache` looks as following:
"type": "prometheus"
},
"tags": [
- "forwarded",
"apache_tomcat-cache"
]
}
@@ -602,6 +617,378 @@ An example event for `cache` looks as following:
| tags | List of keywords used to tag each event. | keyword | | |
+### Connection Pool
+
+This is the `connection pool` data stream. This data stream collects metrics related to connection pool such as number of active and idle connections.
+
+An example event for `connection_pool` looks as following:
+
+```json
+{
+ "@timestamp": "2023-07-06T06:16:33.972Z",
+ "agent": {
+ "ephemeral_id": "f5813425-689c-4d7c-97d5-b549c3948d9d",
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "name": "docker-fleet-agent",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "apache_tomcat": {
+ "connection_pool": {
+ "access_to_underlying_connection_allowed": false,
+ "application_name": "/",
+ "cache": {
+ "state": 1
+ },
+ "connection": {
+ "abandoned_usage_tracking": false,
+ "active": {
+ "count": 0
+ },
+ "autocommit_on_return": true,
+ "clear_statement_pool_on_return": false,
+ "closed": false,
+ "database": {
+ "time": {
+ "max": {
+ "ms": -1
+ }
+ }
+ },
+ "default_transaction_isolation": -1,
+ "enable_autocommit_on_return": true,
+ "fast_fail_validation": false,
+ "idle": {
+ "count": 0,
+ "exists": false,
+ "max": {
+ "count": 20,
+ "size": -1,
+ "time": {
+ "ms": 3
+ }
+ },
+ "min": {
+ "size": 5,
+ "time": {
+ "ms": -1
+ }
+ }
+ },
+ "initial_size": {
+ "count": 0
+ },
+ "lifetime": {
+ "max": {
+ "ms": -1
+ }
+ },
+ "log_expired": true,
+ "min_evictable_idle": {
+ "time": 1800000
+ },
+ "remove_abandoned_on_borrow": false,
+ "remove_abandoned_on_maintenance": false,
+ "remove_abandoned_timeout": 300,
+ "rollback_on_return": true,
+ "test_on_return": false,
+ "test_while_idle": false,
+ "time_betwen_eviction_run": {
+ "time": {
+ "ms": -1
+ }
+ },
+ "validate": -1
+ },
+ "lifo": true,
+ "max": {
+ "total": 8
+ },
+ "prepared_statements": false,
+ "test_on_borrow": true,
+ "test_on_create": false
+ }
+ },
+ "data_stream": {
+ "dataset": "apache_tomcat.connection_pool",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "elastic_agent": {
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "snapshot": false,
+ "version": "8.8.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "dataset": "apache_tomcat.connection_pool",
+ "duration": 252065272,
+ "ingested": "2023-07-06T06:16:37Z",
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "e8978f2086c14e13b7a0af9ed0011d19",
+ "ip": [
+ "172.27.0.7"
+ ],
+ "mac": [
+ "02-42-AC-1B-00-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.90.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
+ "type": "prometheus"
+ },
+ "tags": [
+ "apache_tomcat-connection_pool"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| apache_tomcat.connection_pool.access_to_underlying_connection_allowed | Returns the state of connections that will be established when the connection pool is started. | boolean | | |
+| apache_tomcat.connection_pool.application_name | Name of the Apache Tomcat application. | keyword | | |
+| apache_tomcat.connection_pool.cache.state | Cache state of connection pool. | double | | gauge |
+| apache_tomcat.connection_pool.connection.abandoned_usage_tracking | Indicates if full stack traces are required when logAbandoned is true. | boolean | | |
+| apache_tomcat.connection_pool.connection.active.count | Number of active connection in pool. | double | | gauge |
+| apache_tomcat.connection_pool.connection.autocommit_on_return | Connections being returned to the pool. | boolean | | |
+| apache_tomcat.connection_pool.connection.clear_statement_pool_on_return | Keeps track of statements associated with a connection. | boolean | | |
+| apache_tomcat.connection_pool.connection.closed | Random Connection Closed Exceptions. | boolean | | |
+| apache_tomcat.connection_pool.connection.database.time.max.ms | Maximum time to wait for a database connection to become available in ms. | double | ms | gauge |
+| apache_tomcat.connection_pool.connection.default_transaction_isolation | TransactionIsolation state of connections created by this pool | double | | gauge |
+| apache_tomcat.connection_pool.connection.enable_autocommit_on_return | Connections being returned to the pool will be checked and configured with Connection. | boolean | | |
+| apache_tomcat.connection_pool.connection.fast_fail_validation | Timeout before a connection validation queries fail. | boolean | | |
+| apache_tomcat.connection_pool.connection.idle.count | Idle number of connection pool. | double | | gauge |
+| apache_tomcat.connection_pool.connection.idle.exists | logAbandoned to figure out the connection is idle. | boolean | | |
+| apache_tomcat.connection_pool.connection.idle.max.count | Maximum idle connections. | double | | gauge |
+| apache_tomcat.connection_pool.connection.idle.max.size | Returns the maximum number of connections that can remain idle in the pool. | double | | gauge |
+| apache_tomcat.connection_pool.connection.idle.max.time.ms | It represents the maximum number of objects that the pool will examine during each run of the idle object evictor thread. | double | ms | gauge |
+| apache_tomcat.connection_pool.connection.idle.min.size | The minimum number of established connections that should be kept in the pool at all times. | double | | gauge |
+| apache_tomcat.connection_pool.connection.idle.min.time.ms | An attribute of the Tomcat DataSource object that sets the minimum time an object may sit idle in the pool before it is eligable for eviction by the idle object evictor. | double | ms | gauge |
+| apache_tomcat.connection_pool.connection.initial_size.count | The initial number of connections that are created when the pool is started. | double | | gauge |
+| apache_tomcat.connection_pool.connection.lifetime.max.ms | The maximum lifetime in milliseconds of a connection. | double | ms | gauge |
+| apache_tomcat.connection_pool.connection.log_expired | Log expired connection in pool. | boolean | | |
+| apache_tomcat.connection_pool.connection.min_evictable_idle.time | The minimum amount of time an object may sit idle in the pool before it is eligible for eviction. | double | | gauge |
+| apache_tomcat.connection_pool.connection.remove_abandoned_on_borrow | Remove abandoned connections from the pool when a connection is borrowed. | boolean | | |
+| apache_tomcat.connection_pool.connection.remove_abandoned_on_maintenance | The commons dbcp parameters which are unique from the Tomcat JDBC connection pool parameters are not being accepted. | boolean | | |
+| apache_tomcat.connection_pool.connection.remove_abandoned_timeout | Timeout in seconds before an abandoned (in use) connection can be removed. | double | | gauge |
+| apache_tomcat.connection_pool.connection.rollback_on_return | The pool can terminate the transaction by calling rollback on the connection. | boolean | | |
+| apache_tomcat.connection_pool.connection.test_on_return | The indication of whether objects will be validated before being returned to the pool. | boolean | | |
+| apache_tomcat.connection_pool.connection.test_while_idle | Introspected attribute testWhileIdle. | boolean | | |
+| apache_tomcat.connection_pool.connection.time_betwen_eviction_run.time.ms | The number of milliseconds to sleep between runs of the idle connection validation/cleaner thread. | double | ms | gauge |
+| apache_tomcat.connection_pool.connection.validate | Validate connections from this pool. | double | | gauge |
+| apache_tomcat.connection_pool.lifo | Last In First Out connections. | boolean | | |
+| apache_tomcat.connection_pool.max.total | Maximum total of connection pool. | double | | gauge |
+| apache_tomcat.connection_pool.prepared_statements | Validate connections from this pool. | boolean | | |
+| apache_tomcat.connection_pool.test_on_borrow | The indication of whether objects will be validated before being borrowed from the pool. | boolean | | |
+| apache_tomcat.connection_pool.test_on_create | Property determines whether or not the pool will validate objects immediately after they are created by the pool. | boolean | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| error.message | Error message. | match_only_text | | |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+
+
+### Memory
+
+This is the `memory` data stream. This data stream collects metrics related to the heap memory, non-heap memory, garbage collection time and count.
+
+An example event for `memory` looks as following:
+
+```json
+{
+ "@timestamp": "2023-07-11T13:20:12.035Z",
+ "agent": {
+ "ephemeral_id": "d25b802e-38e7-44c1-82d3-ef14a3522214",
+ "id": "fe5945f5-4d47-4726-8da8-5f694a655519",
+ "name": "docker-fleet-agent",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "apache_tomcat": {
+ "memory": {
+ "doc_type": "memory",
+ "heap": {
+ "committed": {
+ "bytes": 77594624
+ },
+ "init": {
+ "bytes": 195035136
+ },
+ "max": {
+ "bytes": 3103784960
+ },
+ "used": {
+ "bytes": 35204712
+ }
+ },
+ "non_heap": {
+ "committed": {
+ "bytes": 44695552
+ },
+ "init": {
+ "bytes": 7667712
+ },
+ "max": {
+ "bytes": -1
+ },
+ "used": {
+ "bytes": 42286456
+ }
+ },
+ "object_pending_finalization": {
+ "count": 0
+ },
+ "verbose": false
+ }
+ },
+ "data_stream": {
+ "dataset": "apache_tomcat.memory",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "elastic_agent": {
+ "id": "fe5945f5-4d47-4726-8da8-5f694a655519",
+ "snapshot": false,
+ "version": "8.8.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "dataset": "apache_tomcat.memory",
+ "duration": 281008420,
+ "ingested": "2023-07-11T13:20:15Z",
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "e8978f2086c14e13b7a0af9ed0011d19",
+ "ip": [
+ "192.168.64.7"
+ ],
+ "mac": [
+ "02-42-C0-A8-40-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.90.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
+ "type": "prometheus"
+ },
+ "tags": [
+ "apache_tomcat-memory"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| apache_tomcat.memory.doc_type | Document type of the event. This should be either "memory" or "gc". | keyword | | |
+| apache_tomcat.memory.gc.collection.count | The cumulative number of invoked garbage collections since the start of the server. | long | | counter |
+| apache_tomcat.memory.gc.collection.time.ms | The time (in milliseconds) taken by garbage collection during the collection interval. | long | ms | gauge |
+| apache_tomcat.memory.gc.valid | The garbage collection process in G1 is considered valid even if the old GC JMX counter remains at 0 while old space is gradually reclaimed by the young collections. | long | | gauge |
+| apache_tomcat.memory.heap.committed.bytes | Committed heap memory usage. | double | byte | gauge |
+| apache_tomcat.memory.heap.init.bytes | Initial heap memory usage. | double | byte | gauge |
+| apache_tomcat.memory.heap.max.bytes | Max heap memory usage. When the value for the maximum memory size (in bytes) is set to -1 for heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation. | double | byte | gauge |
+| apache_tomcat.memory.heap.used.bytes | Used heap memory usage. | double | byte | gauge |
+| apache_tomcat.memory.non_heap.committed.bytes | Committed non-heap memory usage. | double | byte | gauge |
+| apache_tomcat.memory.non_heap.init.bytes | Initial non-heap memory usage. | double | byte | gauge |
+| apache_tomcat.memory.non_heap.max.bytes | Max non-heap memory usage. When the value for the maximum memory size (in bytes) is set to -1 for non-heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation. | double | byte | gauge |
+| apache_tomcat.memory.non_heap.used.bytes | Used non-heap memory usage. | double | byte | gauge |
+| apache_tomcat.memory.object_pending_finalization.count | Count of object pending finalization. | double | | gauge |
+| apache_tomcat.memory.verbose | When set to true, will cause the memory manager to print messages to the console whenever it performs certain memory-related operations.(1.0-true, 0.0-false). | boolean | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| error.message | Error message. | match_only_text | | |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| tags | List of keywords used to tag each event. | keyword | | |
+
+
### Request
This is the `Request` data stream. This data stream collects metrics related to request count, and amount of data received and sent.
@@ -695,7 +1082,6 @@ An example event for `request` looks as following:
"type": "prometheus"
},
"tags": [
- "forwarded",
"apache_tomcat-request"
]
}
@@ -730,3 +1116,360 @@ An example event for `request` looks as following:
| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
| tags | List of keywords used to tag each event. | keyword | | |
+
+
+### Session
+
+This is the `session` data stream. This data stream collects metrics related to created, active, expired and rejected sessions, alive and processing time for sessions.
+
+An example event for `session` looks as following:
+
+```json
+{
+ "@timestamp": "2023-07-06T06:11:01.712Z",
+ "agent": {
+ "ephemeral_id": "27d03e29-cf11-4c0e-a36d-502210fff5f6",
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "name": "docker-fleet-agent",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "apache_tomcat": {
+ "session": {
+ "active": {
+ "allowed": {
+ "max": -1
+ },
+ "max": 0,
+ "total": 0
+ },
+ "alive_time": {
+ "avg": 0,
+ "max": 0
+ },
+ "application_name": "/",
+ "create": {
+ "rate": 0,
+ "total": 0
+ },
+ "duplicate_ids": {
+ "count": 0
+ },
+ "expire": {
+ "rate": 0,
+ "total": 0
+ },
+ "persist_authentication": false,
+ "process_expires_frequency": {
+ "count": 6
+ },
+ "processing_time": 0,
+ "rejected": {
+ "count": 0
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "apache_tomcat.session",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "elastic_agent": {
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "snapshot": false,
+ "version": "8.8.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "dataset": "apache_tomcat.session",
+ "duration": 259368511,
+ "ingested": "2023-07-06T06:11:05Z",
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "e8978f2086c14e13b7a0af9ed0011d19",
+ "ip": [
+ "172.27.0.7"
+ ],
+ "mac": [
+ "02-42-AC-1B-00-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.90.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
+ "type": "prometheus"
+ },
+ "tags": [
+ "apache_tomcat-session"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| apache_tomcat.session.active.allowed.max | The maximum number of active sessions allowed, or -1 for no limit. | double | | gauge |
+| apache_tomcat.session.active.max | Maximum number of active sessions so far. | double | | counter |
+| apache_tomcat.session.active.total | Number of active sessions at this moment. | double | | gauge |
+| apache_tomcat.session.alive_time.avg | Average time an expired session had been alive. | double | | gauge |
+| apache_tomcat.session.alive_time.max | Longest time an expired session had been alive. | double | | counter |
+| apache_tomcat.session.application_name | Name of the Apache Tomcat application. | keyword | | |
+| apache_tomcat.session.create.rate | Session creation rate in sessions per minute. | double | | gauge |
+| apache_tomcat.session.create.total | Total number of sessions created by the manager. | double | | counter |
+| apache_tomcat.session.duplicate_ids.count | Number of duplicated session ids generated. | double | | gauge |
+| apache_tomcat.session.expire.rate | Session expiration rate in sessions per minute. | double | | gauge |
+| apache_tomcat.session.expire.total | Number of sessions that expired (doesn't include explicit invalidations). | double | | gauge |
+| apache_tomcat.session.persist_authentication | Indicates whether sessions shall persist authentication information when being persisted (e.g. across application restarts). | boolean | | |
+| apache_tomcat.session.process_expires_frequency.count | The frequency of the manager checks (expiration and passivation). | double | | gauge |
+| apache_tomcat.session.processing_time | Time spent doing housekeeping and expiration. | double | ms | gauge |
+| apache_tomcat.session.rejected.count | Number of sessions we rejected due to maxActive being reached. | double | | gauge |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| error.message | Error message. | match_only_text | | |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| tags | List of keywords used to tag each event. | keyword | | |
+
+
+### Thread Pool
+
+This is the `thread pool` data stream. This data stream collects metrics related to the total, active, current, daemon, busy and peak threads, CPU time and processing termination time of the threads.
+
+An example event for `thread_pool` looks as following:
+
+```json
+{
+ "@timestamp": "2023-07-06T06:13:12.777Z",
+ "agent": {
+ "ephemeral_id": "5209fee4-2cae-4498-bf4b-c295a793454b",
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "name": "docker-fleet-agent",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "apache_tomcat": {
+ "thread_pool": {
+ "contention": {
+ "monitoring_enabled": false
+ },
+ "thread": {
+ "active": {
+ "count": 26
+ },
+ "allocated_memory": {
+ "enabled": true,
+ "supported": true
+ },
+ "current": {
+ "allocated": {
+ "bytes": 2835120
+ },
+ "cpu": {
+ "time": {
+ "enabled": true,
+ "ms": 31925017
+ }
+ },
+ "user": {
+ "time": {
+ "ms": 30000000
+ }
+ }
+ },
+ "daemon": {
+ "count": 23
+ },
+ "peak": {
+ "count": 26
+ },
+ "supported": {
+ "contention_monitoring": true,
+ "cpu": {
+ "current": {
+ "time": true
+ }
+ },
+ "usage": {
+ "object_monitor": true,
+ "synchronizer": true
+ }
+ },
+ "total": 27
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "apache_tomcat.thread_pool",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "elastic_agent": {
+ "id": "c78eadae-edd0-4b88-ab24-f2fb84a98229",
+ "snapshot": false,
+ "version": "8.8.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "web"
+ ],
+ "dataset": "apache_tomcat.thread_pool",
+ "duration": 256268755,
+ "ingested": "2023-07-06T06:13:16Z",
+ "kind": "metric",
+ "module": "apache_tomcat",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "e8978f2086c14e13b7a0af9ed0011d19",
+ "ip": [
+ "172.27.0.7"
+ ],
+ "mac": [
+ "02-42-AC-1B-00-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.90.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "collector",
+ "period": 10000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics",
+ "type": "prometheus"
+ },
+ "tags": [
+ "apache_tomcat-thread_pool"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| apache_tomcat.thread_pool.connection.count | Count of all connections. | double | | counter |
+| apache_tomcat.thread_pool.connection.linger | The number of seconds during which the sockets used by this connector will linger when they are closed. | double | s | gauge |
+| apache_tomcat.thread_pool.connection.max | The total number of concurrent connections that the server will accept and process. | double | | gauge |
+| apache_tomcat.thread_pool.connection.timeout | Thread connection timeout. | double | | counter |
+| apache_tomcat.thread_pool.contention.monitoring_enabled | This is used to determine if a Java virtual machine enables thread contention monitoring. | boolean | | |
+| apache_tomcat.thread_pool.executor_termination.timeout.ms | The time that the private internal executor will wait for request processing threads to terminate before continuing with the process of stopping the connector. If not set, the default is 5000 (5 seconds). | double | ms | gauge |
+| apache_tomcat.thread_pool.initiated_connector.state | State of bound when the connector is initiated. | boolean | | |
+| apache_tomcat.thread_pool.keep_alive.count | Total keep alive on the ThreadPool. | double | | gauge |
+| apache_tomcat.thread_pool.keep_alive.max_requests | Maximum number of request keep alive in ThreadPool. | double | | gauge |
+| apache_tomcat.thread_pool.keep_alive.timeout | Keep alive timeout on the ThreadPool. | double | | gauge |
+| apache_tomcat.thread_pool.nio_connector | Name of NIO Connector. | keyword | | |
+| apache_tomcat.thread_pool.ssl_enabled | SSL enable status. | boolean | | |
+| apache_tomcat.thread_pool.tcp_no_delay | Status of tcp no delay option used to improves performance under most circumstances. | boolean | | |
+| apache_tomcat.thread_pool.thread.accept.count | Count of all threads accepted. | double | | counter |
+| apache_tomcat.thread_pool.thread.active.count | Current active threads at JVM level (from java.lang:type=Threading). | double | | gauge |
+| apache_tomcat.thread_pool.thread.allocated_memory.enabled | Allocated memory enabled in thread. | boolean | | |
+| apache_tomcat.thread_pool.thread.allocated_memory.supported | Allocated memory supported in thread. | boolean | | |
+| apache_tomcat.thread_pool.thread.current.allocated.bytes | Allocated bytes in current thread. | double | byte | counter |
+| apache_tomcat.thread_pool.thread.current.busy | Current busy threads from the ThreadPool. | double | | gauge |
+| apache_tomcat.thread_pool.thread.current.count | Current number of threads, taken from the ThreadPool. | double | | gauge |
+| apache_tomcat.thread_pool.thread.current.cpu.time.enabled | CPU time for the current thread. | boolean | | |
+| apache_tomcat.thread_pool.thread.current.cpu.time.ms | CPU time in milliseconds. | double | ms | gauge |
+| apache_tomcat.thread_pool.thread.current.user.time.ms | User time in milliseconds. | double | ms | gauge |
+| apache_tomcat.thread_pool.thread.daemon.count | Daemon count for the current thread. | double | | gauge |
+| apache_tomcat.thread_pool.thread.daemon.status | The status which states whether the thread is daemon or not. | boolean | | |
+| apache_tomcat.thread_pool.thread.paused | Pause state of Thread. | boolean | | |
+| apache_tomcat.thread_pool.thread.peak.count | Peak number of threads at JVM level (from java.lang:type=Threading). | double | | gauge |
+| apache_tomcat.thread_pool.thread.port.default | Default port of thread in Apache Tomcat. | long | | gauge |
+| apache_tomcat.thread_pool.thread.port.offset | The offset to apply to port of thread. | long | | gauge |
+| apache_tomcat.thread_pool.thread.port.value | Port of thread. | long | | gauge |
+| apache_tomcat.thread_pool.thread.port.with_offset | Port of thread with offset. | long | | gauge |
+| apache_tomcat.thread_pool.thread.priority.acceptor | The priority of the acceptor thread. | double | | gauge |
+| apache_tomcat.thread_pool.thread.priority.count | Priority of thread. | double | | gauge |
+| apache_tomcat.thread_pool.thread.priority.poller | The priority of the poller threads. | double | | gauge |
+| apache_tomcat.thread_pool.thread.requests.max | Max threads from the ThreadPool, to be created by the connector and made available for requests. | double | | counter |
+| apache_tomcat.thread_pool.thread.running.min | The minimum number of threads always kept running. | double | | gauge |
+| apache_tomcat.thread_pool.thread.running.value | The status which states whether the thread is running or not. | boolean | | |
+| apache_tomcat.thread_pool.thread.selector.timeout | Selector thread's timeout. | double | | gauge |
+| apache_tomcat.thread_pool.thread.sni_parse_limit | SNI parsing limit of thread. | double | | gauge |
+| apache_tomcat.thread_pool.thread.supported.contention_monitoring | This is used to determine if a Java virtual machine supports thread contention monitoring. | boolean | | |
+| apache_tomcat.thread_pool.thread.supported.cpu.current.time | CPU time that the current thread has executed in user mode is supported or not. | boolean | | |
+| apache_tomcat.thread_pool.thread.supported.usage.object_monitor | Support of object monitor usage of thread. | boolean | | |
+| apache_tomcat.thread_pool.thread.supported.usage.synchronizer | Support of synchronizer usage. | boolean | | |
+| apache_tomcat.thread_pool.thread.total | Total threads at the JVM level (from java.lang:type=Threading). | double | | gauge |
+| apache_tomcat.thread_pool.use_inherited_channel | Returns the channel inherited from the entity that created this Java virtual machine. | boolean | | |
+| apache_tomcat.thread_pool.use_send_file | Use of sendfile will disable any compression that Tomcat may otherwise have performed on the response. | boolean | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| error.message | Error message. | match_only_text | | |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
+| tags | List of keywords used to tag each event. | keyword | | |
+
diff --git a/packages/apache_tomcat/img/apache_tomcat-access-dashboard.png b/packages/apache_tomcat/img/apache_tomcat-access-dashboard.png
index a7d0fca78c3..1f36b73bc55 100644
Binary files a/packages/apache_tomcat/img/apache_tomcat-access-dashboard.png and b/packages/apache_tomcat/img/apache_tomcat-access-dashboard.png differ
diff --git a/packages/apache_tomcat/img/apache_tomcat-catalina-localhost-dashboard.png b/packages/apache_tomcat/img/apache_tomcat-catalina-localhost-dashboard.png
index 410ce2a1c80..5ebaf349b40 100644
Binary files a/packages/apache_tomcat/img/apache_tomcat-catalina-localhost-dashboard.png and b/packages/apache_tomcat/img/apache_tomcat-catalina-localhost-dashboard.png differ
diff --git a/packages/apache_tomcat/img/apache_tomcat-connection-pool-dashboard.png b/packages/apache_tomcat/img/apache_tomcat-connection-pool-dashboard.png
new file mode 100644
index 00000000000..c93a50f81e8
Binary files /dev/null and b/packages/apache_tomcat/img/apache_tomcat-connection-pool-dashboard.png differ
diff --git a/packages/apache_tomcat/img/apache_tomcat-logs-overview-dashboard.png b/packages/apache_tomcat/img/apache_tomcat-logs-overview-dashboard.png
new file mode 100644
index 00000000000..c089d2c42f7
Binary files /dev/null and b/packages/apache_tomcat/img/apache_tomcat-logs-overview-dashboard.png differ
diff --git a/packages/apache_tomcat/img/apache_tomcat-memory-dashboard.png b/packages/apache_tomcat/img/apache_tomcat-memory-dashboard.png
new file mode 100644
index 00000000000..3b9a3ab2388
Binary files /dev/null and b/packages/apache_tomcat/img/apache_tomcat-memory-dashboard.png differ
diff --git a/packages/apache_tomcat/img/apache_tomcat-metrics-overview-dashboard.png b/packages/apache_tomcat/img/apache_tomcat-metrics-overview-dashboard.png
new file mode 100644
index 00000000000..323359faa53
Binary files /dev/null and b/packages/apache_tomcat/img/apache_tomcat-metrics-overview-dashboard.png differ
diff --git a/packages/apache_tomcat/img/apache_tomcat-session-dashboard.png b/packages/apache_tomcat/img/apache_tomcat-session-dashboard.png
new file mode 100644
index 00000000000..123c813b889
Binary files /dev/null and b/packages/apache_tomcat/img/apache_tomcat-session-dashboard.png differ
diff --git a/packages/apache_tomcat/img/apache_tomcat-thread-pool-dashboard.png b/packages/apache_tomcat/img/apache_tomcat-thread-pool-dashboard.png
new file mode 100644
index 00000000000..b3c2faab75d
Binary files /dev/null and b/packages/apache_tomcat/img/apache_tomcat-thread-pool-dashboard.png differ
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-2a331270-b8cd-11ed-a099-3791d000f969.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-2a331270-b8cd-11ed-a099-3791d000f969.json
new file mode 100644
index 00000000000..1bc2443c451
--- /dev/null
+++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-2a331270-b8cd-11ed-a099-3791d000f969.json
@@ -0,0 +1,1070 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"48036e6b-bb5f-4779-8ff2-a0affc20a119\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Host Name\",\"id\":\"48036e6b-bb5f-4779-8ff2-a0affc20a119\",\"existsSelected\":false,\"selectedOptions\":[],\"enhancements\":{}}},\"b59436ce-764c-468d-ab13-0eb522f11c5c\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"apache_tomcat.session.application_name\",\"title\":\"Application Name\",\"id\":\"b59436ce-764c-468d-ab13-0eb522f11c5c\",\"selectedOptions\":[],\"enhancements\":{},\"exclude\":true}}}"
+ },
+ "description": "This Apache Tomcat dashboard visualizes session data stream metrics.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.session"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.session"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-0175242f-2671-474a-a828-deff61e43fb6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "34b8c32b-1aaf-45de-bdb4-09081617f0c8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0175242f-2671-474a-a828-deff61e43fb6": {
+ "columnOrder": [
+ "83b48f4e-37fd-4965-a277-7fbc36cd10c4",
+ "227ea4ce-b872-4b6d-a4d6-b010fd3b7525",
+ "ebf4eedd-4933-4ed5-b63c-251ad89ce456"
+ ],
+ "columns": {
+ "227ea4ce-b872-4b6d-a4d6-b010fd3b7525": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": false,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "83b48f4e-37fd-4965-a277-7fbc36cd10c4": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Application name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ebf4eedd-4933-4ed5-b63c-251ad89ce456",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "apache_tomcat.session.application_name"
+ },
+ "ebf4eedd-4933-4ed5-b63c-251ad89ce456": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.session.create.total: *"
+ },
+ "isBucketed": false,
+ "label": "Created",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.create.total"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "34b8c32b-1aaf-45de-bdb4-09081617f0c8",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.session"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.session"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "ebf4eedd-4933-4ed5-b63c-251ad89ce456"
+ ],
+ "layerId": "0175242f-2671-474a-a828-deff61e43fb6",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "83b48f4e-37fd-4965-a277-7fbc36cd10c4",
+ "xAccessor": "227ea4ce-b872-4b6d-a4d6-b010fd3b7525"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "large",
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Sessions"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "a39adf70-8e40-4d80-a127-a1747a75be1f",
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "a39adf70-8e40-4d80-a127-a1747a75be1f",
+ "title": "Created sessions over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-85bb5555-4581-4120-ab66-6ce66aeb4066",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "fa5f9b9a-65b0-452a-bcd0-1df3a33b1b3e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "85bb5555-4581-4120-ab66-6ce66aeb4066": {
+ "columnOrder": [
+ "a97f3cfc-2145-4883-9f87-11126379918d",
+ "763d5a9f-ee92-4166-806c-8b25ee913968",
+ "1eebd32f-91cc-4ea3-83d7-4802a2b9d79c"
+ ],
+ "columns": {
+ "1eebd32f-91cc-4ea3-83d7-4802a2b9d79c": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.session.expire.total: *"
+ },
+ "isBucketed": false,
+ "label": "Expired",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.expire.total"
+ },
+ "763d5a9f-ee92-4166-806c-8b25ee913968": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "a97f3cfc-2145-4883-9f87-11126379918d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Application name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "1eebd32f-91cc-4ea3-83d7-4802a2b9d79c",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "apache_tomcat.session.application_name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "fa5f9b9a-65b0-452a-bcd0-1df3a33b1b3e",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.session"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.session"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "1eebd32f-91cc-4ea3-83d7-4802a2b9d79c"
+ ],
+ "layerId": "85bb5555-4581-4120-ab66-6ce66aeb4066",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "a97f3cfc-2145-4883-9f87-11126379918d",
+ "xAccessor": "763d5a9f-ee92-4166-806c-8b25ee913968",
+ "yConfig": [
+ {
+ "axisMode": "auto",
+ "color": "#54b399",
+ "forAccessor": "1eebd32f-91cc-4ea3-83d7-4802a2b9d79c"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "large",
+ "position": "right",
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show",
+ "valuesInLegend": true,
+ "yTitle": "Sessions"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "91d26f64-351f-420e-a37b-88a882ecba0e",
+ "w": 24,
+ "x": 24,
+ "y": 0
+ },
+ "panelIndex": "91d26f64-351f-420e-a37b-88a882ecba0e",
+ "title": "Expired sessions per application [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-57b12f03-6995-4072-8994-d512e5700ee4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "de6b5c32-5630-4877-8b24-be30c47ee9c1",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "57b12f03-6995-4072-8994-d512e5700ee4": {
+ "columnOrder": [
+ "7d7e1358-c253-4d02-bb79-fff128597de4",
+ "d2e27628-e345-4f9e-b06e-2543268355c1",
+ "0d2a1caf-d316-462a-b8bd-a05a6d058d77"
+ ],
+ "columns": {
+ "0d2a1caf-d316-462a-b8bd-a05a6d058d77": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.session.active.total: *"
+ },
+ "isBucketed": false,
+ "label": "Current active",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.active.total"
+ },
+ "7d7e1358-c253-4d02-bb79-fff128597de4": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Application name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0d2a1caf-d316-462a-b8bd-a05a6d058d77",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "apache_tomcat.session.application_name"
+ },
+ "d2e27628-e345-4f9e-b06e-2543268355c1": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "de6b5c32-5630-4877-8b24-be30c47ee9c1",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.session"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.session"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0d2a1caf-d316-462a-b8bd-a05a6d058d77"
+ ],
+ "layerId": "57b12f03-6995-4072-8994-d512e5700ee4",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "7d7e1358-c253-4d02-bb79-fff128597de4",
+ "xAccessor": "d2e27628-e345-4f9e-b06e-2543268355c1"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Sessions"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "5922510e-e6a2-4f9c-aceb-83715cc3b539",
+ "w": 24,
+ "x": 0,
+ "y": 14
+ },
+ "panelIndex": "5922510e-e6a2-4f9c-aceb-83715cc3b539",
+ "title": "Current active sessions over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "Time spent doing housekeeping and expiration for sessions",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-9b0dd57c-eb2b-434c-a7d6-21a8e5e83e8b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "efe32f1b-651c-4ce4-a1e9-06cb0cf2d5af",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "9b0dd57c-eb2b-434c-a7d6-21a8e5e83e8b": {
+ "columnOrder": [
+ "110a6317-3f6c-4522-9c5a-f66baf19cd30",
+ "5b3ec5bb-5905-4cac-bb0e-5f830e4d63cd"
+ ],
+ "columns": {
+ "110a6317-3f6c-4522-9c5a-f66baf19cd30": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Application name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "5b3ec5bb-5905-4cac-bb0e-5f830e4d63cd",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "apache_tomcat.session.application_name"
+ },
+ "5b3ec5bb-5905-4cac-bb0e-5f830e4d63cd": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.session.processing_time: *"
+ },
+ "isBucketed": false,
+ "label": "Processing time(ms)",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.processing_time"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "efe32f1b-651c-4ce4-a1e9-06cb0cf2d5af",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.session"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.session"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "5b3ec5bb-5905-4cac-bb0e-5f830e4d63cd"
+ ],
+ "layerId": "9b0dd57c-eb2b-434c-a7d6-21a8e5e83e8b",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "110a6317-3f6c-4522-9c5a-f66baf19cd30"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "2d408e1c-da52-4aed-b760-812f89f48184",
+ "w": 24,
+ "x": 24,
+ "y": 14
+ },
+ "panelIndex": "2d408e1c-da52-4aed-b760-812f89f48184",
+ "title": "Session expiration processing time [Metric Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-8533f30a-f59a-4f19-8a60-2231660778cf",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "1df29502-1178-4b06-b0c8-3009d0c3271b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8533f30a-f59a-4f19-8a60-2231660778cf": {
+ "columnOrder": [
+ "da9f5c00-8752-45b3-8ecc-d8260b2f9522",
+ "ede9710d-b7f7-40ca-91ac-4532bf0f9c26",
+ "e5699bbc-30d5-4eca-a198-bc9e0d08819b",
+ "8622a6d6-5901-49e2-a998-285029bdc82b",
+ "b90571b5-4b61-4a20-996a-f27afcf022e2"
+ ],
+ "columns": {
+ "8622a6d6-5901-49e2-a998-285029bdc82b": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.session.expire.total: *"
+ },
+ "isBucketed": false,
+ "label": "Expired",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.expire.total"
+ },
+ "b90571b5-4b61-4a20-996a-f27afcf022e2": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.session.rejected.count: *"
+ },
+ "isBucketed": false,
+ "label": "Rejected",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.rejected.count"
+ },
+ "da9f5c00-8752-45b3-8ecc-d8260b2f9522": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Application name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ede9710d-b7f7-40ca-91ac-4532bf0f9c26",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "apache_tomcat.session.application_name"
+ },
+ "e5699bbc-30d5-4eca-a198-bc9e0d08819b": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.session.active.total: *"
+ },
+ "isBucketed": false,
+ "label": "Current active",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.active.total"
+ },
+ "ede9710d-b7f7-40ca-91ac-4532bf0f9c26": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.session.create.total: *"
+ },
+ "isBucketed": false,
+ "label": "Created",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.create.total"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "1df29502-1178-4b06-b0c8-3009d0c3271b",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.session"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.session"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "da9f5c00-8752-45b3-8ecc-d8260b2f9522",
+ "isTransposed": false
+ },
+ {
+ "alignment": "center",
+ "columnId": "e5699bbc-30d5-4eca-a198-bc9e0d08819b",
+ "isTransposed": false
+ },
+ {
+ "alignment": "center",
+ "columnId": "ede9710d-b7f7-40ca-91ac-4532bf0f9c26",
+ "isTransposed": false
+ },
+ {
+ "alignment": "center",
+ "columnId": "8622a6d6-5901-49e2-a998-285029bdc82b",
+ "isTransposed": false
+ },
+ {
+ "alignment": "center",
+ "columnId": "b90571b5-4b61-4a20-996a-f27afcf022e2",
+ "isTransposed": false
+ }
+ ],
+ "headerRowHeight": "auto",
+ "layerId": "8533f30a-f59a-4f19-8a60-2231660778cf",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "auto"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "8ce83532-0623-4974-9280-b6c56c6b0c27",
+ "w": 48,
+ "x": 0,
+ "y": 28
+ },
+ "panelIndex": "8ce83532-0623-4974-9280-b6c56c6b0c27",
+ "title": "Sessions overview [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Metrics Apache Tomcat] Session",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-06-09T11:27:22.150Z",
+ "id": "apache_tomcat-2a331270-b8cd-11ed-a099-3791d000f969",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "a39adf70-8e40-4d80-a127-a1747a75be1f:indexpattern-datasource-layer-0175242f-2671-474a-a828-deff61e43fb6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "a39adf70-8e40-4d80-a127-a1747a75be1f:34b8c32b-1aaf-45de-bdb4-09081617f0c8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "91d26f64-351f-420e-a37b-88a882ecba0e:indexpattern-datasource-layer-85bb5555-4581-4120-ab66-6ce66aeb4066",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "91d26f64-351f-420e-a37b-88a882ecba0e:fa5f9b9a-65b0-452a-bcd0-1df3a33b1b3e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5922510e-e6a2-4f9c-aceb-83715cc3b539:indexpattern-datasource-layer-57b12f03-6995-4072-8994-d512e5700ee4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5922510e-e6a2-4f9c-aceb-83715cc3b539:de6b5c32-5630-4877-8b24-be30c47ee9c1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "2d408e1c-da52-4aed-b760-812f89f48184:indexpattern-datasource-layer-9b0dd57c-eb2b-434c-a7d6-21a8e5e83e8b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "2d408e1c-da52-4aed-b760-812f89f48184:efe32f1b-651c-4ce4-a1e9-06cb0cf2d5af",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "8ce83532-0623-4974-9280-b6c56c6b0c27:indexpattern-datasource-layer-8533f30a-f59a-4f19-8a60-2231660778cf",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "8ce83532-0623-4974-9280-b6c56c6b0c27:1df29502-1178-4b06-b0c8-3009d0c3271b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_48036e6b-bb5f-4779-8ff2-a0affc20a119:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_b59436ce-764c-468d-ab13-0eb522f11c5c:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
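Review bot: The fourth panel's title reads `Session expiration processing time [Metric Apache Tomcat]` while every other panel and the dashboard title itself use the `[Metrics Apache Tomcat]` suffix; change it to `"title": "Session expiration processing time [Metrics Apache Tomcat]"`. The Application Name control in `controlGroupInput.panelsJSON` carries `\"exclude\":true`, which — if this is the options-list exclusion mode — would turn any value a user picks into a negative filter rather than a selection; that looks unintended, since the Host Name control and the per-panel `event.dataset` filters all include rather than exclude, so please confirm. Two Lens visualizations still carry the editor default `"title": "Empty XY chart"`, and the three `date_histogram` columns disagree on `dropPartials`/`includeEmptyRows` (`false/false`, `true/true`, `false/true`), so the three time-series panels will render gaps and partial buckets differently for the same data. The file is also committed without a trailing newline.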
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223.json
index 8601541b992..171f69ec4b9 100644
--- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223.json
+++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223.json
@@ -52,12 +52,12 @@
},
{
"id": "logs-*",
- "name": "ea2ab93a-4a2f-433e-81ea-74069ab85ae2",
+ "name": "167c0497-503a-417c-a30c-768525e8b8dc",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "6325ecc7-745a-4885-8e55-673da3cc467f",
+ "name": "8c6e9f3c-a1db-4cf0-8b30-1d860be11d98",
"type": "index-pattern"
}
],
@@ -132,7 +132,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "ea2ab93a-4a2f-433e-81ea-74069ab85ae2",
+ "index": "167c0497-503a-417c-a30c-768525e8b8dc",
"key": "event.dataset",
"negate": false,
"params": {
@@ -154,7 +154,7 @@
"alias": null,
"disabled": false,
"field": "http.response.status_code",
- "index": "6325ecc7-745a-4885-8e55-673da3cc467f",
+ "index": "8c6e9f3c-a1db-4cf0-8b30-1d860be11d98",
"key": "http.response.status_code",
"negate": false,
"params": {
@@ -791,6 +791,7 @@
{
"embeddableConfig": {
"attributes": {
+ "description": "",
"references": [
{
"id": "logs-*",
@@ -799,7 +800,12 @@
},
{
"id": "logs-*",
- "name": "1f241a4d-3837-4d53-a4e2-d6b3b23f0966",
+ "name": "4b8a9e86-71d4-4b03-9049-bf28ec63ac90",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8d346bac-67c0-4aed-ad35-3a5693fc2836",
"type": "index-pattern"
}
],
@@ -845,7 +851,7 @@
"dataType": "number",
"filter": {
"language": "kuery",
- "query": "http.response.status_code \u003e= 400 and http.response.status_code \u003c600"
+ "query": ""
},
"isBucketed": false,
"label": "Count",
@@ -874,7 +880,7 @@
"meta": {
"alias": null,
"disabled": false,
- "index": "1f241a4d-3837-4d53-a4e2-d6b3b23f0966",
+ "index": "4b8a9e86-71d4-4b03-9049-bf28ec63ac90",
"key": "event.dataset",
"negate": false,
"params": {
@@ -887,6 +893,36 @@
"event.dataset": "apache_tomcat.access"
}
}
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "http.response.status_code",
+ "index": "8d346bac-67c0-4aed-ad35-3a5693fc2836",
+ "key": "http.response.status_code",
+ "negate": false,
+ "params": {
+ "gte": "400",
+ "lt": "599"
+ },
+ "type": "range",
+ "value": {
+ "gte": "400",
+ "lt": "599"
+ }
+ },
+ "query": {
+ "range": {
+ "http.response.status_code": {
+ "gte": "400",
+ "lt": "599"
+ }
+ }
+ }
}
],
"internalReferences": [],
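Review bot: The new range filter bounds the error-status panel with `"gte": "400", "lt": "599"`, which silently drops status code 599, whereas the kuery it replaces in the `@@ -845` hunk (`http.response.status_code >= 400 and http.response.status_code <600`) covered it; use `"lt": "600"` (or `"lte": "599"`) consistently in `meta.params`, `meta.value` and `query.range` so the three copies stay in agreement. The retitled panel now explicitly promises Client(4xx) and Server(5xx) codes, so the upper bound should match that claim. The bounds are also stored as strings on a field the removed kuery compared numerically; if the saved-object format allows numeric literals here, they would be the less ambiguous representation.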
@@ -930,7 +966,7 @@
"y": 30
},
"panelIndex": "911f0638-46a9-4967-b588-a05fddc3ed62",
- "title": "Distribution by HTTP Client and Server error status code [Logs Apache Tomcat]",
+ "title": "Distribution by HTTP Client(4xx) and Server(5xx) error status code [Logs Apache Tomcat]",
"type": "lens",
"version": "8.7.0"
},
@@ -1204,7 +1240,8 @@
},
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
@@ -1224,7 +1261,7 @@
"version": 1
},
"coreMigrationVersion": "8.7.0",
- "created_at": "2023-05-08T13:43:13.601Z",
+ "created_at": "2023-07-24T12:48:07.116Z",
"id": "apache_tomcat-44a8e0d0-b8f5-11ed-ac9b-cb6bcd97d223",
"migrationVersion": {
"dashboard": "8.7.0"
@@ -1242,12 +1279,12 @@
},
{
"id": "logs-*",
- "name": "af3cd65d-02e9-477c-8b3b-45f4b717a982:ea2ab93a-4a2f-433e-81ea-74069ab85ae2",
+ "name": "af3cd65d-02e9-477c-8b3b-45f4b717a982:167c0497-503a-417c-a30c-768525e8b8dc",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "af3cd65d-02e9-477c-8b3b-45f4b717a982:6325ecc7-745a-4885-8e55-673da3cc467f",
+ "name": "af3cd65d-02e9-477c-8b3b-45f4b717a982:8c6e9f3c-a1db-4cf0-8b30-1d860be11d98",
"type": "index-pattern"
},
{
@@ -1297,7 +1334,12 @@
},
{
"id": "logs-*",
- "name": "911f0638-46a9-4967-b588-a05fddc3ed62:1f241a4d-3837-4d53-a4e2-d6b3b23f0966",
+ "name": "911f0638-46a9-4967-b588-a05fddc3ed62:4b8a9e86-71d4-4b03-9049-bf28ec63ac90",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "911f0638-46a9-4967-b588-a05fddc3ed62:8d346bac-67c0-4aed-ad35-3a5693fc2836",
"type": "index-pattern"
},
{
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-5b24a9c0-0e86-11ee-8c11-879004e1a267.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-5b24a9c0-0e86-11ee-8c11-879004e1a267.json
new file mode 100644
index 00000000000..9bb4ee02c9c
--- /dev/null
+++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-5b24a9c0-0e86-11ee-8c11-879004e1a267.json
@@ -0,0 +1,982 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"77e2e883-4872-4992-80ef-ad4bce414173\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"77e2e883-4872-4992-80ef-ad4bce414173\",\"fieldName\":\"service.address\",\"title\":\"Host Name\",\"enhancements\":{},\"singleSelect\":true}},\"1d674dc5-5d99-4ffc-80ab-8d55f3c9961b\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"1d674dc5-5d99-4ffc-80ab-8d55f3c9961b\",\"fieldName\":\"apache_tomcat.thread_pool.nio_connector\",\"title\":\"Nio Connector\",\"enhancements\":{},\"singleSelect\":true}}}"
+ },
+ "description": "This Apache Tomcat dashboard visualizes Thread Pool data stream metrics.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.thread_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.thread_pool"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-05b7c993-53aa-433b-9754-7c1d297dbbad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "37c53ea7-8de0-4acb-955f-38c67bd51b0a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "05b7c993-53aa-433b-9754-7c1d297dbbad": {
+ "columnOrder": [
+ "959d96eb-d216-4f84-8c5c-4cafd358cb48"
+ ],
+ "columns": {
+ "959d96eb-d216-4f84-8c5c-4cafd358cb48": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.total: *"
+ },
+ "isBucketed": false,
+ "label": "Total threads",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.total"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "37c53ea7-8de0-4acb-955f-38c67bd51b0a",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.thread_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.thread_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#FFFFFF",
+ "layerId": "05b7c993-53aa-433b-9754-7c1d297dbbad",
+ "layerType": "data",
+ "metricAccessor": "959d96eb-d216-4f84-8c5c-4cafd358cb48",
+ "showBar": false
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "description": "Total number of created or started threads at JVM level (from java.lang:type=Threading).",
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 10,
+ "i": "f9c94977-dd52-43b4-922f-4341aacacf07",
+ "w": 9,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "f9c94977-dd52-43b4-922f-4341aacacf07",
+ "title": "Total threads [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-a6c3093d-5a17-4f06-831e-4bc8428628cf",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5b583af7-2a44-43ac-b787-9d6fc93f6374",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "a6c3093d-5a17-4f06-831e-4bc8428628cf": {
+ "columnOrder": [
+ "8b8f505d-9584-47f2-a09c-f5f0ba2c2bca",
+ "954c993d-42e0-4b02-8b56-fcfd5cbcab88",
+ "8471118f-6052-464a-9837-55cd8d147d9e",
+ "be178c96-9061-49bc-84af-9e82883a5dcf",
+ "27fb64e4-2a65-4aff-944e-0ae665894c3c",
+ "bbd32239-3193-47dd-913d-272d1040ef26"
+ ],
+ "columns": {
+ "27fb64e4-2a65-4aff-944e-0ae665894c3c": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.active.count: *"
+ },
+ "isBucketed": false,
+ "label": "Active",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.active.count"
+ },
+ "8471118f-6052-464a-9837-55cd8d147d9e": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.current.busy: *"
+ },
+ "isBucketed": false,
+ "label": "Busy",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.current.busy"
+ },
+ "8b8f505d-9584-47f2-a09c-f5f0ba2c2bca": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "954c993d-42e0-4b02-8b56-fcfd5cbcab88": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.current.count: *"
+ },
+ "isBucketed": false,
+ "label": "Current",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.current.count"
+ },
+ "bbd32239-3193-47dd-913d-272d1040ef26": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.peak.count: *"
+ },
+ "isBucketed": false,
+ "label": "Peak",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.peak.count"
+ },
+ "be178c96-9061-49bc-84af-9e82883a5dcf": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.daemon.count: *"
+ },
+ "isBucketed": false,
+ "label": "Daemon",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.daemon.count"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "5b583af7-2a44-43ac-b787-9d6fc93f6374",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.thread_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.thread_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "954c993d-42e0-4b02-8b56-fcfd5cbcab88",
+ "be178c96-9061-49bc-84af-9e82883a5dcf",
+ "8471118f-6052-464a-9837-55cd8d147d9e",
+ "27fb64e4-2a65-4aff-944e-0ae665894c3c",
+ "bbd32239-3193-47dd-913d-272d1040ef26"
+ ],
+ "layerId": "a6c3093d-5a17-4f06-831e-4bc8428628cf",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "8b8f505d-9584-47f2-a09c-f5f0ba2c2bca"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Count"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "Active threads represent Current active threads at the JVM level (from java.lang:type=Threading), Current threads represent Current number of threads that are taken from the ThreadPool and Peak threads represent Peak threads at the JVM level (from java.lang:type=Threading)",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 10,
+ "i": "29239466-a1a0-456b-a1f8-5209e6c26339",
+ "w": 39,
+ "x": 9,
+ "y": 4
+ },
+ "panelIndex": "29239466-a1a0-456b-a1f8-5209e6c26339",
+ "title": "Threads count by state over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-1f96fdb7-93b8-4ced-9765-f891869c6b47",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e1e0cfc0-ff9f-4f4c-924a-a4d5ebc4d2ee",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "2a8c013c-a759-4b11-81f2-65a7797491c7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "1f96fdb7-93b8-4ced-9765-f891869c6b47": {
+ "columnOrder": [
+ "252c4f53-feef-4ec8-a461-c51904bfb922",
+ "eecc178b-3354-4d0f-a1b8-6c9f310c0435"
+ ],
+ "columns": {
+ "252c4f53-feef-4ec8-a461-c51904bfb922": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "eecc178b-3354-4d0f-a1b8-6c9f310c0435": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.connection.count: *"
+ },
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.connection.count"
+ }
+ },
+ "incompleteColumns": {},
+ "linkToLayers": [],
+ "sampling": 1
+ },
+ "e1e0cfc0-ff9f-4f4c-924a-a4d5ebc4d2ee": {
+ "columnOrder": [
+ "f4bd05a0-a4cc-4750-8410-005076687bcd",
+ "c721065e-935e-481e-8a3e-abd99147d6d4"
+ ],
+ "columns": {
+ "c721065e-935e-481e-8a3e-abd99147d6d4": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.connection.max: *"
+ },
+ "isBucketed": false,
+ "label": "Max",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.connection.max"
+ },
+ "f4bd05a0-a4cc-4750-8410-005076687bcd": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "2a8c013c-a759-4b11-81f2-65a7797491c7",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.thread_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.thread_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "c721065e-935e-481e-8a3e-abd99147d6d4"
+ ],
+ "layerId": "e1e0cfc0-ff9f-4f4c-924a-a4d5ebc4d2ee",
+ "layerType": "data",
+ "seriesType": "line",
+ "xAccessor": "f4bd05a0-a4cc-4750-8410-005076687bcd",
+ "yConfig": [
+ {
+ "color": "#e7664c",
+ "forAccessor": "c721065e-935e-481e-8a3e-abd99147d6d4"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "eecc178b-3354-4d0f-a1b8-6c9f310c0435"
+ ],
+ "layerId": "1f96fdb7-93b8-4ced-9765-f891869c6b47",
+ "layerType": "data",
+ "seriesType": "area",
+ "xAccessor": "252c4f53-feef-4ec8-a461-c51904bfb922",
+ "yConfig": [
+ {
+ "color": "#54b399",
+ "forAccessor": "eecc178b-3354-4d0f-a1b8-6c9f310c0435"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Connections"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 11,
+ "i": "a4b1a059-57c5-469a-9c83-936263c4c73c",
+ "w": 48,
+ "x": 0,
+ "y": 11
+ },
+ "panelIndex": "a4b1a059-57c5-469a-9c83-936263c4c73c",
+ "title": "Number of connections over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-76459985-8ced-4307-8994-b36fcde849cc",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "d2a87cd7-ddfb-45b0-81cd-64a63f6b2290",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "76459985-8ced-4307-8994-b36fcde849cc": {
+ "columnOrder": [
+ "c1982a59-1a97-48a0-b4ca-e19acaf9dac4",
+ "ec31966f-73dd-41db-b36b-c9a378fd3c37"
+ ],
+ "columns": {
+ "c1982a59-1a97-48a0-b4ca-e19acaf9dac4": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ec31966f-73dd-41db-b36b-c9a378fd3c37": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.current.allocated.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Allocated bytes in current threads",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.current.allocated.bytes"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d2a87cd7-ddfb-45b0-81cd-64a63f6b2290",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.thread_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.thread_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "ec31966f-73dd-41db-b36b-c9a378fd3c37"
+ ],
+ "layerId": "76459985-8ced-4307-8994-b36fcde849cc",
+ "layerType": "data",
+ "seriesType": "line",
+ "xAccessor": "c1982a59-1a97-48a0-b4ca-e19acaf9dac4"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yTitle": "Bytes"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 11,
+ "i": "31540e97-068b-4767-b7bd-373d35f8c6fe",
+ "w": 48,
+ "x": 0,
+ "y": 22
+ },
+ "panelIndex": "31540e97-068b-4767-b7bd-373d35f8c6fe",
+ "title": "Allocated bytes in current threads over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "Time that the private internal executor will wait for request processing threads to terminate before continuing with the process of stopping the connector.",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b6e6d14b-5440-4a1c-882f-a698d66eacfb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "9bb893c7-c116-49ed-99b8-2e35efd24bf3",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b6e6d14b-5440-4a1c-882f-a698d66eacfb": {
+ "columnOrder": [
+ "20c1d4cc-f690-485c-93ef-5dd9c3e7e245",
+ "396ec4b2-d505-431b-8598-239292105dfa"
+ ],
+ "columns": {
+ "20c1d4cc-f690-485c-93ef-5dd9c3e7e245": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "396ec4b2-d505-431b-8598-239292105dfa": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.executor_termination.timeout.ms: *"
+ },
+ "isBucketed": false,
+ "label": "Time (ms)",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.executor_termination.timeout.ms"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "9bb893c7-c116-49ed-99b8-2e35efd24bf3",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.thread_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.thread_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "396ec4b2-d505-431b-8598-239292105dfa"
+ ],
+ "layerId": "b6e6d14b-5440-4a1c-882f-a698d66eacfb",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "20c1d4cc-f690-485c-93ef-5dd9c3e7e245"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "Time that the private internal executor will wait for request processing threads to terminate before continuing with the process of stopping the connector.",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 11,
+ "i": "5756b1ad-a32f-4248-8337-9cce4fb74b3e",
+ "w": 48,
+ "x": 0,
+ "y": 33
+ },
+ "panelIndex": "5756b1ad-a32f-4248-8337-9cce4fb74b3e",
+ "title": "Processing threads termination time over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Metrics Apache Tomcat] Thread Pool",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-19T08:01:33.946Z",
+ "id": "apache_tomcat-5b24a9c0-0e86-11ee-8c11-879004e1a267",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f9c94977-dd52-43b4-922f-4341aacacf07:indexpattern-datasource-layer-05b7c993-53aa-433b-9754-7c1d297dbbad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f9c94977-dd52-43b4-922f-4341aacacf07:37c53ea7-8de0-4acb-955f-38c67bd51b0a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "29239466-a1a0-456b-a1f8-5209e6c26339:indexpattern-datasource-layer-a6c3093d-5a17-4f06-831e-4bc8428628cf",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "29239466-a1a0-456b-a1f8-5209e6c26339:5b583af7-2a44-43ac-b787-9d6fc93f6374",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "a4b1a059-57c5-469a-9c83-936263c4c73c:indexpattern-datasource-layer-1f96fdb7-93b8-4ced-9765-f891869c6b47",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "a4b1a059-57c5-469a-9c83-936263c4c73c:indexpattern-datasource-layer-e1e0cfc0-ff9f-4f4c-924a-a4d5ebc4d2ee",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "a4b1a059-57c5-469a-9c83-936263c4c73c:2a8c013c-a759-4b11-81f2-65a7797491c7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "31540e97-068b-4767-b7bd-373d35f8c6fe:indexpattern-datasource-layer-76459985-8ced-4307-8994-b36fcde849cc",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "31540e97-068b-4767-b7bd-373d35f8c6fe:d2a87cd7-ddfb-45b0-81cd-64a63f6b2290",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5756b1ad-a32f-4248-8337-9cce4fb74b3e:indexpattern-datasource-layer-b6e6d14b-5440-4a1c-882f-a698d66eacfb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5756b1ad-a32f-4248-8337-9cce4fb74b3e:9bb893c7-c116-49ed-99b8-2e35efd24bf3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_77e2e883-4872-4992-80ef-ad4bce414173:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_1d674dc5-5d99-4ffc-80ab-8d55f3c9961b:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
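Review bot: Two lens panels in the new dashboard still carry the Lens default `"title": "Empty XY chart"` in their visualization state (the "Threads count by state over time" and "Processing threads termination time over time" panels), whereas the other XY panels omit the key; it is harmless at render time but reads as an unfinished export and should be dropped for consistency. The `event.dataset` filters of the "Allocated bytes in current threads" and "Processing threads termination time" panels lack the `"field": "event.dataset"` entry in `meta` that the first three panels include. The executor-termination description is duplicated verbatim at both `attributes.description` and the panel-level `description`, unlike the other panels which keep `attributes.description` empty, so one copy should go before the two drift apart. The `"y": 4` placement of the "Threads count by state" panel (x 9, h 10) appears to overlap the full-width "Number of connections" panel starting at y 11, so Kibana will presumably reflow it; `"y": 0` looks intended. The file also ends without a trailing newline.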
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8.json
new file mode 100644
index 00000000000..71bf9e6dd49
--- /dev/null
+++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8.json
@@ -0,0 +1,702 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"fc0ca4ed-ecfc-4255-a799-24675b4a1206\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"fc0ca4ed-ecfc-4255-a799-24675b4a1206\",\"fieldName\":\"agent.name\",\"title\":\"Agent Name\",\"singleSelect\":false,\"enhancements\":{}}}}"
+ },
+ "description": "This Apache Tomcat dashboard visualizes all logs data streams.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.module",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.module",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.module": "apache_tomcat"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b6532743-79d3-4ab0-bdfa-fff8aa69c7a9",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "55ba9c87-2de6-468b-ae00-ab24cdb6c2d7": {
+ "columnOrder": [
+ "932c5d98-32f4-4a94-9051-563bcd1931fa",
+ "9fb85e3f-ca9d-47db-b236-88d3e03e5fff"
+ ],
+ "columns": {
+ "932c5d98-32f4-4a94-9051-563bcd1931fa": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": true,
+ "label": "HTTP Status Code",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9fb85e3f-ca9d-47db-b236-88d3e03e5fff",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "http.response.status_code"
+ },
+ "9fb85e3f-ca9d-47db-b236-88d3e03e5fff": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "b6532743-79d3-4ab0-bdfa-fff8aa69c7a9",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.access"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.access"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "emptySizeRatio": 0.3,
+ "layerId": "55ba9c87-2de6-468b-ae00-ab24cdb6c2d7",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "9fb85e3f-ca9d-47db-b236-88d3e03e5fff"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "932c5d98-32f4-4a94-9051-563bcd1931fa"
+ ]
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "b089289a-38be-4f6f-8519-ef9b20a77409",
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "b089289a-38be-4f6f-8519-ef9b20a77409",
+ "title": "Distribution by HTTP status code [Logs Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "25ce66fb-534d-42a3-9baf-e3c7768ee2d6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "adb3c9a7-d289-4c05-9c2b-0791a5c482ff",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "55ba9c87-2de6-468b-ae00-ab24cdb6c2d7": {
+ "columnOrder": [
+ "932c5d98-32f4-4a94-9051-563bcd1931fa",
+ "9fb85e3f-ca9d-47db-b236-88d3e03e5fff"
+ ],
+ "columns": {
+ "932c5d98-32f4-4a94-9051-563bcd1931fa": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": true,
+ "label": "HTTP Status Code",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9fb85e3f-ca9d-47db-b236-88d3e03e5fff",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "http.response.status_code"
+ },
+ "9fb85e3f-ca9d-47db-b236-88d3e03e5fff": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "25ce66fb-534d-42a3-9baf-e3c7768ee2d6",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.access"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.access"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "http.response.status_code",
+ "index": "adb3c9a7-d289-4c05-9c2b-0791a5c482ff",
+ "key": "http.response.status_code",
+ "negate": false,
+ "params": {
+ "gte": "400",
+ "lt": "599"
+ },
+ "type": "range",
+ "value": {
+ "gte": "400",
+ "lt": "599"
+ }
+ },
+ "query": {
+ "range": {
+ "http.response.status_code": {
+ "gte": "400",
+ "lt": "599"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "emptySizeRatio": 0.3,
+ "layerId": "55ba9c87-2de6-468b-ae00-ab24cdb6c2d7",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "9fb85e3f-ca9d-47db-b236-88d3e03e5fff"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "932c5d98-32f4-4a94-9051-563bcd1931fa"
+ ]
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d",
+ "w": 24,
+ "x": 24,
+ "y": 0
+ },
+ "panelIndex": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d",
+ "title": "Distribution by HTTP Client(4xx) and Server(5xx) error status code [Logs Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d30a1b56-5918-4732-850a-381fab2c59fb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "44d71f68-2675-4ed4-adb5-9f2bdce23a3a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cfb45038-17c1-40f9-b31e-916d1eefc5c6",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d30a1b56-5918-4732-850a-381fab2c59fb": {
+ "columnOrder": [
+ "daff9bcb-6674-42f0-a1eb-2d9cada6a05f",
+ "cfc457cd-293c-4d73-8513-899d7d32f03d",
+ "10a85224-53f8-4655-9305-57d024227f99"
+ ],
+ "columns": {
+ "10a85224-53f8-4655-9305-57d024227f99": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Error count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "cfc457cd-293c-4d73-8513-899d7d32f03d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "URLs",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "10a85224-53f8-4655-9305-57d024227f99",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "url.original"
+ },
+ "daff9bcb-6674-42f0-a1eb-2d9cada6a05f": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Host",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "10a85224-53f8-4655-9305-57d024227f99",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "44d71f68-2675-4ed4-adb5-9f2bdce23a3a",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.access"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.access"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "http.response.status_code",
+ "index": "cfb45038-17c1-40f9-b31e-916d1eefc5c6",
+ "key": "http.response.status_code",
+ "negate": false,
+ "params": {
+ "gte": "400",
+ "lt": "600"
+ },
+ "type": "range",
+ "value": {
+ "gte": "400",
+ "lt": "600"
+ }
+ },
+ "query": {
+ "range": {
+ "http.response.status_code": {
+ "gte": "400",
+ "lt": "600"
+ }
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "center",
+ "columnId": "10a85224-53f8-4655-9305-57d024227f99",
+ "isTransposed": false
+ },
+ {
+ "alignment": "left",
+ "columnId": "daff9bcb-6674-42f0-a1eb-2d9cada6a05f",
+ "isTransposed": false,
+ "oneClickFilter": false
+ },
+ {
+ "alignment": "left",
+ "columnId": "cfc457cd-293c-4d73-8513-899d7d32f03d",
+ "isTransposed": false,
+ "oneClickFilter": true
+ }
+ ],
+ "headerRowHeight": "auto",
+ "layerId": "d30a1b56-5918-4732-850a-381fab2c59fb",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "auto"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7",
+ "w": 48,
+ "x": 0,
+ "y": 15
+ },
+ "panelIndex": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7",
+ "title": "Top error causing URLs with hosts [Logs Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f02e494c-1b62-407e-a402-7799e9fab580",
+ "w": 48,
+ "x": 0,
+ "y": 30
+ },
+ "panelIndex": "f02e494c-1b62-407e-a402-7799e9fab580",
+ "panelRefName": "panel_f02e494c-1b62-407e-a402-7799e9fab580",
+ "title": "Catalina Logs overview [Logs Apache Tomcat]",
+ "type": "search",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "9940557b-4932-4f76-8aec-029ddac34539",
+ "w": 48,
+ "x": 0,
+ "y": 45
+ },
+ "panelIndex": "9940557b-4932-4f76-8aec-029ddac34539",
+ "panelRefName": "panel_9940557b-4932-4f76-8aec-029ddac34539",
+ "title": "Localhost Logs overview [Logs Apache Tomcat]",
+ "type": "search",
+ "version": "8.7.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Apache Tomcat] Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-24T12:48:07.116Z",
+ "id": "apache_tomcat-8fd54a20-1f0d-11ee-9d6b-bb41d08322c8",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b089289a-38be-4f6f-8519-ef9b20a77409:indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b089289a-38be-4f6f-8519-ef9b20a77409:b6532743-79d3-4ab0-bdfa-fff8aa69c7a9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d:indexpattern-datasource-layer-55ba9c87-2de6-468b-ae00-ab24cdb6c2d7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d:25ce66fb-534d-42a3-9baf-e3c7768ee2d6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2f7de9ea-b38c-4a20-9f50-2c50f76f450d:adb3c9a7-d289-4c05-9c2b-0791a5c482ff",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7:indexpattern-datasource-layer-d30a1b56-5918-4732-850a-381fab2c59fb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7:44d71f68-2675-4ed4-adb5-9f2bdce23a3a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e87fc489-df1a-4f67-9d91-7b3383fcb8c7:cfb45038-17c1-40f9-b31e-916d1eefc5c6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195",
+ "name": "f02e494c-1b62-407e-a402-7799e9fab580:panel_f02e494c-1b62-407e-a402-7799e9fab580",
+ "type": "search"
+ },
+ {
+ "id": "apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c",
+ "name": "9940557b-4932-4f76-8aec-029ddac34539:panel_9940557b-4932-4f76-8aec-029ddac34539",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_fc0ca4ed-ecfc-4255-a799-24675b4a1206:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195.json
index b837b64fbc1..3e2812e7449 100644
--- a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195.json
+++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195.json
@@ -205,9 +205,9 @@
"hidePanelTitles": false
},
"gridData": {
- "h": 15,
+ "h": 14,
"i": "ce217a0a-1038-4867-b22b-c51765d12c99",
- "w": 17,
+ "w": 24,
"x": 0,
"y": 0
},
@@ -216,27 +216,10 @@
"type": "lens",
"version": "8.7.0"
},
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false
- },
- "gridData": {
- "h": 15,
- "i": "8901474e-f646-4eb9-b734-667804d70207",
- "w": 31,
- "x": 17,
- "y": 15
- },
- "panelIndex": "8901474e-f646-4eb9-b734-667804d70207",
- "panelRefName": "panel_8901474e-f646-4eb9-b734-667804d70207",
- "title": "Localhost Logs overview [Logs Apache Tomcat]",
- "type": "search",
- "version": "8.7.0"
- },
{
"embeddableConfig": {
"attributes": {
+ "description": "",
"references": [
{
"id": "logs-*",
@@ -245,7 +228,7 @@
},
{
"id": "logs-*",
- "name": "3cff818b-98f7-499c-bb64-5feae903ac17",
+ "name": "1fb283e4-af20-4f0b-b875-baaaacd84281",
"type": "index-pattern"
}
],
@@ -317,7 +300,7 @@
"alias": null,
"disabled": false,
"field": "event.dataset",
- "index": "3cff818b-98f7-499c-bb64-5feae903ac17",
+ "index": "1fb283e4-af20-4f0b-b875-baaaacd84281",
"key": "event.dataset",
"negate": false,
"params": {
@@ -344,7 +327,6 @@
"layerId": "996302ea-5ca4-458a-b92b-8b1c8e76adf6",
"layerType": "data",
"legendDisplay": "show",
- "legendSize": "small",
"metrics": [
"0ef3cc80-154a-4270-a59b-e47e5916cba5"
],
@@ -367,11 +349,11 @@
"hidePanelTitles": false
},
"gridData": {
- "h": 15,
+ "h": 14,
"i": "e48f4633-1502-44e1-b093-2b9bc378d24c",
- "w": 17,
- "x": 0,
- "y": 15
+ "w": 24,
+ "x": 24,
+ "y": 0
},
"panelIndex": "e48f4633-1502-44e1-b093-2b9bc378d24c",
"title": "Distribution of Localhost events by log level [Logs Apache Tomcat]",
@@ -384,17 +366,35 @@
"hidePanelTitles": false
},
"gridData": {
- "h": 15,
+ "h": 14,
"i": "e9897b3c-32b2-4c12-9510-4e1685ecb611",
- "w": 31,
- "x": 17,
- "y": 0
+ "w": 48,
+ "x": 0,
+ "y": 14
},
"panelIndex": "e9897b3c-32b2-4c12-9510-4e1685ecb611",
"panelRefName": "panel_e9897b3c-32b2-4c12-9510-4e1685ecb611",
"title": "Catalina Logs overview [Logs Apache Tomcat]",
"type": "search",
"version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "8901474e-f646-4eb9-b734-667804d70207",
+ "w": 48,
+ "x": 0,
+ "y": 28
+ },
+ "panelIndex": "8901474e-f646-4eb9-b734-667804d70207",
+ "panelRefName": "panel_8901474e-f646-4eb9-b734-667804d70207",
+ "title": "Localhost Logs overview [Logs Apache Tomcat]",
+ "type": "search",
+ "version": "8.7.0"
}
],
"timeRestore": false,
@@ -402,7 +402,7 @@
"version": 1
},
"coreMigrationVersion": "8.7.0",
- "created_at": "2023-05-09T09:59:39.804Z",
+ "created_at": "2023-07-24T10:47:18.401Z",
"id": "apache_tomcat-9c66eb10-dd0c-11ed-9f4f-d97c9f37d195",
"migrationVersion": {
"dashboard": "8.7.0"
@@ -423,11 +423,6 @@
"name": "ce217a0a-1038-4867-b22b-c51765d12c99:be7a31fc-fdbf-4791-81bc-e7c6f7fd4e72",
"type": "index-pattern"
},
- {
- "id": "apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c",
- "name": "8901474e-f646-4eb9-b734-667804d70207:panel_8901474e-f646-4eb9-b734-667804d70207",
- "type": "search"
- },
{
"id": "logs-*",
"name": "e48f4633-1502-44e1-b093-2b9bc378d24c:indexpattern-datasource-layer-996302ea-5ca4-458a-b92b-8b1c8e76adf6",
@@ -435,13 +430,18 @@
},
{
"id": "logs-*",
- "name": "e48f4633-1502-44e1-b093-2b9bc378d24c:3cff818b-98f7-499c-bb64-5feae903ac17",
+ "name": "e48f4633-1502-44e1-b093-2b9bc378d24c:1fb283e4-af20-4f0b-b875-baaaacd84281",
"type": "index-pattern"
},
{
"id": "apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195",
"name": "e9897b3c-32b2-4c12-9510-4e1685ecb611:panel_e9897b3c-32b2-4c12-9510-4e1685ecb611",
"type": "search"
+ },
+ {
+ "id": "apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c",
+ "name": "8901474e-f646-4eb9-b734-667804d70207:panel_8901474e-f646-4eb9-b734-667804d70207",
+ "type": "search"
}
],
"type": "dashboard"
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-af7759b0-0a75-11ee-a8d8-d15950a587f6.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-af7759b0-0a75-11ee-a8d8-d15950a587f6.json
new file mode 100644
index 00000000000..dde26173ef3
--- /dev/null
+++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-af7759b0-0a75-11ee-a8d8-d15950a587f6.json
@@ -0,0 +1,499 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"3503af0f-80d1-487e-8fa3-e470f20f9f8b\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"3503af0f-80d1-487e-8fa3-e470f20f9f8b\",\"fieldName\":\"service.address\",\"title\":\"Host Name\",\"enhancements\":{},\"singleSelect\":true}},\"80f0e8b9-8077-4aec-bcea-2cc806ff57ed\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"80f0e8b9-8077-4aec-bcea-2cc806ff57ed\",\"fieldName\":\"apache_tomcat.connection_pool.application_name\",\"title\":\"Application Name\",\"enhancements\":{},\"selectedOptions\":[],\"singleSelect\":true}}}"
+ },
+ "description": "This Apache Tomcat dashboard visualizes connection pool data stream metrics.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.connection_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.connection_pool"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e325a4cc-4f13-45e6-ad1d-ab520a86078f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "d754c647-0a3e-4949-b974-ae09a1bc847d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e325a4cc-4f13-45e6-ad1d-ab520a86078f": {
+ "columnOrder": [
+ "85eeb55f-dc5a-4e6a-95be-bae70a4539b4",
+ "a595aca1-c1f6-4115-b83f-5624fefff173",
+ "ffa09b26-9189-492d-8e79-da9b5f6183b8"
+ ],
+ "columns": {
+ "85eeb55f-dc5a-4e6a-95be-bae70a4539b4": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "a595aca1-c1f6-4115-b83f-5624fefff173": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.connection_pool.connection.active.count: *"
+ },
+ "isBucketed": false,
+ "label": "Active connections",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.connection_pool.connection.active.count"
+ },
+ "ffa09b26-9189-492d-8e79-da9b5f6183b8": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.connection_pool.connection.idle.count: *"
+ },
+ "isBucketed": false,
+ "label": "Idle connections",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.connection_pool.connection.idle.count"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "d754c647-0a3e-4949-b974-ae09a1bc847d",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.connection_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.connection_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "a595aca1-c1f6-4115-b83f-5624fefff173",
+ "ffa09b26-9189-492d-8e79-da9b5f6183b8"
+ ],
+ "layerId": "e325a4cc-4f13-45e6-ad1d-ab520a86078f",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "85eeb55f-dc5a-4e6a-95be-bae70a4539b4"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "large",
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yTitle": "Count"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 20,
+ "i": "8379c1c8-9392-4af4-a7f4-e625811a8f12",
+ "w": 38,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "8379c1c8-9392-4af4-a7f4-e625811a8f12",
+ "title": "Connections over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-bf37fdfd-568b-4d88-8698-f487013d0e7a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "c82a919f-342a-40fb-b752-e7d04fed8ff7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "bf37fdfd-568b-4d88-8698-f487013d0e7a": {
+ "columnOrder": [
+ "d8899acf-91a6-4a42-9f2b-2c4724b59a49"
+ ],
+ "columns": {
+ "d8899acf-91a6-4a42-9f2b-2c4724b59a49": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.connection_pool.connection.active.count: *"
+ },
+ "isBucketed": false,
+ "label": "Active connections",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.connection_pool.connection.active.count"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "c82a919f-342a-40fb-b752-e7d04fed8ff7",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.connection_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.connection_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#FFFFFF",
+ "layerId": "bf37fdfd-568b-4d88-8698-f487013d0e7a",
+ "layerType": "data",
+ "metricAccessor": "d8899acf-91a6-4a42-9f2b-2c4724b59a49",
+ "showBar": false
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 10,
+ "i": "f170f694-3b15-4d7f-8d02-93721b07841a",
+ "w": 10,
+ "x": 38,
+ "y": 0
+ },
+ "panelIndex": "f170f694-3b15-4d7f-8d02-93721b07841a",
+ "title": "Active connections [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-bf37fdfd-568b-4d88-8698-f487013d0e7a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "18d6b810-b483-4c38-8003-439a9795566e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "bf37fdfd-568b-4d88-8698-f487013d0e7a": {
+ "columnOrder": [
+ "37ab7957-367f-4788-8d40-2bb3abf57bb8"
+ ],
+ "columns": {
+ "37ab7957-367f-4788-8d40-2bb3abf57bb8": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.connection_pool.connection.idle.count: *"
+ },
+ "isBucketed": false,
+ "label": "Idle connections",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.connection_pool.connection.idle.count"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "18d6b810-b483-4c38-8003-439a9795566e",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.connection_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.connection_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#FFFFFF",
+ "layerId": "bf37fdfd-568b-4d88-8698-f487013d0e7a",
+ "layerType": "data",
+ "metricAccessor": "37ab7957-367f-4788-8d40-2bb3abf57bb8",
+ "showBar": false
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 10,
+ "i": "4ba1c352-1167-4214-a1e0-a8acb13e59aa",
+ "w": 10,
+ "x": 38,
+ "y": 10
+ },
+ "panelIndex": "4ba1c352-1167-4214-a1e0-a8acb13e59aa",
+ "title": "Idle connections [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.7.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Metrics Apache Tomcat] Connection Pool",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-06-30T05:14:49.407Z",
+ "id": "apache_tomcat-af7759b0-0a75-11ee-a8d8-d15950a587f6",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "8379c1c8-9392-4af4-a7f4-e625811a8f12:indexpattern-datasource-layer-e325a4cc-4f13-45e6-ad1d-ab520a86078f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "8379c1c8-9392-4af4-a7f4-e625811a8f12:d754c647-0a3e-4949-b974-ae09a1bc847d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f170f694-3b15-4d7f-8d02-93721b07841a:indexpattern-datasource-layer-bf37fdfd-568b-4d88-8698-f487013d0e7a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f170f694-3b15-4d7f-8d02-93721b07841a:c82a919f-342a-40fb-b752-e7d04fed8ff7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "4ba1c352-1167-4214-a1e0-a8acb13e59aa:indexpattern-datasource-layer-bf37fdfd-568b-4d88-8698-f487013d0e7a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "4ba1c352-1167-4214-a1e0-a8acb13e59aa:18d6b810-b483-4c38-8003-439a9795566e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_3503af0f-80d1-487e-8fa3-e470f20f9f8b:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_80f0e8b9-8077-4aec-bcea-2cc806ff57ed:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
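Review bot: The options-list control on `service.address` in this dashboard's embedded `controlGroupInput.panelsJSON` string is titled `Host Name`, while the memory dashboard added by the same commit titles a control on the same field `Hostname`; dashboards shipped in one package should use one label so the filter bar reads the same from dashboard to dashboard. The change is inside the escaped JSON string, `\"title\":\"Host Name\"` → `\"title\":\"Hostname\"`, and only affects the displayed label, not the filtered field. Separately, the two `lnsMetric` panels set `hidePanelTitles` to true yet still carry `title` values ("Active connections [Metrics Apache Tomcat]", "Idle connections [Metrics Apache Tomcat]"); that appears intentional, since the Lens column `label` is what renders on a metric panel, but it is worth confirming so the unused titles are not mistaken for a display bug later.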
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json
new file mode 100644
index 00000000000..30ac4e11b58
--- /dev/null
+++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json
@@ -0,0 +1,1246 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"40090461-b167-4b82-8ae3-e1326133b845\":{\"order\":0,\"width\":\"medium\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Hostname\",\"id\":\"40090461-b167-4b82-8ae3-e1326133b845\",\"selectedOptions\":[],\"enhancements\":{},\"singleSelect\":true}}}"
+ },
+ "description": "This Apache Tomcat dashboard visualizes memory data stream metrics.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "apache_tomcat.memory"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-603b89be-e03d-4ed5-83b6-4ca7c19f41aa",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7a97f25c-2c29-43be-a9d9-227e78aa4824",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "424f182e-1baf-4bc9-a7a6-74f1ca6881ef",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "603b89be-e03d-4ed5-83b6-4ca7c19f41aa": {
+ "columnOrder": [
+ "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac"
+ ],
+ "columns": {
+ "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.heap.used.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Heap memory usage",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.heap.used.bytes"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "7a97f25c-2c29-43be-a9d9-227e78aa4824": {
+ "columnOrder": [
+ "5a75a03a-9d36-44d3-8ff9-66d3de324ce5",
+ "f610bbb4-2cd9-45b1-b9a1-b61d89b32ee8"
+ ],
+ "columns": {
+ "5a75a03a-9d36-44d3-8ff9-66d3de324ce5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f610bbb4-2cd9-45b1-b9a1-b61d89b32ee8": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.heap.used.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Heap memory usage",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.heap.used.bytes"
+ }
+ },
+ "incompleteColumns": {},
+ "linkToLayers": [
+ "603b89be-e03d-4ed5-83b6-4ca7c19f41aa"
+ ],
+ "sampling": 1
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "424f182e-1baf-4bc9-a7a6-74f1ca6881ef",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.memory"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#FFFFFF",
+ "icon": "empty",
+ "layerId": "603b89be-e03d-4ed5-83b6-4ca7c19f41aa",
+ "layerType": "data",
+ "metricAccessor": "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac",
+ "showBar": false,
+ "trendlineLayerId": "7a97f25c-2c29-43be-a9d9-227e78aa4824",
+ "trendlineLayerType": "metricTrendline",
+ "trendlineMetricAccessor": "f610bbb4-2cd9-45b1-b9a1-b61d89b32ee8",
+ "trendlineTimeAccessor": "5a75a03a-9d36-44d3-8ff9-66d3de324ce5"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 11,
+ "i": "7249a3d9-803b-4ddd-952f-0021fcfe7f58",
+ "w": 10,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "7249a3d9-803b-4ddd-952f-0021fcfe7f58",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "1be63b2a-edae-4674-a21f-4cc44d7ef2a4",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b": {
+ "columnOrder": [
+ "0dd778b3-8804-4a74-9807-284a48c0f474",
+ "cbcd07a6-0246-46f5-b746-22c186e60d4d"
+ ],
+ "columns": {
+ "0dd778b3-8804-4a74-9807-284a48c0f474": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "cbcd07a6-0246-46f5-b746-22c186e60d4d": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.heap.used.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Used",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.heap.used.bytes"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "ce5c86d1-5778-457d-a66f-8d2be35fdd09": {
+ "columnOrder": [
+ "73ecedb4-176f-4c0d-aa3c-c0861634ecf3",
+ "7e8653c8-9ed6-465d-8288-9f6dc4c909f6",
+ "9b37895d-2df4-48a1-8044-cbcd95046198",
+ "019aef94-5186-4949-8172-fd656fb1c550"
+ ],
+ "columns": {
+ "019aef94-5186-4949-8172-fd656fb1c550": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.heap.max.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Max",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.heap.max.bytes"
+ },
+ "73ecedb4-176f-4c0d-aa3c-c0861634ecf3": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "7e8653c8-9ed6-465d-8288-9f6dc4c909f6": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.heap.init.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Init",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.heap.init.bytes"
+ },
+ "9b37895d-2df4-48a1-8044-cbcd95046198": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.heap.committed.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Commited",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.heap.committed.bytes"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "1be63b2a-edae-4674-a21f-4cc44d7ef2a4",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.memory"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "7e8653c8-9ed6-465d-8288-9f6dc4c909f6",
+ "9b37895d-2df4-48a1-8044-cbcd95046198",
+ "019aef94-5186-4949-8172-fd656fb1c550"
+ ],
+ "layerId": "ce5c86d1-5778-457d-a66f-8d2be35fdd09",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "73ecedb4-176f-4c0d-aa3c-c0861634ecf3",
+ "yConfig": [
+ {
+ "color": "#8143ca",
+ "forAccessor": "7e8653c8-9ed6-465d-8288-9f6dc4c909f6"
+ },
+ {
+ "color": "#d41515",
+ "forAccessor": "019aef94-5186-4949-8172-fd656fb1c550"
+ },
+ {
+ "color": "#d6bf57",
+ "forAccessor": "9b37895d-2df4-48a1-8044-cbcd95046198"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "cbcd07a6-0246-46f5-b746-22c186e60d4d"
+ ],
+ "layerId": "832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b",
+ "layerType": "data",
+ "seriesType": "bar",
+ "xAccessor": "0dd778b3-8804-4a74-9807-284a48c0f474",
+ "yConfig": [
+ {
+ "color": "#6092c0",
+ "forAccessor": "cbcd07a6-0246-46f5-b746-22c186e60d4d"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "large",
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Memory"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "When the value for the maximum memory size (in bytes) is set to -1 for heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 11,
+ "i": "ff461eaa-d936-4fbd-af56-72a528fdf515",
+ "w": 38,
+ "x": 10,
+ "y": 0
+ },
+ "panelIndex": "ff461eaa-d936-4fbd-af56-72a528fdf515",
+ "title": "Heap memory over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-603b89be-e03d-4ed5-83b6-4ca7c19f41aa",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b9cb687d-7e05-469a-bc47-e9b07685a0d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "8708baa5-febb-4d77-9857-ba124b9c91f8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "603b89be-e03d-4ed5-83b6-4ca7c19f41aa": {
+ "columnOrder": [
+ "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac"
+ ],
+ "columns": {
+ "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.non_heap.used.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Non-heap memory usage",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.non_heap.used.bytes"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "b9cb687d-7e05-469a-bc47-e9b07685a0d8": {
+ "columnOrder": [
+ "1b77df70-bf4a-4f5e-90e7-72fd4d33e42d",
+ "641fc5ee-3abf-4790-9d21-f5995f257dff"
+ ],
+ "columns": {
+ "1b77df70-bf4a-4f5e-90e7-72fd4d33e42d": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "641fc5ee-3abf-4790-9d21-f5995f257dff": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.non_heap.used.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Non-heap memory usage",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.non_heap.used.bytes"
+ }
+ },
+ "incompleteColumns": {},
+ "linkToLayers": [
+ "603b89be-e03d-4ed5-83b6-4ca7c19f41aa"
+ ],
+ "sampling": 1
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "8708baa5-febb-4d77-9857-ba124b9c91f8",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.memory"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "FFFFFF",
+ "layerId": "603b89be-e03d-4ed5-83b6-4ca7c19f41aa",
+ "layerType": "data",
+ "metricAccessor": "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac",
+ "showBar": false,
+ "trendlineLayerId": "b9cb687d-7e05-469a-bc47-e9b07685a0d8",
+ "trendlineLayerType": "metricTrendline",
+ "trendlineMetricAccessor": "641fc5ee-3abf-4790-9d21-f5995f257dff",
+ "trendlineTimeAccessor": "1b77df70-bf4a-4f5e-90e7-72fd4d33e42d"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 11,
+ "i": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47",
+ "w": 10,
+ "x": 0,
+ "y": 11
+ },
+ "panelIndex": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47",
+ "title": "",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "4fba9f55-18c8-458c-9ee5-83936d0402ac",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b": {
+ "columnOrder": [
+ "0dd778b3-8804-4a74-9807-284a48c0f474",
+ "cbcd07a6-0246-46f5-b746-22c186e60d4d"
+ ],
+ "columns": {
+ "0dd778b3-8804-4a74-9807-284a48c0f474": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "cbcd07a6-0246-46f5-b746-22c186e60d4d": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.non_heap.used.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Used",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.non_heap.used.bytes"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "ce5c86d1-5778-457d-a66f-8d2be35fdd09": {
+ "columnOrder": [
+ "73ecedb4-176f-4c0d-aa3c-c0861634ecf3",
+ "7e8653c8-9ed6-465d-8288-9f6dc4c909f6",
+ "9b37895d-2df4-48a1-8044-cbcd95046198",
+ "1a8d3154-9b7f-41e9-af52-64e4f0935387"
+ ],
+ "columns": {
+ "1a8d3154-9b7f-41e9-af52-64e4f0935387": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.non_heap.max.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Max",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.non_heap.max.bytes"
+ },
+ "73ecedb4-176f-4c0d-aa3c-c0861634ecf3": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "7e8653c8-9ed6-465d-8288-9f6dc4c909f6": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.non_heap.init.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Init",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.non_heap.init.bytes"
+ },
+ "9b37895d-2df4-48a1-8044-cbcd95046198": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.non_heap.committed.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Commited",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.non_heap.committed.bytes"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "4fba9f55-18c8-458c-9ee5-83936d0402ac",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.memory"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "7e8653c8-9ed6-465d-8288-9f6dc4c909f6",
+ "9b37895d-2df4-48a1-8044-cbcd95046198",
+ "1a8d3154-9b7f-41e9-af52-64e4f0935387"
+ ],
+ "layerId": "ce5c86d1-5778-457d-a66f-8d2be35fdd09",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "73ecedb4-176f-4c0d-aa3c-c0861634ecf3",
+ "yConfig": [
+ {
+ "color": "#8143ca",
+ "forAccessor": "7e8653c8-9ed6-465d-8288-9f6dc4c909f6"
+ },
+ {
+ "color": "#e01212",
+ "forAccessor": "1a8d3154-9b7f-41e9-af52-64e4f0935387"
+ },
+ {
+ "color": "#d6bf57",
+ "forAccessor": "9b37895d-2df4-48a1-8044-cbcd95046198"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "cbcd07a6-0246-46f5-b746-22c186e60d4d"
+ ],
+ "layerId": "832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b",
+ "layerType": "data",
+ "seriesType": "bar",
+ "xAccessor": "0dd778b3-8804-4a74-9807-284a48c0f474",
+ "yConfig": [
+ {
+ "color": "#6092c0",
+ "forAccessor": "cbcd07a6-0246-46f5-b746-22c186e60d4d"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "large",
+ "position": "right",
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Memory"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "When the value for the maximum memory size (in bytes) is set to -1 for non-heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 11,
+ "i": "1c7a5509-3841-40a3-9b00-fd11ee6db933",
+ "w": 38,
+ "x": 10,
+ "y": 11
+ },
+ "panelIndex": "1c7a5509-3841-40a3-9b00-fd11ee6db933",
+ "title": "Non-heap memory over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-88daef46-ca28-45c1-b7cc-8f7ccff4842d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-9664f1c8-ab27-4919-9805-e22529ee1f2c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f7dd40ff-6ab5-4c72-9c14-3d9a3a1459c0",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "88daef46-ca28-45c1-b7cc-8f7ccff4842d": {
+ "columnOrder": [
+ "11293177-6826-46e6-a6f5-365beee20933",
+ "7da790e2-9037-4e7d-af92-513305d139e2"
+ ],
+ "columns": {
+ "11293177-6826-46e6-a6f5-365beee20933": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "7da790e2-9037-4e7d-af92-513305d139e2": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.gc.collection.time.ms: *"
+ },
+ "isBucketed": false,
+ "label": "GC time(ms)",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.gc.collection.time.ms"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "9664f1c8-ab27-4919-9805-e22529ee1f2c": {
+ "columnOrder": [
+ "f5806bac-f641-4bfb-8be9-c3fb8728ee6d",
+ "78f1082b-f1fc-4ed4-98fd-fdb3b92bac32"
+ ],
+ "columns": {
+ "78f1082b-f1fc-4ed4-98fd-fdb3b92bac32": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.gc.collection.count: *"
+ },
+ "isBucketed": false,
+ "label": "GC count",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.gc.collection.count"
+ },
+ "f5806bac-f641-4bfb-8be9-c3fb8728ee6d": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "f7dd40ff-6ab5-4c72-9c14-3d9a3a1459c0",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.memory"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "78f1082b-f1fc-4ed4-98fd-fdb3b92bac32"
+ ],
+ "layerId": "9664f1c8-ab27-4919-9805-e22529ee1f2c",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar",
+ "showGridlines": false,
+ "xAccessor": "f5806bac-f641-4bfb-8be9-c3fb8728ee6d",
+ "yConfig": [
+ {
+ "color": "#6092c0",
+ "forAccessor": "78f1082b-f1fc-4ed4-98fd-fdb3b92bac32"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "7da790e2-9037-4e7d-af92-513305d139e2"
+ ],
+ "layerId": "88daef46-ca28-45c1-b7cc-8f7ccff4842d",
+ "layerType": "data",
+ "seriesType": "line",
+ "xAccessor": "11293177-6826-46e6-a6f5-365beee20933",
+ "yConfig": [
+ {
+ "color": "#d6bf57",
+ "forAccessor": "7da790e2-9037-4e7d-af92-513305d139e2"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Garbage Collection"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 11,
+ "i": "af80afbb-07f6-4f69-b475-2e5f19cfa60d",
+ "w": 48,
+ "x": 0,
+ "y": 22
+ },
+ "panelIndex": "af80afbb-07f6-4f69-b475-2e5f19cfa60d",
+ "title": "Garbage collection over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Metrics Apache Tomcat] Memory",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T10:55:22.442Z",
+ "id": "apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "7249a3d9-803b-4ddd-952f-0021fcfe7f58:indexpattern-datasource-layer-603b89be-e03d-4ed5-83b6-4ca7c19f41aa",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "7249a3d9-803b-4ddd-952f-0021fcfe7f58:indexpattern-datasource-layer-7a97f25c-2c29-43be-a9d9-227e78aa4824",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "7249a3d9-803b-4ddd-952f-0021fcfe7f58:424f182e-1baf-4bc9-a7a6-74f1ca6881ef",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "ff461eaa-d936-4fbd-af56-72a528fdf515:indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "ff461eaa-d936-4fbd-af56-72a528fdf515:indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "ff461eaa-d936-4fbd-af56-72a528fdf515:1be63b2a-edae-4674-a21f-4cc44d7ef2a4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47:indexpattern-datasource-layer-603b89be-e03d-4ed5-83b6-4ca7c19f41aa",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47:indexpattern-datasource-layer-b9cb687d-7e05-469a-bc47-e9b07685a0d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47:8708baa5-febb-4d77-9857-ba124b9c91f8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "1c7a5509-3841-40a3-9b00-fd11ee6db933:indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "1c7a5509-3841-40a3-9b00-fd11ee6db933:indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "1c7a5509-3841-40a3-9b00-fd11ee6db933:4fba9f55-18c8-458c-9ee5-83936d0402ac",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "af80afbb-07f6-4f69-b475-2e5f19cfa60d:indexpattern-datasource-layer-88daef46-ca28-45c1-b7cc-8f7ccff4842d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "af80afbb-07f6-4f69-b475-2e5f19cfa60d:indexpattern-datasource-layer-9664f1c8-ab27-4919-9805-e22529ee1f2c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "af80afbb-07f6-4f69-b475-2e5f19cfa60d:f7dd40ff-6ab5-4c72-9c14-3d9a3a1459c0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_40090461-b167-4b82-8ae3-e1326133b845:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c8ec7280-1a57-11ee-8c1a-099fb2bcb823.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c8ec7280-1a57-11ee-8c1a-099fb2bcb823.json
new file mode 100644
index 00000000000..ab28ff8c7f7
--- /dev/null
+++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c8ec7280-1a57-11ee-8c1a-099fb2bcb823.json
@@ -0,0 +1,1509 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"389cb789-1fc8-43c8-b276-08d02bae4cee\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"389cb789-1fc8-43c8-b276-08d02bae4cee\",\"fieldName\":\"service.address\",\"title\":\"Host Name\",\"singleSelect\":true,\"selectedOptions\":[],\"enhancements\":{}}}}"
+ },
+ "description": "This Apache Tomcat dashboard visualizes all metrics data streams.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.module",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.module",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.module": "apache_tomcat"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-99998251-2f00-4a88-bf98-07e7d8e3ac81",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-207a8774-23b1-43df-831f-56cb6d093dc0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f3e87a81-2a03-49e7-b465-ae2e5540cfd7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "207a8774-23b1-43df-831f-56cb6d093dc0": {
+ "columnOrder": [
+ "ecb80070-fb11-4e81-a168-fce13b5c6e79",
+ "9aee1c62-a8bb-4f94-8e6b-35914633c7bf"
+ ],
+ "columns": {
+ "9aee1c62-a8bb-4f94-8e6b-35914633c7bf": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Applications",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.application_name"
+ },
+ "ecb80070-fb11-4e81-a168-fce13b5c6e79": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "linkToLayers": [
+ "99998251-2f00-4a88-bf98-07e7d8e3ac81"
+ ],
+ "sampling": 1
+ },
+ "99998251-2f00-4a88-bf98-07e7d8e3ac81": {
+ "columnOrder": [
+ "403632df-7fa6-4f1b-8d06-d1a5c50081b5"
+ ],
+ "columns": {
+ "403632df-7fa6-4f1b-8d06-d1a5c50081b5": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Applications",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.session.application_name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "f3e87a81-2a03-49e7-b465-ae2e5540cfd7",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.session"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.session"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layerId": "99998251-2f00-4a88-bf98-07e7d8e3ac81",
+ "layerType": "data",
+ "metricAccessor": "403632df-7fa6-4f1b-8d06-d1a5c50081b5",
+ "showBar": false,
+ "trendlineLayerId": "207a8774-23b1-43df-831f-56cb6d093dc0",
+ "trendlineLayerType": "metricTrendline",
+ "trendlineMetricAccessor": "9aee1c62-a8bb-4f94-8e6b-35914633c7bf",
+ "trendlineTimeAccessor": "ecb80070-fb11-4e81-a168-fce13b5c6e79"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 8,
+ "i": "06854553-1f37-41b0-972c-380acf5cb39f",
+ "w": 12,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "06854553-1f37-41b0-972c-380acf5cb39f",
+ "title": "Number of Applications [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e6ec4f57-529c-490f-86c3-5ae4140dc908",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "791b20c2-6ace-42e3-a393-51b4f378bd2a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e6ec4f57-529c-490f-86c3-5ae4140dc908": {
+ "columnOrder": [
+ "db6bdb81-fe6d-4c67-ade9-705e6a94b3f5",
+ "8b4f3972-938e-4f87-bbef-54e1b639a222",
+ "cdcf84af-9e79-4e24-9514-2f4c82adfd58"
+ ],
+ "columns": {
+ "8b4f3972-938e-4f87-bbef-54e1b639a222": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "cdcf84af-9e79-4e24-9514-2f4c82adfd58": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.cache.lookup.count: *"
+ },
+ "isBucketed": false,
+ "label": "Requests",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.cache.lookup.count"
+ },
+ "db6bdb81-fe6d-4c67-ade9-705e6a94b3f5": {
+ "customLabel": false,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 5 values of apache_tomcat.cache.application_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cdcf84af-9e79-4e24-9514-2f4c82adfd58",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "apache_tomcat.cache.application_name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "791b20c2-6ace-42e3-a393-51b4f378bd2a",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.cache"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.cache"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "cdcf84af-9e79-4e24-9514-2f4c82adfd58"
+ ],
+ "layerId": "e6ec4f57-529c-490f-86c3-5ae4140dc908",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "splitAccessor": "db6bdb81-fe6d-4c67-ade9-705e6a94b3f5",
+ "xAccessor": "8b4f3972-938e-4f87-bbef-54e1b639a222"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show",
+ "valuesInLegend": true,
+ "yTitle": "Count"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "b8716edd-6941-4cba-9f1a-b3a08c7fc647",
+ "w": 36,
+ "x": 12,
+ "y": 0
+ },
+ "panelIndex": "b8716edd-6941-4cba-9f1a-b3a08c7fc647",
+ "title": "Top 5 requests per application over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-041c5a9d-e816-4c77-ae9f-e31b81d15a8a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e4ff0e97-e884-4a2e-859a-f16a579acd75",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e03e36e7-2153-4e6b-ad73-0b3f58c89969",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "041c5a9d-e816-4c77-ae9f-e31b81d15a8a": {
+ "columnOrder": [
+ "9b579883-49f8-440c-adaf-bf72a16efdcd",
+ "2dc00ae2-0844-423c-b259-b597618dc7e7",
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X0",
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X1",
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X2"
+ ],
+ "columns": {
+ "2dc00ae2-0844-423c-b259-b597618dc7e7": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average request processing time (ms)",
+ "operationType": "formula",
+ "params": {
+ "formula": "(last_value(apache_tomcat.request.time.total, kql='apache_tomcat.request.time.total: *')) / (last_value(apache_tomcat.request.count, kql='apache_tomcat.request.count: *'))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X2"
+ ],
+ "scale": "ratio"
+ },
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.request.time.total: *"
+ },
+ "isBucketed": false,
+ "label": "Part of Average request processing time (ms)",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.request.time.total"
+ },
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.request.count: *"
+ },
+ "isBucketed": false,
+ "label": "Part of Average request processing time (ms)",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.request.count"
+ },
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Average request processing time (ms)",
+ "operationType": "math",
+ "params": {
+ "tinymathAst": {
+ "args": [
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X0",
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X1"
+ ],
+ "location": {
+ "max": 171,
+ "min": 0
+ },
+ "name": "divide",
+ "text": "(last_value(apache_tomcat.request.time.total, kql='apache_tomcat.request.time.total: *')) / (last_value(apache_tomcat.request.count, kql='apache_tomcat.request.count: *'))",
+ "type": "function"
+ }
+ },
+ "references": [
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X0",
+ "2dc00ae2-0844-423c-b259-b597618dc7e7X1"
+ ],
+ "scale": "ratio"
+ },
+ "9b579883-49f8-440c-adaf-bf72a16efdcd": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "linkToLayers": [
+ "e4ff0e97-e884-4a2e-859a-f16a579acd75"
+ ],
+ "sampling": 1
+ },
+ "e4ff0e97-e884-4a2e-859a-f16a579acd75": {
+ "columnOrder": [
+ "637d48c2-7443-454d-a1a8-beb47046c833",
+ "637d48c2-7443-454d-a1a8-beb47046c833X0",
+ "637d48c2-7443-454d-a1a8-beb47046c833X1",
+ "637d48c2-7443-454d-a1a8-beb47046c833X2"
+ ],
+ "columns": {
+ "637d48c2-7443-454d-a1a8-beb47046c833": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average request processing time (ms)",
+ "operationType": "formula",
+ "params": {
+ "formula": "(last_value(apache_tomcat.request.time.total, kql='apache_tomcat.request.time.total: *')) / (last_value(apache_tomcat.request.count, kql='apache_tomcat.request.count: *'))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "637d48c2-7443-454d-a1a8-beb47046c833X2"
+ ],
+ "scale": "ratio"
+ },
+ "637d48c2-7443-454d-a1a8-beb47046c833X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.request.time.total: *"
+ },
+ "isBucketed": false,
+ "label": "Part of Average request processing time (ms)",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.request.time.total"
+ },
+ "637d48c2-7443-454d-a1a8-beb47046c833X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.request.count: *"
+ },
+ "isBucketed": false,
+ "label": "Part of Average request processing time (ms)",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.request.count"
+ },
+ "637d48c2-7443-454d-a1a8-beb47046c833X2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Average request processing time (ms)",
+ "operationType": "math",
+ "params": {
+ "tinymathAst": {
+ "args": [
+ "637d48c2-7443-454d-a1a8-beb47046c833X0",
+ "637d48c2-7443-454d-a1a8-beb47046c833X1"
+ ],
+ "location": {
+ "max": 171,
+ "min": 0
+ },
+ "name": "divide",
+ "text": "(last_value(apache_tomcat.request.time.total, kql='apache_tomcat.request.time.total: *')) / (last_value(apache_tomcat.request.count, kql='apache_tomcat.request.count: *'))",
+ "type": "function"
+ }
+ },
+ "references": [
+ "637d48c2-7443-454d-a1a8-beb47046c833X0",
+ "637d48c2-7443-454d-a1a8-beb47046c833X1"
+ ],
+ "scale": "ratio"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "e03e36e7-2153-4e6b-ad73-0b3f58c89969",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.request"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.request"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layerId": "e4ff0e97-e884-4a2e-859a-f16a579acd75",
+ "layerType": "data",
+ "metricAccessor": "637d48c2-7443-454d-a1a8-beb47046c833",
+ "showBar": false,
+ "trendlineLayerId": "041c5a9d-e816-4c77-ae9f-e31b81d15a8a",
+ "trendlineLayerType": "metricTrendline",
+ "trendlineMetricAccessor": "2dc00ae2-0844-423c-b259-b597618dc7e7",
+ "trendlineTimeAccessor": "9b579883-49f8-440c-adaf-bf72a16efdcd"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 8,
+ "i": "9e8b29e7-3679-4e44-a585-f4cf7f17044f",
+ "w": 12,
+ "x": 0,
+ "y": 8
+ },
+ "panelIndex": "9e8b29e7-3679-4e44-a585-f4cf7f17044f",
+ "title": "Average request processing time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7c4da97e-7d47-4847-87ae-0fbdcc983343",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "38cc0910-5849-444d-ba26-a9dab625f549",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7c4da97e-7d47-4847-87ae-0fbdcc983343": {
+ "columnOrder": [
+ "47ab8662-6f73-47d4-927c-535c57fa4a64",
+ "c1f42f1c-d4c1-486c-afd8-e1c2f02ecd31",
+ "1b360833-8c28-4ee2-8b0c-ecb3595f83de"
+ ],
+ "columns": {
+ "1b360833-8c28-4ee2-8b0c-ecb3595f83de": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.connection_pool.connection.idle.count: *"
+ },
+ "isBucketed": false,
+ "label": "Idle",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.connection_pool.connection.idle.count"
+ },
+ "47ab8662-6f73-47d4-927c-535c57fa4a64": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "c1f42f1c-d4c1-486c-afd8-e1c2f02ecd31": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.connection_pool.connection.active.count: *"
+ },
+ "isBucketed": false,
+ "label": "Active",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.connection_pool.connection.active.count"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "38cc0910-5849-444d-ba26-a9dab625f549",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.connection_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.connection_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "c1f42f1c-d4c1-486c-afd8-e1c2f02ecd31",
+ "1b360833-8c28-4ee2-8b0c-ecb3595f83de"
+ ],
+ "layerId": "7c4da97e-7d47-4847-87ae-0fbdcc983343",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "47ab8662-6f73-47d4-927c-535c57fa4a64"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Count"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 12,
+ "i": "ba5d9b2e-689c-4472-aa89-bc355a5cc780",
+ "w": 24,
+ "x": 0,
+ "y": 16
+ },
+ "panelIndex": "ba5d9b2e-689c-4472-aa89-bc355a5cc780",
+ "title": "Connections over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b09c20e6-d7d3-4fe2-8490-2c6feedb02c9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "44b26cb6-1625-4950-9cd5-a079004b991b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b09c20e6-d7d3-4fe2-8490-2c6feedb02c9": {
+ "columnOrder": [
+ "97565d74-9071-4fe2-9bdf-b78c4747a99f",
+ "1074de52-890c-4177-9341-1679cec0988d",
+ "cd855517-672f-4dc1-ad08-b0c254681134"
+ ],
+ "columns": {
+ "1074de52-890c-4177-9341-1679cec0988d": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.non_heap.used.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Heap",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.non_heap.used.bytes"
+ },
+ "97565d74-9071-4fe2-9bdf-b78c4747a99f": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "cd855517-672f-4dc1-ad08-b0c254681134": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.memory.heap.used.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Non-heap",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.memory.heap.used.bytes"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "44b26cb6-1625-4950-9cd5-a079004b991b",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.memory"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.memory"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "1074de52-890c-4177-9341-1679cec0988d",
+ "cd855517-672f-4dc1-ad08-b0c254681134"
+ ],
+ "layerId": "b09c20e6-d7d3-4fe2-8490-2c6feedb02c9",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "97565d74-9071-4fe2-9bdf-b78c4747a99f"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Memory"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 12,
+ "i": "38423062-d16c-4911-a9e9-dfdfba9d19b5",
+ "w": 24,
+ "x": 24,
+ "y": 16
+ },
+ "panelIndex": "38423062-d16c-4911-a9e9-dfdfba9d19b5",
+ "title": "Memory usage over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-365e11cb-9eed-4fd4-a335-2b8ee3f454c5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "c9861b14-6ccb-4a1a-b38f-4d7c01febfc8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "365e11cb-9eed-4fd4-a335-2b8ee3f454c5": {
+ "columnOrder": [
+ "56bfcf1f-366d-489d-aeaf-823125dba18d",
+ "9406fdc5-199c-48f2-8193-2be17f9170bd",
+ "715c511c-e362-4e96-96df-00acc3ef605b"
+ ],
+ "columns": {
+ "56bfcf1f-366d-489d-aeaf-823125dba18d": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "715c511c-e362-4e96-96df-00acc3ef605b": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.request.received.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Received",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.request.received.bytes"
+ },
+ "9406fdc5-199c-48f2-8193-2be17f9170bd": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.request.sent.bytes: *"
+ },
+ "isBucketed": false,
+ "label": "Sent",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.request.sent.bytes"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "c9861b14-6ccb-4a1a-b38f-4d7c01febfc8",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.request"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.request"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "9406fdc5-199c-48f2-8193-2be17f9170bd",
+ "715c511c-e362-4e96-96df-00acc3ef605b"
+ ],
+ "layerId": "365e11cb-9eed-4fd4-a335-2b8ee3f454c5",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "56bfcf1f-366d-489d-aeaf-823125dba18d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Data units"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 12,
+ "i": "5862d24f-ecf5-41fd-93b4-3d214e834361",
+ "w": 24,
+ "x": 24,
+ "y": 28
+ },
+ "panelIndex": "5862d24f-ecf5-41fd-93b4-3d214e834361",
+ "title": "Throughput over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-bdd64b4a-4147-4624-8e56-78dbbddd5986",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "1a9a387d-da2b-46c0-9d67-d84642c4450d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "bdd64b4a-4147-4624-8e56-78dbbddd5986": {
+ "columnOrder": [
+ "c3eb8cac-6126-4ab5-b117-4f56c8085e53",
+ "29cd7eae-c51a-4725-9c89-7cbd2ba12ac1",
+ "d9b2dfee-a55c-4ec7-8bd3-6be711987fa7",
+ "b0e681ca-4edb-4fde-b59f-23f6aeba18df",
+ "8eaaccf2-0bcd-4bcc-b7d1-8e92c419da33",
+ "a43ca53b-6d71-48a4-8e43-ad363aded28d"
+ ],
+ "columns": {
+ "29cd7eae-c51a-4725-9c89-7cbd2ba12ac1": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.current.count: *"
+ },
+ "isBucketed": false,
+ "label": "Current",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.current.count"
+ },
+ "8eaaccf2-0bcd-4bcc-b7d1-8e92c419da33": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.active.count: *"
+ },
+ "isBucketed": false,
+ "label": "Active",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.active.count"
+ },
+ "a43ca53b-6d71-48a4-8e43-ad363aded28d": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.current.busy: *"
+ },
+ "isBucketed": false,
+ "label": "Busy",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.current.busy"
+ },
+ "b0e681ca-4edb-4fde-b59f-23f6aeba18df": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.peak.count: *"
+ },
+ "isBucketed": false,
+ "label": "Peak",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.peak.count"
+ },
+ "c3eb8cac-6126-4ab5-b117-4f56c8085e53": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "d9b2dfee-a55c-4ec7-8bd3-6be711987fa7": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "apache_tomcat.thread_pool.thread.daemon.count: *"
+ },
+ "isBucketed": false,
+ "label": "Daemon",
+ "operationType": "last_value",
+ "params": {
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "apache_tomcat.thread_pool.thread.daemon.count"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "1a9a387d-da2b-46c0-9d67-d84642c4450d",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "apache_tomcat.thread_pool"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "apache_tomcat.thread_pool"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "29cd7eae-c51a-4725-9c89-7cbd2ba12ac1",
+ "d9b2dfee-a55c-4ec7-8bd3-6be711987fa7",
+ "b0e681ca-4edb-4fde-b59f-23f6aeba18df",
+ "8eaaccf2-0bcd-4bcc-b7d1-8e92c419da33",
+ "a43ca53b-6d71-48a4-8e43-ad363aded28d"
+ ],
+ "layerId": "bdd64b4a-4147-4624-8e56-78dbbddd5986",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "c3eb8cac-6126-4ab5-b117-4f56c8085e53"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": "Count"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "Active threads represent Current active threads at the JVM level (from java.lang:type=Threading), Current threads represent Current number of threads that are taken from the ThreadPool and Peak threads represent Peak threads at the JVM level (from java.lang:type=Threading)",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 12,
+ "i": "8d71c0de-16f1-4231-97ff-0bf7e1af5db0",
+ "w": 24,
+ "x": 0,
+ "y": 34
+ },
+ "panelIndex": "8d71c0de-16f1-4231-97ff-0bf7e1af5db0",
+ "title": "Thread distribution by server over time [Metrics Apache Tomcat]",
+ "type": "lens",
+ "version": "8.8.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Metrics Apache Tomcat] Overview ",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-19T08:01:33.946Z",
+ "id": "apache_tomcat-c8ec7280-1a57-11ee-8c1a-099fb2bcb823",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "06854553-1f37-41b0-972c-380acf5cb39f:indexpattern-datasource-layer-99998251-2f00-4a88-bf98-07e7d8e3ac81",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "06854553-1f37-41b0-972c-380acf5cb39f:indexpattern-datasource-layer-207a8774-23b1-43df-831f-56cb6d093dc0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "06854553-1f37-41b0-972c-380acf5cb39f:f3e87a81-2a03-49e7-b465-ae2e5540cfd7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "b8716edd-6941-4cba-9f1a-b3a08c7fc647:indexpattern-datasource-layer-e6ec4f57-529c-490f-86c3-5ae4140dc908",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "b8716edd-6941-4cba-9f1a-b3a08c7fc647:791b20c2-6ace-42e3-a393-51b4f378bd2a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "9e8b29e7-3679-4e44-a585-f4cf7f17044f:indexpattern-datasource-layer-041c5a9d-e816-4c77-ae9f-e31b81d15a8a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "9e8b29e7-3679-4e44-a585-f4cf7f17044f:indexpattern-datasource-layer-e4ff0e97-e884-4a2e-859a-f16a579acd75",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "9e8b29e7-3679-4e44-a585-f4cf7f17044f:e03e36e7-2153-4e6b-ad73-0b3f58c89969",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "ba5d9b2e-689c-4472-aa89-bc355a5cc780:indexpattern-datasource-layer-7c4da97e-7d47-4847-87ae-0fbdcc983343",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "ba5d9b2e-689c-4472-aa89-bc355a5cc780:38cc0910-5849-444d-ba26-a9dab625f549",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "38423062-d16c-4911-a9e9-dfdfba9d19b5:indexpattern-datasource-layer-b09c20e6-d7d3-4fe2-8490-2c6feedb02c9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "38423062-d16c-4911-a9e9-dfdfba9d19b5:44b26cb6-1625-4950-9cd5-a079004b991b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5862d24f-ecf5-41fd-93b4-3d214e834361:indexpattern-datasource-layer-365e11cb-9eed-4fd4-a335-2b8ee3f454c5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5862d24f-ecf5-41fd-93b4-3d214e834361:c9861b14-6ccb-4a1a-b38f-4d7c01febfc8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "8d71c0de-16f1-4231-97ff-0bf7e1af5db0:indexpattern-datasource-layer-bdd64b4a-4147-4624-8e56-78dbbddd5986",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "8d71c0de-16f1-4231-97ff-0bf7e1af5db0:1a9a387d-da2b-46c0-9d67-d84642c4450d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_389cb789-1fc8-43c8-b276-08d02bae4cee:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/apache_tomcat/kibana/search/apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195.json b/packages/apache_tomcat/kibana/search/apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195.json
index 41b2acec5a2..422f73d8e2c 100644
--- a/packages/apache_tomcat/kibana/search/apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195.json
+++ b/packages/apache_tomcat/kibana/search/apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195.json
@@ -42,6 +42,28 @@
"event.dataset": "apache_tomcat.catalina"
}
}
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "log.level",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "log.level",
+ "negate": true,
+ "params": {
+ "query": "info"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "log.level": "info"
+ }
+ }
}
],
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
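Review bot: The added filter is both negated and enabled (`"negate": true`, `"disabled": false`), so this saved search now hides every catalina event whose `log.level` is `info` by default, and nothing in the object tells the user that; Tomcat writes most lifecycle and deployment messages at INFO, so an analyst can miss them unless they notice the pinned filter. If warnings-and-above is the intended default view, make the exclusion self-describing by replacing `"alias": null` with `"alias": "Exclude info-level events"`, or ship it with `"disabled": true` so it is opt-in. Either way, the same filter is duplicated into the localhost search below and the two should be kept identical.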
@@ -62,9 +84,10 @@
"usesAdHocDataView": false
},
"coreMigrationVersion": "8.7.0",
- "created_at": "2023-05-09T09:47:42.878Z",
+ "created_at": "2023-07-24T12:48:07.116Z",
"id": "apache_tomcat-1f3c6e30-dd11-11ed-9f4f-d97c9f37d195",
"migrationVersion": {
+ "dashboard": "8.0.0",
"search": "8.0.0"
},
"references": [
@@ -77,6 +100,11 @@
"id": "logs-*",
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
}
],
"type": "search"
diff --git a/packages/apache_tomcat/kibana/search/apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c.json b/packages/apache_tomcat/kibana/search/apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c.json
index 9b772256163..8109ba8161e 100644
--- a/packages/apache_tomcat/kibana/search/apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c.json
+++ b/packages/apache_tomcat/kibana/search/apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c.json
@@ -42,6 +42,28 @@
"event.dataset": "apache_tomcat.localhost"
}
}
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "log.level",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "log.level",
+ "negate": true,
+ "params": {
+ "query": "info"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "log.level": "info"
+ }
+ }
}
],
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
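Review bot: The new `match_phrase` on `log.level` with the value `"info"` only does anything if the ingest pipeline normalizes the level to lowercase; `match_phrase` against a keyword field is case-sensitive and Tomcat's localhost log emits levels such as `INFO`, so if the pipeline keeps the raw casing this enabled, negated filter silently excludes nothing. The pipeline is not in this chunk, so please confirm it lowercases `log.level` (or change the filter value to match what is actually stored) and add a pipeline test case containing an `INFO` line so the saved search and the pipeline cannot drift apart.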
@@ -62,9 +84,10 @@
"usesAdHocDataView": false
},
"coreMigrationVersion": "8.7.0",
- "created_at": "2023-05-09T09:47:42.878Z",
+ "created_at": "2023-07-24T12:48:07.116Z",
"id": "apache_tomcat-4d39c820-ddcd-11ed-8080-ddad81fe2c3c",
"migrationVersion": {
+ "dashboard": "8.0.0",
"search": "8.0.0"
},
"references": [
@@ -77,6 +100,11 @@
"id": "logs-*",
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
}
],
"type": "search"
diff --git a/packages/apache_tomcat/kibana/search/apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f.json b/packages/apache_tomcat/kibana/search/apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f.json
index 98d38d561cf..d43d4ec6699 100644
--- a/packages/apache_tomcat/kibana/search/apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f.json
+++ b/packages/apache_tomcat/kibana/search/apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f.json
@@ -91,9 +91,10 @@
"usesAdHocDataView": false
},
"coreMigrationVersion": "8.7.0",
- "created_at": "2023-05-08T13:32:44.823Z",
+ "created_at": "2023-07-24T12:48:07.116Z",
"id": "apache_tomcat-d0957a70-eda4-11ed-909a-2baec7270d1f",
"migrationVersion": {
+ "dashboard": "8.0.0",
"search": "8.0.0"
},
"references": [
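Review bot: The added `"dashboard": "8.0.0"` under `migrationVersion` sits on an object whose `type` is `search`; `migrationVersion` is keyed by saved-object type, so a `dashboard` entry here looks like an artifact of the re-export rather than something Kibana uses for this object, and it will be carried into every future export. I'd drop the added line and keep `"search": "8.0.0"` only; the same stray key was added to the other two saved searches in this package. I believe Kibana only rejects migration versions newer than it knows about, so this is probably harmless today, but it is worth confirming the importer tolerates it before relying on that.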
diff --git a/packages/apache_tomcat/manifest.yml b/packages/apache_tomcat/manifest.yml
index c48fdf9ef2d..b4a6c304393 100644
--- a/packages/apache_tomcat/manifest.yml
+++ b/packages/apache_tomcat/manifest.yml
@@ -1,12 +1,12 @@
format_version: 2.3.0
name: apache_tomcat
title: Apache Tomcat
-version: "0.6.0"
+version: "0.12.3"
description: Collect and parse logs and metrics from Apache Tomcat servers with Elastic Agent.
categories: ["web", "observability"]
type: integration
conditions:
- kibana.version: "^8.7.0"
+ kibana.version: "^8.8.0"
policy_templates:
- name: Apache Tomcat
title: Apache Tomcat
@@ -79,6 +79,14 @@ icons:
size: 32x32
type: image/svg+xml
screenshots:
+ - src: /img/apache_tomcat-logs-overview-dashboard.png
+ title: Apache Tomcat Logs Overview dashboard
+ size: 600x600
+ type: image/png
+ - src: /img/apache_tomcat-metrics-overview-dashboard.png
+ title: Apache Tomcat Metrics Overview dashboard
+ size: 600x600
+ type: image/png
- src: /img/apache_tomcat-access-dashboard.png
title: Apache Tomcat access dashboard
size: 600x600
@@ -95,5 +103,21 @@ screenshots:
title: Apache Tomcat Catalina and Localhost dashboard
size: 600x600
type: image/png
+ - src: /img/apache_tomcat-session-dashboard.png
+ title: Apache Tomcat Session dashboard
+ size: 600x600
+ type: image/png
+ - src: /img/apache_tomcat-memory-dashboard.png
+ title: Apache Tomcat Memory dashboard
+ size: 600x600
+ type: image/png
+ - src: /img/apache_tomcat-thread-pool-dashboard.png
+ title: Apache Tomcat Thread Pool dashboard
+ size: 600x600
+ type: image/png
+ - src: /img/apache_tomcat-connection-pool-dashboard.png
+ title: Apache Tomcat Connection Pool dashboard
+ size: 600x600
+ type: image/png
owner:
github: elastic/obs-infraobs-integrations
diff --git a/packages/arista_ngfw/_dev/build/build.yml b/packages/arista_ngfw/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100755
--- a/packages/arista_ngfw/_dev/build/build.yml
+++ b/packages/arista_ngfw/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/arista_ngfw/_dev/build/docs/README.md b/packages/arista_ngfw/_dev/build/docs/README.md
index 361b286afc5..7cde1f70e36 100755
--- a/packages/arista_ngfw/_dev/build/docs/README.md
+++ b/packages/arista_ngfw/_dev/build/docs/README.md
@@ -15,6 +15,7 @@ Arista NG Firewall supports several syslog output rules that may be configured o
* Interface Stat Event
* Intrusion Prevention Log Event
* Session Event
+* Session Stats Event
* System Stat Event
* Web Filter Event
diff --git a/packages/arista_ngfw/changelog.yml b/packages/arista_ngfw/changelog.yml
index 39035d39499..9df41393279 100755
--- a/packages/arista_ngfw/changelog.yml
+++ b/packages/arista_ngfw/changelog.yml
@@ -1,4 +1,39 @@
# newer versions go on top
+- version: 0.5.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "0.4.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "0.3.0"
+ changes:
+ - description: Add parsing for network.bytes and network.packets
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7353
+- version: "0.2.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "0.1.2"
+ changes:
+ - description: Fix interface variables in manifest, and correct duplicate `_conf` fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6854
+- version: "0.1.1"
+ changes:
+ - description: Fix bugs in default ingest pipeline
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6878
+- version: "0.1.0"
+ changes:
+ - description: Add support for session stats events
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6881
- version: "0.0.1"
changes:
- description: Initial draft of the package
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-admin-login.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-admin-login.log-expected.json
index af569cffce7..db0efe8ff2c 100755
--- a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-admin-login.log-expected.json
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-admin-login.log-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2023-05-24T13:09:53.477-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -60,7 +60,7 @@
{
"@timestamp": "2023-05-23T10:06:57.518-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -117,7 +117,7 @@
{
"@timestamp": "2023-05-23T13:35:42.611-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -174,7 +174,7 @@
{
"@timestamp": "2023-05-22T13:47:59.495-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -231,7 +231,7 @@
{
"@timestamp": "2023-05-21T09:58:40.250-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -288,7 +288,7 @@
{
"@timestamp": "2023-05-20T08:12:47.018-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -346,7 +346,7 @@
{
"@timestamp": "2023-05-18T15:08:14.224-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -403,7 +403,7 @@
{
"@timestamp": "2023-05-18T06:58:38.360-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -460,7 +460,7 @@
{
"@timestamp": "2023-05-17T15:04:03.772-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -517,7 +517,7 @@
{
"@timestamp": "2023-05-12T09:09:40.787-06:00",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-firewall-event.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-firewall-event.log-expected.json
index 528a1b689d4..48d233dff76 100755
--- a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-firewall-event.log-expected.json
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-firewall-event.log-expected.json
@@ -6,13 +6,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865377229,
+ "id": "110221865377229",
"kind": "event",
"original": "\u003c174\u003eMay 22 16:32:28 INFO uvm[0]: {\"timeStamp\":\"2023-05-22 16:32:28.771\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865377229,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -55,13 +55,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865377228,
+ "id": "110221865377228",
"kind": "event",
"original": "\u003c174\u003eMay 22 16:32:28 INFO uvm[0]: {\"timeStamp\":\"2023-05-22 16:32:28.194\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865377228,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -104,13 +104,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865377227,
+ "id": "110221865377227",
"kind": "event",
"original": "\u003c174\u003eMay 22 16:32:27 INFO uvm[0]: {\"timeStamp\":\"2023-05-22 16:32:27.875\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865377227,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -153,13 +153,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865377226,
+ "id": "110221865377226",
"kind": "event",
"original": "\u003c174\u003eMay 22 16:32:26 INFO uvm[0]: {\"timeStamp\":\"2023-05-22 16:32:26.743\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865377226,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -202,13 +202,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865377225,
+ "id": "110221865377225",
"kind": "event",
"original": "\u003c174\u003eMay 22 16:32:26 INFO uvm[0]: {\"timeStamp\":\"2023-05-22 16:32:26.686\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865377225,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -251,13 +251,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865377221,
+ "id": "110221865377221",
"kind": "event",
"original": "\u003c174\u003eMay 22 16:32:25 INFO uvm[0]: {\"timeStamp\":\"2023-05-22 16:32:25.504\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865377221,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -300,13 +300,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772671,
+ "id": "110221865772671",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:15 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:15.43\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772671,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -349,13 +349,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772670,
+ "id": "110221865772670",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:14 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:14.164\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772670,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -398,13 +398,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772669,
+ "id": "110221865772669",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:12 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:12.916\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772669,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -447,13 +447,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772668,
+ "id": "110221865772668",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:11 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:11.806\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772668,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -496,13 +496,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772667,
+ "id": "110221865772667",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:11 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:11.718\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772667,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -545,13 +545,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772666,
+ "id": "110221865772666",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:11 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:11.699\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772666,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -594,13 +594,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772664,
+ "id": "110221865772664",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:11 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:11.348\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772664,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -643,13 +643,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772663,
+ "id": "110221865772663",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:11 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:11.214\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772663,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -692,13 +692,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772662,
+ "id": "110221865772662",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:11 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:11.123\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772662,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -741,13 +741,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772661,
+ "id": "110221865772661",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:10 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:10.907\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772661,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -790,13 +790,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772657,
+ "id": "110221865772657",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:10 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:10.382\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772657,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -839,13 +839,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772656,
+ "id": "110221865772656",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:09 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:09.861\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772656,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -888,13 +888,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772655,
+ "id": "110221865772655",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:09 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:09.807\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772655,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
@@ -937,13 +937,13 @@
"flagged": false
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network"
],
- "id": 110221865772654,
+ "id": "110221865772654",
"kind": "event",
"original": "\u003c174\u003eMay 23 15:17:09 INFO uvm[0]: {\"timeStamp\":\"2023-05-23 15:17:09.738\",\"flagged\":false,\"blocked\":false,\"sessionId\":110221865772654,\"ruleId\":0,\"class\":\"class com.untangle.app.firewall.FirewallEvent\"}",
"outcome": "success",
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-http-request.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-http-request.log-expected.json
index 97aab8e6853..e3a68c8a7cd 100755
--- a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-http-request.log-expected.json
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-http-request.log-expected.json
@@ -31,14 +31,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487132,
+ "id": "110221866487132",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:44 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:44.093\",\"method\":\"GET\",\"requestId\":110221859354811,\"domain\":\"amer.ng.msg.teams.microsoft.com\",\"host\":\"amer.ng.msg.teams.microsoft.com\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"D23613W10\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.3388,\"localAddr\":\"192.168.201.21\",\"SServerAddr\":\"67.43.156.12\",\"remoteAddr\":\"67.43.156.12\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.21\",\"serverCountry\":\"US\",\"sessionId\":110221866487132,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":59560,\"timeStamp\":\"2023-05-25 09:07:44.062\",\"serverLongitude\":-121.8914,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":13485,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.12\",\"username\":\"johndoe\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -48,6 +48,9 @@
"start"
]
},
+ "host": {
+ "name": "D23613W10"
+ },
"http": {
"request": {
"bytes": 0,
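Review bot: The new `host.name` value ("D23613W10") is the `hostname` from `sessionEvent` in `event.original`, which sits alongside `CClientAddr`/`localAddr` (192.168.201.21) and so appears to describe the client device of the session, not the Arista NGFW appliance that emitted the syslog line. In ECS, `host.*` is the host on which the event happened or was observed; filling it with the client's name means host-centric dashboards and host-based detections will attribute every proxied session to the client device rather than the observer, and it can collide with the `host.name` set by the shipping agent. If that reading is right, the client hostname belongs in `source.domain` (or `client.domain`) while `host.*`/`observer.*` stays with the firewall; the `related.hosts` entry added at the next hunk can stay as is. The same pattern repeats in every `"host": {` hunk of this file and of test-http-response.log-expected.json, so the fix would be in the ingest pipeline and these fixtures would be regenerated rather than edited by hand.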
@@ -94,6 +97,7 @@
},
"related": {
"hosts": [
+ "D23613W10",
"amer.ng.msg.teams.microsoft.com"
],
"ip": [
@@ -158,14 +162,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487106,
+ "id": "110221866487106",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:34 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:34.395\",\"method\":\"GET\",\"requestId\":110221859354809,\"domain\":\"mozilla.cloudflare-dns.com\",\"host\":\"mozilla.cloudflare-dns.com\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"RemoteApp1\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.200.50\",\"SServerAddr\":\"81.2.69.142\",\"remoteAddr\":\"81.2.69.142\",\"serverIntf\":1,\"CClientAddr\":\"192.168.200.50\",\"serverCountry\":\"US\",\"sessionId\":110221866487106,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":16040,\"timeStamp\":\"2023-05-25 09:07:34.386\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":15128,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.142\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -175,6 +179,9 @@
"start"
]
},
+ "host": {
+ "name": "RemoteApp1"
+ },
"http": {
"request": {
"bytes": 0,
@@ -221,6 +228,7 @@
},
"related": {
"hosts": [
+ "RemoteApp1",
"mozilla.cloudflare-dns.com"
],
"ip": [
@@ -279,14 +287,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487103,
+ "id": "110221866487103",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:33 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:33.314\",\"method\":\"GET\",\"requestId\":110221859354806,\"domain\":\"sb.scorecardresearch.com\",\"host\":\"sb.scorecardresearch.com\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.6\",\"SServerAddr\":\"67.43.156.12\",\"remoteAddr\":\"67.43.156.12\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.6\",\"serverCountry\":\"US\",\"sessionId\":110221866487103,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":51598,\"timeStamp\":\"2023-05-25 09:07:33.273\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":45333,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.12\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -296,6 +304,9 @@
"start"
]
},
+ "host": {
+ "name": "Galaxy-S22"
+ },
"http": {
"request": {
"bytes": 0,
@@ -342,6 +353,7 @@
},
"related": {
"hosts": [
+ "Galaxy-S22",
"sb.scorecardresearch.com"
],
"ip": [
@@ -400,14 +412,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487093,
+ "id": "110221866487093",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:30 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:30.333\",\"method\":\"GET\",\"requestId\":110221859354805,\"domain\":\"www.gstatic.com\",\"host\":\"www.gstatic.com\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.6\",\"SServerAddr\":\"67.43.156.12\",\"remoteAddr\":\"67.43.156.12\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.6\",\"serverCountry\":\"US\",\"sessionId\":110221866487093,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":50548,\"timeStamp\":\"2023-05-25 09:07:30.316\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":39662,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.12\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -417,6 +429,9 @@
"start"
]
},
+ "host": {
+ "name": "Galaxy-S22"
+ },
"http": {
"request": {
"bytes": 0,
@@ -463,6 +478,7 @@
},
"related": {
"hosts": [
+ "Galaxy-S22",
"www.gstatic.com"
],
"ip": [
@@ -521,14 +537,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487086,
+ "id": "110221866487086",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:30 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:30.118\",\"method\":\"GET\",\"requestId\":110221859354804,\"domain\":\"inapps.appsflyer.com\",\"host\":\"inapps.appsflyer.com\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.6\",\"SServerAddr\":\"67.43.156.12\",\"remoteAddr\":\"67.43.156.12\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.6\",\"serverCountry\":\"US\",\"sessionId\":110221866487086,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36398,\"timeStamp\":\"2023-05-25 09:07:30.072\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":40425,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.12\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -538,6 +554,9 @@
"start"
]
},
+ "host": {
+ "name": "Galaxy-S22"
+ },
"http": {
"request": {
"bytes": 0,
@@ -584,6 +603,7 @@
},
"related": {
"hosts": [
+ "Galaxy-S22",
"inapps.appsflyer.com"
],
"ip": [
@@ -642,14 +662,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487071,
+ "id": "110221866487071",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:29 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:29.775\",\"method\":\"GET\",\"requestId\":110221859354791,\"domain\":\"data.pendo.io\",\"host\":\"data.pendo.io\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":39.1028,\"localAddr\":\"192.168.201.6\",\"SServerAddr\":\"67.43.156.12\",\"remoteAddr\":\"67.43.156.12\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.6\",\"serverCountry\":\"US\",\"sessionId\":110221866487071,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":40596,\"timeStamp\":\"2023-05-25 09:07:29.763\",\"serverLongitude\":-94.5778,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":32984,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.12\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -659,6 +679,9 @@
"start"
]
},
+ "host": {
+ "name": "Galaxy-S22"
+ },
"http": {
"request": {
"bytes": 0,
@@ -705,6 +728,7 @@
},
"related": {
"hosts": [
+ "Galaxy-S22",
"data.pendo.io"
],
"ip": [
@@ -763,14 +787,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487052,
+ "id": "110221866487052",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:28 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:28.758\",\"method\":\"GET\",\"requestId\":110221859354783,\"domain\":\"telemetry.elastic.co\",\"host\":\"telemetry.elastic.co\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Elastic\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":39.1028,\"localAddr\":\"192.168.200.15\",\"SServerAddr\":\"67.43.156.12\",\"remoteAddr\":\"67.43.156.12\",\"serverIntf\":1,\"CClientAddr\":\"192.168.200.15\",\"serverCountry\":\"US\",\"sessionId\":110221866487052,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":52762,\"timeStamp\":\"2023-05-25 09:07:28.754\",\"serverLongitude\":-94.5778,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":30035,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.12\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -780,6 +804,9 @@
"start"
]
},
+ "host": {
+ "name": "Elastic"
+ },
"http": {
"request": {
"bytes": 0,
@@ -826,6 +853,7 @@
},
"related": {
"hosts": [
+ "Elastic",
"telemetry.elastic.co"
],
"ip": [
@@ -884,14 +912,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487028,
+ "id": "110221866487028",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:28 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:28.187\",\"method\":\"GET\",\"requestId\":110221859354760,\"domain\":\"wn0.rumble.com\",\"host\":\"wn0.rumble.com\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"localAddr\":\"192.168.201.6\",\"SServerAddr\":\"67.43.156.12\",\"remoteAddr\":\"67.43.156.12\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.6\",\"serverCountry\":\"XU\",\"sessionId\":110221866487028,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":57482,\"timeStamp\":\"2023-05-25 09:07:28.157\",\"clientIntf\":2,\"policyId\":1,\"SClientPort\":13556,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.12\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -901,6 +929,9 @@
"start"
]
},
+ "host": {
+ "name": "Galaxy-S22"
+ },
"http": {
"request": {
"bytes": 0,
@@ -947,6 +978,7 @@
},
"related": {
"hosts": [
+ "Galaxy-S22",
"wn0.rumble.com"
],
"ip": [
@@ -1005,14 +1037,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487026,
+ "id": "110221866487026",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:27 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:27.517\",\"method\":\"GET\",\"requestId\":110221859354759,\"domain\":\"play-fe.googleapis.com\",\"host\":\"play-fe.googleapis.com\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.6\",\"SServerAddr\":\"67.43.156.12\",\"remoteAddr\":\"67.43.156.12\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.6\",\"serverCountry\":\"US\",\"sessionId\":110221866487026,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":60308,\"timeStamp\":\"2023-05-25 09:07:27.498\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":21706,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.12\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -1022,6 +1054,9 @@
"start"
]
},
+ "host": {
+ "name": "Galaxy-S22"
+ },
"http": {
"request": {
"bytes": 0,
@@ -1068,6 +1103,7 @@
},
"related": {
"hosts": [
+ "Galaxy-S22",
"play-fe.googleapis.com"
],
"ip": [
@@ -1126,14 +1162,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866487024,
+ "id": "110221866487024",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:07:27 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:07:27.295\",\"method\":\"GET\",\"requestId\":110221859354758,\"domain\":\"api.accuweather.com\",\"host\":\"api.accuweather.com\",\"contentLength\":0,\"requestUri\":\"/\",\"class\":\"class com.untangle.app.http.HttpRequestEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.6\",\"SServerAddr\":\"67.43.156.12\",\"remoteAddr\":\"67.43.156.12\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.6\",\"serverCountry\":\"US\",\"sessionId\":110221866487024,\"SClientAddr\":\"1.128.0.1\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":48988,\"timeStamp\":\"2023-05-25 09:07:27.284\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":48278,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.12\",\"tagsString\":\"\"}}",
"provider": "http_request",
@@ -1143,6 +1179,9 @@
"start"
]
},
+ "host": {
+ "name": "Galaxy-S22"
+ },
"http": {
"request": {
"bytes": 0,
@@ -1189,6 +1228,7 @@
},
"related": {
"hosts": [
+ "Galaxy-S22",
"api.accuweather.com"
],
"ip": [
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-http-response.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-http-response.log-expected.json
index 9f0f459609c..05be611c33f 100755
--- a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-http-response.log-expected.json
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-http-response.log-expected.json
@@ -32,14 +32,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866602155,
+ "id": "110221866602155",
"kind": "event",
"original": "\u003c174\u003eMay 25 13:59:11 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 13:59:11.622\",\"contentLength\":8,\"requestLine\":\"GET http://detectportal.firefox.com/success.txt?ipv4\",\"contentType\":\"text/plain\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 13:59:11.613\",\"method\":\"GET\",\"requestId\":110221859378971,\"domain\":\"detectportal.firefox.com\",\"host\":\"detectportal.firefox.com\",\"contentLength\":0,\"requestUri\":\"/success.txt?ipv4\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":39.1028,\"localAddr\":\"192.168.200.25\",\"SServerAddr\":\"67.43.156.91\",\"remoteAddr\":\"67.43.156.91\",\"serverIntf\":1,\"CClientAddr\":\"192.168.200.25\",\"serverCountry\":\"US\",\"sessionId\":110221866602155,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":41968,\"timeStamp\":\"2023-05-25 13:55:24.843\",\"serverLongitude\":-94.5778,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":47164,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.91\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -49,6 +49,9 @@
"end"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"http": {
"request": {
"method": "GET"
@@ -97,6 +100,7 @@
},
"related": {
"hosts": [
+ "ubuntu",
"detectportal.firefox.com"
],
"ip": [
@@ -162,14 +166,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866590454,
+ "id": "110221866590454",
"kind": "event",
"original": "\u003c174\u003eMay 25 13:28:56 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 13:28:56.752\",\"contentLength\":0,\"requestLine\":\"GET http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEHHvVXSvNVTDWixp9m9La80%3D\",\"contentType\":\"application/ocsp-response\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 13:28:56.741\",\"method\":\"GET\",\"requestId\":110221859376527,\"domain\":\"ocsp.entrust.net\",\"host\":\"ocsp.entrust.net\",\"contentLength\":0,\"requestUri\":\"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEHHvVXSvNVTDWixp9m9La80%3D\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"D23613W10\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.21\",\"SServerAddr\":\"67.43.156.17\",\"remoteAddr\":\"67.43.156.17\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.21\",\"serverCountry\":\"US\",\"sessionId\":110221866590454,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":62349,\"timeStamp\":\"2023-05-25 13:28:56.735\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":15108,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.17\",\"username\":\"eric\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -179,6 +183,9 @@
"end"
]
},
+ "host": {
+ "name": "D23613W10"
+ },
"http": {
"request": {
"method": "GET"
@@ -227,6 +234,7 @@
},
"related": {
"hosts": [
+ "D23613W10",
"ocsp.entrust.net"
],
"ip": [
@@ -296,14 +304,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866590452,
+ "id": "110221866590452",
"kind": "event",
"original": "\u003c174\u003eMay 25 13:28:56 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 13:28:56.693\",\"contentLength\":0,\"requestLine\":\"GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?9d222919ed61d6da\",\"contentType\":\"application/vnd.ms-cab-compressed\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 13:28:56.684\",\"method\":\"GET\",\"requestId\":110221859376526,\"domain\":\"ctldl.windowsupdate.com\",\"host\":\"ctldl.windowsupdate.com\",\"contentLength\":0,\"requestUri\":\"/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?9d222919ed61d6da\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"D23613W10\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.21\",\"SServerAddr\":\"67.43.156.52\",\"remoteAddr\":\"67.43.156.52\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.21\",\"serverCountry\":\"US\",\"sessionId\":110221866590452,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":62348,\"timeStamp\":\"2023-05-25 13:28:56.656\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":19844,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.52\",\"username\":\"eric\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -313,6 +321,9 @@
"end"
]
},
+ "host": {
+ "name": "D23613W10"
+ },
"http": {
"request": {
"method": "GET"
@@ -361,6 +372,7 @@
},
"related": {
"hosts": [
+ "D23613W10",
"ctldl.windowsupdate.com"
],
"ip": [
@@ -432,14 +444,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866589634,
+ "id": "110221866589634",
"kind": "event",
"original": "\u003c174\u003eMay 25 13:28:17 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 13:28:17.055\",\"contentLength\":1736,\"requestLine\":\"POST http://dmd.metaservices.microsoft.com/metadata.svc\",\"contentType\":\"text/xml\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 13:28:17.019\",\"method\":\"POST\",\"requestId\":110221859376508,\"domain\":\"dmd.metaservices.microsoft.com\",\"host\":\"dmd.metaservices.microsoft.com\",\"contentLength\":1270,\"requestUri\":\"/metadata.svc\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"RemoteApp1\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.3388,\"localAddr\":\"192.168.200.50\",\"SServerAddr\":\"67.43.156.7\",\"remoteAddr\":\"67.43.156.7\",\"serverIntf\":1,\"CClientAddr\":\"192.168.200.50\",\"serverCountry\":\"US\",\"sessionId\":110221866589634,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":19486,\"timeStamp\":\"2023-05-25 13:28:11.523\",\"serverLongitude\":-121.8914,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":31487,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.7\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -449,6 +461,9 @@
"end"
]
},
+ "host": {
+ "name": "RemoteApp1"
+ },
"http": {
"request": {
"method": "POST"
@@ -497,6 +512,7 @@
},
"related": {
"hosts": [
+ "RemoteApp1",
"dmd.metaservices.microsoft.com"
],
"ip": [
@@ -561,14 +577,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866589745,
+ "id": "110221866589745",
"kind": "event",
"original": "\u003c174\u003eMay 25 13:28:17 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 13:28:17.015\",\"contentLength\":0,\"requestLine\":\"POST http://go.microsoft.com/fwlink/?LinkID=252669\u0026clcid=0x409\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 13:28:17.007\",\"method\":\"POST\",\"requestId\":110221859376507,\"domain\":\"go.microsoft.com\",\"host\":\"go.microsoft.com\",\"contentLength\":1270,\"requestUri\":\"/fwlink/?LinkID=252669\u0026clcid=0x409\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"RemoteApp1\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.200.50\",\"SServerAddr\":\"67.43.156.101\",\"remoteAddr\":\"67.43.156.101\",\"serverIntf\":1,\"CClientAddr\":\"192.168.200.50\",\"serverCountry\":\"US\",\"sessionId\":110221866589745,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":19498,\"timeStamp\":\"2023-05-25 13:28:17.002\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":48711,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.101\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -578,6 +594,9 @@
"end"
]
},
+ "host": {
+ "name": "RemoteApp1"
+ },
"http": {
"request": {
"method": "POST"
@@ -626,6 +645,7 @@
},
"related": {
"hosts": [
+ "RemoteApp1",
"go.microsoft.com"
],
"ip": [
@@ -690,14 +710,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866586859,
+ "id": "110221866586859",
"kind": "event",
"original": "\u003c174\u003eMay 25 13:20:58 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 13:20:58.327\",\"contentLength\":0,\"requestLine\":\"GET http://connectivitycheck.gstatic.com/generate_204\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 13:20:58.316\",\"method\":\"GET\",\"requestId\":110221859376191,\"domain\":\"connectivitycheck.gstatic.com\",\"host\":\"connectivitycheck.gstatic.com\",\"contentLength\":0,\"requestUri\":\"/generate_204\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.6\",\"SServerAddr\":\"67.43.156.56\",\"remoteAddr\":\"67.43.156.56\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.6\",\"serverCountry\":\"US\",\"sessionId\":110221866586859,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":44148,\"timeStamp\":\"2023-05-25 13:20:57.995\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":31260,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.56\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -707,6 +727,9 @@
"end"
]
},
+ "host": {
+ "name": "Galaxy-S22"
+ },
"http": {
"request": {
"method": "GET"
@@ -755,6 +778,7 @@
},
"related": {
"hosts": [
+ "Galaxy-S22",
"connectivitycheck.gstatic.com"
],
"ip": [
@@ -818,14 +842,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866586366,
+ "id": "110221866586366",
"kind": "event",
"original": "\u003c174\u003eMay 25 13:18:39 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 13:18:39.717\",\"contentLength\":471,\"requestLine\":\"POST http://ocsp.digicert.com/\",\"contentType\":\"application/ocsp-response\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 13:18:39.707\",\"method\":\"POST\",\"requestId\":110221859376170,\"domain\":\"ocsp.digicert.com\",\"host\":\"ocsp.digicert.com\",\"contentLength\":83,\"requestUri\":\"/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"RemoteApp1\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.200.50\",\"SServerAddr\":\"67.43.156.35\",\"remoteAddr\":\"67.43.156.35\",\"serverIntf\":1,\"CClientAddr\":\"192.168.200.50\",\"serverCountry\":\"US\",\"sessionId\":110221866586366,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":19427,\"timeStamp\":\"2023-05-25 13:18:39.704\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":43090,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.35\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -835,6 +859,9 @@
"end"
]
},
+ "host": {
+ "name": "RemoteApp1"
+ },
"http": {
"request": {
"method": "POST"
@@ -883,6 +910,7 @@
},
"related": {
"hosts": [
+ "RemoteApp1",
"ocsp.digicert.com"
],
"ip": [
@@ -946,14 +974,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866571317,
+ "id": "110221866571317",
"kind": "event",
"original": "\u003c174\u003eMay 25 12:20:36 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 12:20:36.57\",\"contentLength\":1048576,\"contentFilename\":\"microsoft.bingweather_4.53.51361.0_neutral_~_8wekyb3d8bbwe.appxbundle\",\"requestLine\":\"GET http://2.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39e27d1a-be46-4e95-be41-1fc48d1ba686?P1=1685040131\u0026P2=404\u0026P3=2\u0026P4=Vf%2fpxph%2fQJH7%2bPZqc3Xz67gngLpb9rnmPKNOcGPYlicP6iPXjtm%2fbGOxnQU8ZrFgGnsw8Ipj14OS%2fVkJglNd6A%3d%3d\",\"contentType\":\"application/octet-stream\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 12:20:36.509\",\"method\":\"GET\",\"requestId\":110221859374271,\"domain\":\"2.tlu.dl.delivery.mp.microsoft.com\",\"host\":\"2.tlu.dl.delivery.mp.microsoft.com\",\"contentLength\":0,\"requestUri\":\"/filestreamingservice/files/39e27d1a-be46-4e95-be41-1fc48d1ba686?P1=1685040131\u0026P2=404\u0026P3=2\u0026P4=Vf%2fpxph%2fQJH7%2bPZqc3Xz67gngLpb9rnmPKNOcGPYlicP6iPXjtm%2fbGOxnQU8ZrFgGnsw8Ipj14OS%2fVkJglNd6A%3d%3d\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"D23613W10\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.21\",\"SServerAddr\":\"67.43.156.172\",\"remoteAddr\":\"67.43.156.172\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.21\",\"serverCountry\":\"US\",\"sessionId\":110221866571317,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":54631,\"timeStamp\":\"2023-05-25 12:20:36.113\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":49992,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.172\",\"username\":\"eric\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -966,6 +994,9 @@
"file": {
"name": "microsoft.bingweather_4.53.51361.0_neutral_~_8wekyb3d8bbwe.appxbundle"
},
+ "host": {
+ "name": "D23613W10"
+ },
"http": {
"request": {
"method": "GET"
@@ -1014,6 +1045,7 @@
},
"related": {
"hosts": [
+ "D23613W10",
"2.tlu.dl.delivery.mp.microsoft.com"
],
"ip": [
@@ -1084,14 +1116,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866571313,
+ "id": "110221866571313",
"kind": "event",
"original": "\u003c174\u003eMay 25 12:20:35 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 12:20:35.953\",\"contentLength\":1048576,\"contentFilename\":\"microsoft.microsoftofficehub_18.2304.1202.0_neutral_~_8wekyb3d8bbwe.appxbundle\",\"requestLine\":\"GET http://2.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/faa30c4e-450f-45b5-9ba8-d999d270c123?P1=1685039689\u0026P2=404\u0026P3=2\u0026P4=J5KXMJWKulWN6iU7zXXnBHsN5grFqq4jTLeBolgTSTDCAvNAorpE%2fWRUlfYgNfcHUzyzDSl9S5jMYOK%2fY9Gqjg%3d%3d\",\"contentType\":\"application/octet-stream\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 12:20:35.738\",\"method\":\"GET\",\"requestId\":110221859374261,\"domain\":\"2.tlu.dl.delivery.mp.microsoft.com\",\"host\":\"2.tlu.dl.delivery.mp.microsoft.com\",\"contentLength\":0,\"requestUri\":\"/filestreamingservice/files/faa30c4e-450f-45b5-9ba8-d999d270c123?P1=1685039689\u0026P2=404\u0026P3=2\u0026P4=J5KXMJWKulWN6iU7zXXnBHsN5grFqq4jTLeBolgTSTDCAvNAorpE%2fWRUlfYgNfcHUzyzDSl9S5jMYOK%2fY9Gqjg%3d%3d\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"D23613W10\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.201.21\",\"SServerAddr\":\"67.43.156.173\",\"remoteAddr\":\"67.43.156.173\",\"serverIntf\":1,\"CClientAddr\":\"192.168.201.21\",\"serverCountry\":\"US\",\"sessionId\":110221866571313,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":54628,\"timeStamp\":\"2023-05-25 12:20:35.702\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":26442,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.173\",\"username\":\"eric\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -1104,6 +1136,9 @@
"file": {
"name": "microsoft.microsoftofficehub_18.2304.1202.0_neutral_~_8wekyb3d8bbwe.appxbundle"
},
+ "host": {
+ "name": "D23613W10"
+ },
"http": {
"request": {
"method": "GET"
@@ -1152,6 +1187,7 @@
},
"related": {
"hosts": [
+ "D23613W10",
"2.tlu.dl.delivery.mp.microsoft.com"
],
"ip": [
@@ -1222,14 +1258,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866498840,
+ "id": "110221866498840",
"kind": "event",
"original": "\u003c174\u003eMay 25 09:28:51 INFO uvm[0]: {\"timeStamp\":\"2023-05-25 09:28:51.57\",\"contentLength\":1551,\"requestLine\":\"GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CECnEX2U8xxBTGE6%2BVZZgJjI%3D\",\"contentType\":\"application/ocsp-response\",\"class\":\"class com.untangle.app.http.HttpResponseEvent\",\"httpRequestEvent\":{\"timeStamp\":\"2023-05-25 09:28:51.333\",\"method\":\"GET\",\"requestId\":110221859359026,\"domain\":\"ocsp.verisign.com\",\"host\":\"ocsp.verisign.com\",\"contentLength\":0,\"requestUri\":\"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CECnEX2U8xxBTGE6%2BVZZgJjI%3D\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"RemoteApp1\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"192.168.200.50\",\"SServerAddr\":\"67.43.156.128\",\"remoteAddr\":\"67.43.156.128\",\"serverIntf\":1,\"CClientAddr\":\"192.168.200.50\",\"serverCountry\":\"US\",\"sessionId\":110221866498840,\"SClientAddr\":\"1.128.0.10\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":17824,\"timeStamp\":\"2023-05-25 09:28:51.329\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":10848,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"67.43.156.128\",\"tagsString\":\"\"}}}",
"provider": "http_response",
@@ -1239,6 +1275,9 @@
"end"
]
},
+ "host": {
+ "name": "RemoteApp1"
+ },
"http": {
"request": {
"method": "GET"
@@ -1287,6 +1326,7 @@
},
"related": {
"hosts": [
+ "RemoteApp1",
"ocsp.verisign.com"
],
"ip": [
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-interface-stats.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-interface-stats.log-expected.json
index a1a9f4afd42..792d5031c3a 100755
--- a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-interface-stats.log-expected.json
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-interface-stats.log-expected.json
@@ -16,7 +16,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -69,7 +69,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -122,7 +122,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -175,7 +175,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -228,7 +228,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -281,7 +281,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -334,7 +334,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -387,7 +387,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -440,7 +440,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -493,7 +493,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -546,7 +546,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -599,7 +599,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -652,7 +652,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -705,7 +705,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -758,7 +758,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -811,7 +811,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -864,7 +864,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -917,7 +917,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -970,7 +970,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1023,7 +1023,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-intrusion-detection.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-intrusion-detection.log-expected.json
index 788389aa5db..a291587dd78 100755
--- a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-intrusion-detection.log-expected.json
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-intrusion-detection.log-expected.json
@@ -12,7 +12,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -24,7 +24,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
@@ -97,7 +96,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -109,7 +108,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
@@ -179,7 +177,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -191,7 +189,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
@@ -267,7 +264,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -279,7 +276,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
@@ -355,7 +351,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -367,7 +363,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
@@ -443,7 +438,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -455,7 +450,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
@@ -531,7 +525,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -543,7 +537,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
@@ -619,7 +612,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -631,7 +624,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
@@ -707,7 +699,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -719,7 +711,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
@@ -795,7 +786,7 @@
"ip": "1.128.0.72"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -807,7 +798,6 @@
"provider": "intrusion_prevention",
"timezone": "America/Denver",
"type": [
- "denied",
"denied"
]
},
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-event.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-event.log-expected.json
index 1ea8e94a93a..13d2d932eb3 100755
--- a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-event.log-expected.json
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-event.log-expected.json
@@ -33,14 +33,14 @@
"port": 9930
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221863965041,
+ "id": "110221863965041",
"kind": "alert",
"original": "\u003c174\u003eMay 19 11:52:37 INFO uvm[0]: {\"entitled\":true,\"protocol\":17,\"hostname\":\"Host1\",\"CServerPort\":9930,\"protocolName\":\"UDP\",\"serverLatitude\":36.551,\"localAddr\":\"10.0.0.21\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"216.160.83.56\",\"remoteAddr\":\"216.160.83.56\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.0\",\"serverCountry\":\"US\",\"sessionId\":110221863965041,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":59881,\"timeStamp\":\"2023-05-19 11:52:37.962\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":59881,\"bypassed\":false,\"SServerPort\":9930,\"CServerAddr\":\"216.160.83.56\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -49,6 +49,9 @@
"info"
]
},
+ "host": {
+ "name": "Host1"
+ },
"log": {
"syslog": {
"facility": {
@@ -88,6 +91,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "Host1"
+ ],
"ip": [
"216.160.83.56",
"10.0.0.0",
@@ -140,14 +146,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221863965040,
+ "id": "110221863965040",
"kind": "alert",
"original": "\u003c174\u003eMay 19 11:52:36 INFO uvm[0]: {\"entitled\":true,\"protocol\":17,\"hostname\":\"hp_printer\",\"CServerPort\":443,\"protocolName\":\"UDP\",\"serverLatitude\":36.551,\"localAddr\":\"10.0.0.6\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"81.2.69.207\",\"remoteAddr\":\"81.2.69.207\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.6\",\"serverCountry\":\"US\",\"sessionId\":110221863965040,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":45028,\"timeStamp\":\"2023-05-19 11:52:36.589\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":45028,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.207\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -156,6 +162,9 @@
"info"
]
},
+ "host": {
+ "name": "hp_printer"
+ },
"log": {
"syslog": {
"facility": {
@@ -195,6 +204,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "hp_printer"
+ ],
"ip": [
"81.2.69.207",
"10.0.0.6",
@@ -247,14 +259,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221863965038,
+ "id": "110221863965038",
"kind": "alert",
"original": "\u003c174\u003eMay 19 11:52:35 INFO uvm[0]: {\"entitled\":true,\"protocol\":17,\"hostname\":\"LAPTOP1\",\"CServerPort\":443,\"protocolName\":\"UDP\",\"serverLatitude\":36.551,\"localAddr\":\"10.0.0.17\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.121\",\"remoteAddr\":\"67.43.156.121\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.17\",\"serverCountry\":\"US\",\"sessionId\":110221863965038,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":63136,\"timeStamp\":\"2023-05-19 11:52:35.486\",\"serverLongitude\":-91.0329,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":63136,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.121\",\"username\":\"john\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -263,6 +275,9 @@
"info"
]
},
+ "host": {
+ "name": "LAPTOP1"
+ },
"log": {
"syslog": {
"facility": {
@@ -302,6 +317,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "LAPTOP1"
+ ],
"ip": [
"67.43.156.121",
"10.0.0.17",
@@ -348,14 +366,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865374876,
+ "id": "110221865374876",
"kind": "alert",
"original": "\u003c174\u003eMay 22 16:25:58 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"169.254.169.254\",\"remoteAddr\":\"169.254.169.254\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"XU\",\"sessionId\":110221865374876,\"SClientAddr\":\"89.160.20.112\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":33646,\"timeStamp\":\"2023-05-22 16:25:58.947\",\"clientIntf\":2,\"policyId\":1,\"SClientPort\":33646,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"169.254.169.254\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -364,6 +382,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -403,6 +424,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"169.254.169.254",
"10.0.0.25",
@@ -455,14 +479,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865374875,
+ "id": "110221865374875",
"kind": "alert",
"original": "\u003c174\u003eMay 22 16:25:58 INFO uvm[0]: {\"entitled\":true,\"protocol\":17,\"hostname\":\"iPhone\",\"CServerPort\":443,\"protocolName\":\"UDP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.10\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"81.2.69.192\",\"remoteAddr\":\"81.2.69.192\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.10\",\"serverCountry\":\"US\",\"sessionId\":110221865374875,\"SClientAddr\":\"89.160.20.112\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":58377,\"timeStamp\":\"2023-05-22 16:25:58.908\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":58377,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.192\",\"username\":\"jane\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -471,6 +495,9 @@
"info"
]
},
+ "host": {
+ "name": "iPhone"
+ },
"log": {
"syslog": {
"facility": {
@@ -510,6 +537,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "iPhone"
+ ],
"ip": [
"81.2.69.192",
"10.0.0.10",
@@ -556,14 +586,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865374869,
+ "id": "110221865374869",
"kind": "alert",
"original": "\u003c174\u003eMay 22 16:25:58 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"169.254.169.254\",\"remoteAddr\":\"169.254.169.254\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"XU\",\"sessionId\":110221865374869,\"SClientAddr\":\"89.160.20.112\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":44558,\"timeStamp\":\"2023-05-22 16:25:58.889\",\"clientIntf\":2,\"policyId\":1,\"SClientPort\":12495,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"169.254.169.254\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -572,6 +602,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -611,6 +644,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"169.254.169.254",
"10.0.0.25",
@@ -651,14 +687,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865374868,
+ "id": "110221865374868",
"kind": "alert",
"original": "\u003c174\u003eMay 22 16:25:58 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"169.254.169.254\",\"remoteAddr\":\"169.254.169.254\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"XU\",\"sessionId\":110221865374868,\"SClientAddr\":\"89.160.20.112\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":33586,\"timeStamp\":\"2023-05-22 16:25:58.888\",\"clientIntf\":2,\"policyId\":1,\"SClientPort\":30896,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"169.254.169.254\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -667,6 +703,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -706,6 +745,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"169.254.169.254",
"10.0.0.25",
@@ -758,14 +800,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771938,
+ "id": "110221865771938",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:14 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771938,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36050,\"timeStamp\":\"2023-05-23 15:11:14.323\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":36050,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -774,6 +816,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -813,6 +858,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
@@ -865,14 +913,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771937,
+ "id": "110221865771937",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:13 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771937,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36048,\"timeStamp\":\"2023-05-23 15:11:13.104\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":34178,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -881,6 +929,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -920,6 +971,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
@@ -972,14 +1026,14 @@
"port": 9930
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771936,
+ "id": "110221865771936",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:12 INFO uvm[0]: {\"entitled\":true,\"protocol\":17,\"hostname\":\"hp_printer\",\"CServerPort\":9930,\"protocolName\":\"UDP\",\"serverLatitude\":39.0481,\"localAddr\":\"10.0.0.0\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"175.16.199.25\",\"remoteAddr\":\"175.16.199.25\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.0\",\"serverCountry\":\"US\",\"sessionId\":110221865771936,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":37004,\"timeStamp\":\"2023-05-23 15:11:12.179\",\"serverLongitude\":-77.4728,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":37004,\"bypassed\":false,\"SServerPort\":9930,\"CServerAddr\":\"175.16.199.25\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -988,6 +1042,9 @@
"info"
]
},
+ "host": {
+ "name": "hp_printer"
+ },
"log": {
"syslog": {
"facility": {
@@ -1027,6 +1084,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "hp_printer"
+ ],
"ip": [
"175.16.199.25",
"10.0.0.0",
@@ -1079,14 +1139,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771935,
+ "id": "110221865771935",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:11 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771935,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36038,\"timeStamp\":\"2023-05-23 15:11:11.892\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":36038,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -1095,6 +1155,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -1134,6 +1197,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
@@ -1186,14 +1252,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771933,
+ "id": "110221865771933",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:10 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771933,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36026,\"timeStamp\":\"2023-05-23 15:11:10.669\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":36026,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -1202,6 +1268,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -1241,6 +1310,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
@@ -1293,14 +1365,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771929,
+ "id": "110221865771929",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:09 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771929,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36330,\"timeStamp\":\"2023-05-23 15:11:09.425\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":36330,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -1309,6 +1381,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -1348,6 +1423,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
@@ -1400,14 +1478,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771928,
+ "id": "110221865771928",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:08 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771928,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36322,\"timeStamp\":\"2023-05-23 15:11:08.187\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":36322,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -1416,6 +1494,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -1455,6 +1536,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
@@ -1507,14 +1591,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771927,
+ "id": "110221865771927",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:06 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771927,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36308,\"timeStamp\":\"2023-05-23 15:11:06.92\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":46905,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -1523,6 +1607,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -1562,6 +1649,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
@@ -1614,14 +1704,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771926,
+ "id": "110221865771926",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:05 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771926,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36296,\"timeStamp\":\"2023-05-23 15:11:05.679\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":29004,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -1630,6 +1720,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -1669,6 +1762,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
@@ -1721,14 +1817,14 @@
"port": 9930
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771922,
+ "id": "110221865771922",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:05 INFO uvm[0]: {\"entitled\":true,\"protocol\":17,\"hostname\":\"hp_printer\",\"CServerPort\":9930,\"protocolName\":\"UDP\",\"serverLatitude\":39.0481,\"localAddr\":\"10.0.0.0\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"175.16.199.25\",\"remoteAddr\":\"175.16.199.25\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.0\",\"serverCountry\":\"US\",\"sessionId\":110221865771922,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":59969,\"timeStamp\":\"2023-05-23 15:11:05.128\",\"serverLongitude\":-77.4728,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":59969,\"bypassed\":false,\"SServerPort\":9930,\"CServerAddr\":\"175.16.199.25\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -1737,6 +1833,9 @@
"info"
]
},
+ "host": {
+ "name": "hp_printer"
+ },
"log": {
"syslog": {
"facility": {
@@ -1776,6 +1875,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "hp_printer"
+ ],
"ip": [
"175.16.199.25",
"10.0.0.0",
@@ -1828,14 +1930,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771920,
+ "id": "110221865771920",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:04 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771920,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36286,\"timeStamp\":\"2023-05-23 15:11:04.435\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":41723,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -1844,6 +1946,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -1883,6 +1988,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
@@ -1923,14 +2031,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771919,
+ "id": "110221865771919",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:04 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"169.254.169.254\",\"remoteAddr\":\"169.254.169.254\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"XU\",\"sessionId\":110221865771919,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":54494,\"timeStamp\":\"2023-05-23 15:11:04.104\",\"clientIntf\":2,\"policyId\":1,\"SClientPort\":54494,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"169.254.169.254\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -1939,6 +2047,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -1978,6 +2089,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"169.254.169.254",
"10.0.0.25",
@@ -2030,14 +2144,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"session"
],
- "id": 110221865771918,
+ "id": "110221865771918",
"kind": "alert",
"original": "\u003c174\u003eMay 23 15:11:03 INFO uvm[0]: {\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"67.43.156.1\",\"remoteAddr\":\"67.43.156.1\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865771918,\"SClientAddr\":\"1.128.0.172\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":36274,\"timeStamp\":\"2023-05-23 15:11:03.201\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":36274,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.1\",\"tagsString\":\"\"}",
"provider": "session_event",
@@ -2046,6 +2160,9 @@
"info"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"log": {
"syslog": {
"facility": {
@@ -2085,6 +2202,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"67.43.156.1",
"10.0.0.25",
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-stats.log b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-stats.log
new file mode 100755
index 00000000000..a2bc8e55fbd
--- /dev/null
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-stats.log
@@ -0,0 +1,10 @@
+<174>Jul 8 08:58:34 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:34.93","s2pBytes":0,"p2sBytes":95,"endTime":1688828314930,"sessionId":110556429407325,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":17,"hostname":"HP2A4366","CServerPort":9930,"protocolName":"UDP","serverLatitude":39.0469,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429407325,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":0,"CClientPort":49825,"timeStamp":"2023-07-08 08:58:33.93","serverLongitude":-77.4903,"clientIntf":2,"policyId":1,"SClientPort":49825,"bypassed":false,"SServerPort":9930,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":95,"p2cBytes":0}
+<174>Jul 8 08:58:33 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:33.214","s2pBytes":0,"p2sBytes":0,"endTime":1688828313214,"sessionId":110556429407324,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":17,"hostname":"Laptop","CServerPort":443,"protocolName":"UDP","serverLatitude":39.1027,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429407324,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":0,"CClientPort":58830,"timeStamp":"2023-07-08 08:58:33.213","serverLongitude":-94.5778,"clientIntf":2,"policyId":1,"SClientPort":58830,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":0,"p2cBytes":0}
+<174>Jul 8 08:58:28 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:28.079","s2pBytes":0,"p2sBytes":0,"endTime":1688828308079,"sessionId":110556429407319,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"CAM_Nursery","CServerPort":443,"protocolName":"TCP","serverLatitude":39.0469,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429407319,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":1,"CClientPort":48365,"timeStamp":"2023-07-08 08:58:28.079","serverLongitude":-77.4903,"clientIntf":2,"policyId":4,"SClientPort":48365,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":0,"p2cBytes":0}
+<174>Jul 8 08:58:26 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:26.448","s2pBytes":7503,"p2sBytes":1433,"endTime":1688828306448,"sessionId":110556429407312,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Laptop","CServerPort":443,"protocolName":"TCP","serverLatitude":37.1835,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429407312,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":0,"CClientPort":10758,"timeStamp":"2023-07-08 08:58:25.9","serverLongitude":-121.7714,"clientIntf":2,"policyId":1,"SClientPort":47467,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":1433,"p2cBytes":7503}
+<174>Jul 8 08:58:25 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:25.448","s2pBytes":2686,"p2sBytes":6680,"endTime":1688828305448,"sessionId":110556429405867,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Laptop","CServerPort":443,"protocolName":"TCP","serverLatitude":39.1027,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429405867,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":0,"CClientPort":10708,"timeStamp":"2023-07-08 08:55:31.672","serverLongitude":-94.5778,"clientIntf":2,"policyId":1,"SClientPort":46641,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":6680,"p2cBytes":2686}
+<174>Jul 8 08:58:24 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:24.781","s2pBytes":0,"p2sBytes":95,"endTime":1688828304781,"sessionId":110556429407307,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":17,"hostname":"HP2A4366","CServerPort":9930,"protocolName":"UDP","serverLatitude":39.0469,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429407307,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":0,"CClientPort":57132,"timeStamp":"2023-07-08 08:58:23.78","serverLongitude":-77.4903,"clientIntf":2,"policyId":1,"SClientPort":57132,"bypassed":false,"SServerPort":9930,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":95,"p2cBytes":0}
+<174>Jul 8 08:58:23 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:23.591","s2pBytes":0,"p2sBytes":0,"endTime":1688828303591,"sessionId":110556429407306,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":17,"hostname":"Laptop","CServerPort":443,"protocolName":"UDP","serverLatitude":39.1027,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429407306,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":0,"CClientPort":58830,"timeStamp":"2023-07-08 08:58:23.591","serverLongitude":-94.5778,"clientIntf":2,"policyId":1,"SClientPort":58830,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":0,"p2cBytes":0}
+<174>Jul 8 08:58:23 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:23.588","s2pBytes":0,"p2sBytes":0,"endTime":1688828303588,"sessionId":110556429407305,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":17,"hostname":"Laptop","CServerPort":443,"protocolName":"UDP","serverLatitude":39.1027,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429407305,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":0,"CClientPort":58830,"timeStamp":"2023-07-08 08:58:23.588","serverLongitude":-94.5778,"clientIntf":2,"policyId":1,"SClientPort":58830,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":0,"p2cBytes":0}
+<174>Jul 8 08:58:22 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:22.406","s2pBytes":1444,"p2sBytes":2144,"endTime":1688828302406,"sessionId":110556429405872,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Laptop","CServerPort":443,"protocolName":"TCP","serverLatitude":39.1027,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429405872,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":0,"CClientPort":10709,"timeStamp":"2023-07-08 08:55:32.106","serverLongitude":-94.5778,"clientIntf":2,"policyId":1,"SClientPort":43055,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":2144,"p2cBytes":1444}
+<174>Jul 8 08:58:18 INFO uvm[0]: {"timeStamp":"2023-07-08 08:58:18.857","s2pBytes":17504157,"p2sBytes":110454,"endTime":1688828298857,"sessionId":110556429396427,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"81.2.69.144","SServerAddr":"81.2.69.144","remoteAddr":"81.2.69.144","serverIntf":1,"CClientAddr":"81.2.69.144","serverCountry":"US","sessionId":110556429396427,"SClientAddr":"81.2.69.144","clientCountry":"XL","policyRuleId":0,"CClientPort":41980,"timeStamp":"2023-07-08 08:36:07.431","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":48414,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.144","tagsString":""},"c2pBytes":110454,"p2cBytes":17504157}
\ No newline at end of file
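Review bot: The new fixture is added with mode 100755 (`new file mode 100755` in the file header), which makes a plain syslog sample executable; the sibling expected-output file is 100644 and this one should match, e.g. `chmod 644 test-session-stats.log` before committing. The file also lacks a trailing newline (`\ No newline at end of file`), which tools that read fixtures line by line, and future diffs appending a line, handle less cleanly; adding the final newline keeps it consistent with the other `_dev/test/pipeline` samples. Neither point affects the parsed result in the expected JSON.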
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-stats.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-stats.log-expected.json
new file mode 100644
index 00000000000..12c0a957bb3
--- /dev/null
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-session-stats.log-expected.json
@@ -0,0 +1,1294 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-07-08T08:58:34.930-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 0
+ }
+ },
+ "destination": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 9930
+ },
+ "port": 9930
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 1000000000,
+ "end": "2023-07-08T08:58:34.930-06:00",
+ "id": "110556429407325",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:34 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:34.93\",\"s2pBytes\":0,\"p2sBytes\":95,\"endTime\":1688828314930,\"sessionId\":110556429407325,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":17,\"hostname\":\"HP2A4366\",\"CServerPort\":9930,\"protocolName\":\"UDP\",\"serverLatitude\":39.0469,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429407325,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":49825,\"timeStamp\":\"2023-07-08 08:58:33.93\",\"serverLongitude\":-77.4903,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":49825,\"bypassed\":false,\"SServerPort\":9930,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":95,\"p2cBytes\":0}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:58:33.930-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "HP2A4366"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 95,
+ "community_id": "1:MjgsceM+lYT714SKocJeB44Yb7I=",
+ "direction": "external",
+ "iana_number": "17",
+ "transport": "UDP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "HP2A4366"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "1"
+ },
+ "source": {
+ "bytes": 95,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 49825
+ },
+ "port": 49825
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-08T08:58:33.214-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 0
+ }
+ },
+ "destination": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 443
+ },
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 1000000,
+ "end": "2023-07-08T08:58:33.214-06:00",
+ "id": "110556429407324",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:33 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:33.214\",\"s2pBytes\":0,\"p2sBytes\":0,\"endTime\":1688828313214,\"sessionId\":110556429407324,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":17,\"hostname\":\"Laptop\",\"CServerPort\":443,\"protocolName\":\"UDP\",\"serverLatitude\":39.1027,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429407324,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":58830,\"timeStamp\":\"2023-07-08 08:58:33.213\",\"serverLongitude\":-94.5778,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":58830,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":0,\"p2cBytes\":0}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:58:33.213-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Laptop"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 0,
+ "community_id": "1:L2ZTBSYSCrjkKdAg3CgEbEZIM+c=",
+ "direction": "external",
+ "iana_number": "17",
+ "transport": "UDP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "Laptop"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "1"
+ },
+ "source": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 58830
+ },
+ "port": 58830
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-08T08:58:28.079-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 1
+ }
+ },
+ "destination": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 443
+ },
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 0,
+ "end": "2023-07-08T08:58:28.079-06:00",
+ "id": "110556429407319",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:28 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:28.079\",\"s2pBytes\":0,\"p2sBytes\":0,\"endTime\":1688828308079,\"sessionId\":110556429407319,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"CAM_Nursery\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":39.0469,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429407319,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":1,\"CClientPort\":48365,\"timeStamp\":\"2023-07-08 08:58:28.079\",\"serverLongitude\":-77.4903,\"clientIntf\":2,\"policyId\":4,\"SClientPort\":48365,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":0,\"p2cBytes\":0}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:58:28.079-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "CAM_Nursery"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 0,
+ "community_id": "1:EIV++4SQGArmFP8PDRoA9GAWCmc=",
+ "direction": "external",
+ "iana_number": "6",
+ "transport": "TCP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "CAM_Nursery"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "4"
+ },
+ "source": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 48365
+ },
+ "port": 48365
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-08T08:58:26.448-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 0
+ }
+ },
+ "destination": {
+ "bytes": 7503,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 443
+ },
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 548000000,
+ "end": "2023-07-08T08:58:26.448-06:00",
+ "id": "110556429407312",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:26 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:26.448\",\"s2pBytes\":7503,\"p2sBytes\":1433,\"endTime\":1688828306448,\"sessionId\":110556429407312,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Laptop\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.1835,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429407312,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":10758,\"timeStamp\":\"2023-07-08 08:58:25.9\",\"serverLongitude\":-121.7714,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":47467,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":1433,\"p2cBytes\":7503}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:58:25.900-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Laptop"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 8936,
+ "community_id": "1:CHm3MlzLk/kmu3QOjAxbM+pYdj0=",
+ "direction": "external",
+ "iana_number": "6",
+ "transport": "TCP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "Laptop"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "1"
+ },
+ "source": {
+ "bytes": 1433,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 47467
+ },
+ "port": 10758
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-08T08:58:25.448-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 0
+ }
+ },
+ "destination": {
+ "bytes": 2686,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 443
+ },
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 173776000000,
+ "end": "2023-07-08T08:58:25.448-06:00",
+ "id": "110556429405867",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:25 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:25.448\",\"s2pBytes\":2686,\"p2sBytes\":6680,\"endTime\":1688828305448,\"sessionId\":110556429405867,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Laptop\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":39.1027,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429405867,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":10708,\"timeStamp\":\"2023-07-08 08:55:31.672\",\"serverLongitude\":-94.5778,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":46641,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":6680,\"p2cBytes\":2686}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:55:31.672-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Laptop"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 9366,
+ "community_id": "1:Zg2gKaUijKav5E48UMHCE4dFK+U=",
+ "direction": "external",
+ "iana_number": "6",
+ "transport": "TCP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "Laptop"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "1"
+ },
+ "source": {
+ "bytes": 6680,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 46641
+ },
+ "port": 10708
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-08T08:58:24.781-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 0
+ }
+ },
+ "destination": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 9930
+ },
+ "port": 9930
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 1001000000,
+ "end": "2023-07-08T08:58:24.781-06:00",
+ "id": "110556429407307",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:24 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:24.781\",\"s2pBytes\":0,\"p2sBytes\":95,\"endTime\":1688828304781,\"sessionId\":110556429407307,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":17,\"hostname\":\"HP2A4366\",\"CServerPort\":9930,\"protocolName\":\"UDP\",\"serverLatitude\":39.0469,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429407307,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":57132,\"timeStamp\":\"2023-07-08 08:58:23.78\",\"serverLongitude\":-77.4903,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":57132,\"bypassed\":false,\"SServerPort\":9930,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":95,\"p2cBytes\":0}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:58:23.780-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "HP2A4366"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 95,
+ "community_id": "1:RDKlgJTejFXsP2FWm646KKiJ0YM=",
+ "direction": "external",
+ "iana_number": "17",
+ "transport": "UDP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "HP2A4366"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "1"
+ },
+ "source": {
+ "bytes": 95,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 57132
+ },
+ "port": 57132
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-08T08:58:23.591-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 0
+ }
+ },
+ "destination": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 443
+ },
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 0,
+ "end": "2023-07-08T08:58:23.591-06:00",
+ "id": "110556429407306",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:23 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:23.591\",\"s2pBytes\":0,\"p2sBytes\":0,\"endTime\":1688828303591,\"sessionId\":110556429407306,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":17,\"hostname\":\"Laptop\",\"CServerPort\":443,\"protocolName\":\"UDP\",\"serverLatitude\":39.1027,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429407306,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":58830,\"timeStamp\":\"2023-07-08 08:58:23.591\",\"serverLongitude\":-94.5778,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":58830,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":0,\"p2cBytes\":0}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:58:23.591-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Laptop"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 0,
+ "community_id": "1:L2ZTBSYSCrjkKdAg3CgEbEZIM+c=",
+ "direction": "external",
+ "iana_number": "17",
+ "transport": "UDP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "Laptop"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "1"
+ },
+ "source": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 58830
+ },
+ "port": 58830
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-08T08:58:23.588-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 0
+ }
+ },
+ "destination": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 443
+ },
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 0,
+ "end": "2023-07-08T08:58:23.588-06:00",
+ "id": "110556429407305",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:23 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:23.588\",\"s2pBytes\":0,\"p2sBytes\":0,\"endTime\":1688828303588,\"sessionId\":110556429407305,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":17,\"hostname\":\"Laptop\",\"CServerPort\":443,\"protocolName\":\"UDP\",\"serverLatitude\":39.1027,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429407305,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":58830,\"timeStamp\":\"2023-07-08 08:58:23.588\",\"serverLongitude\":-94.5778,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":58830,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":0,\"p2cBytes\":0}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:58:23.588-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Laptop"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 0,
+ "community_id": "1:L2ZTBSYSCrjkKdAg3CgEbEZIM+c=",
+ "direction": "external",
+ "iana_number": "17",
+ "transport": "UDP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "Laptop"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "1"
+ },
+ "source": {
+ "bytes": 0,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 58830
+ },
+ "port": 58830
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-08T08:58:22.406-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 0
+ }
+ },
+ "destination": {
+ "bytes": 1444,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 443
+ },
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 170300000000,
+ "end": "2023-07-08T08:58:22.406-06:00",
+ "id": "110556429405872",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:22 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:22.406\",\"s2pBytes\":1444,\"p2sBytes\":2144,\"endTime\":1688828302406,\"sessionId\":110556429405872,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Laptop\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":39.1027,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429405872,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":10709,\"timeStamp\":\"2023-07-08 08:55:32.106\",\"serverLongitude\":-94.5778,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":43055,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":2144,\"p2cBytes\":1444}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:55:32.106-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Laptop"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 3588,
+ "community_id": "1:KPWIpUdgM6sUAxhqAtvgL2SUxyg=",
+ "direction": "external",
+ "iana_number": "6",
+ "transport": "TCP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "Laptop"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "1"
+ },
+ "source": {
+ "bytes": 2144,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 43055
+ },
+ "port": 10709
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-08T08:58:18.857-06:00",
+ "arista": {
+ "bypassed": false,
+ "entitled": true,
+ "policy": {
+ "rule_id": 0
+ }
+ },
+ "destination": {
+ "bytes": 17504157,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 443
+ },
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "session"
+ ],
+ "duration": 1331426000000,
+ "end": "2023-07-08T08:58:18.857-06:00",
+ "id": "110556429396427",
+ "kind": "event",
+ "original": "\u003c174\u003eJul 8 08:58:18 INFO uvm[0]: {\"timeStamp\":\"2023-07-08 08:58:18.857\",\"s2pBytes\":17504157,\"p2sBytes\":110454,\"endTime\":1688828298857,\"sessionId\":110556429396427,\"class\":\"class com.untangle.uvm.app.SessionStatsEvent\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"81.2.69.144\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"81.2.69.144\",\"serverCountry\":\"US\",\"sessionId\":110556429396427,\"SClientAddr\":\"81.2.69.144\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":41980,\"timeStamp\":\"2023-07-08 08:36:07.431\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":48414,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"c2pBytes\":110454,\"p2cBytes\":17504157}",
+ "provider": "session_stats",
+ "start": "2023-07-08T08:36:07.431-06:00",
+ "timezone": "America/Denver",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Galaxy-S22"
+ },
+ "log": {
+ "syslog": {
+ "facility": {
+ "code": 21,
+ "name": "Local 5"
+ },
+ "priority": 174,
+ "severity": {
+ "code": 6,
+ "name": "Informational"
+ }
+ }
+ },
+ "network": {
+ "bytes": 17614611,
+ "community_id": "1:UhoFSXFG4S2rRhOBUufP8nAvtvc=",
+ "direction": "external",
+ "iana_number": "6",
+ "transport": "TCP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External",
+ "id": "1",
+ "name": "eth0"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Internal",
+ "id": "2",
+ "name": "eth1"
+ }
+ },
+ "product": "Arista NG Firewall",
+ "type": "firewall",
+ "vendor": "Arista"
+ },
+ "related": {
+ "hosts": [
+ "Galaxy-S22"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "ruleset": "1"
+ },
+ "source": {
+ "bytes": 110454,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "ip": "81.2.69.144",
+ "port": 48414
+ },
+ "port": 41980
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-system-stats.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-system-stats.log-expected.json
index 5e9957ba3f3..ca913425ef7 100755
--- a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-system-stats.log-expected.json
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-system-stats.log-expected.json
@@ -67,7 +67,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -171,7 +171,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -275,7 +275,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -379,7 +379,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -483,7 +483,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -587,7 +587,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -691,7 +691,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -795,7 +795,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -899,7 +899,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1003,7 +1003,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1107,7 +1107,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1211,7 +1211,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1315,7 +1315,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1419,7 +1419,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1523,7 +1523,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1627,7 +1627,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1731,7 +1731,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1835,7 +1835,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1939,7 +1939,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2043,7 +2043,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-web-filter.log-expected.json b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-web-filter.log-expected.json
index 00fc4acee2d..9d3accf5b2e 100755
--- a/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-web-filter.log-expected.json
+++ b/packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-web-filter.log-expected.json
@@ -31,14 +31,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221865792041,
+ "id": "110221865792041",
"kind": "event",
"original": "\u003c174\u003eMay 23 16:34:28 INFO uvm[0]: {\"reason\":\"DEFAULT\",\"appName\":\"web_filter\",\"requestLine\":\"GET http://sync.hydra.opendns.com/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"M31525W10\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.3313,\"localAddr\":\"10.0.1.17\",\"SServerAddr\":\"81.2.69.199\",\"remoteAddr\":\"81.2.69.199\",\"serverIntf\":1,\"CClientAddr\":\"10.0.1.17\",\"serverCountry\":\"US\",\"sessionId\":110221865792041,\"SClientAddr\":\"81.2.69.142\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":53010,\"timeStamp\":\"2023-05-23 16:34:28.7\",\"serverLongitude\":-121.8401,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":28113,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.199\",\"username\":\"johndoe\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-23 16:34:28.737\",\"flagged\":false,\"blocked\":false,\"category\":\"Computer and Internet Security\",\"ruleId\":2,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":2}",
"outcome": "success",
@@ -51,6 +51,9 @@
"allowed"
]
},
+ "host": {
+ "name": "M31525W10"
+ },
"http": {
"request": {
"method": "GET"
@@ -95,6 +98,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "M31525W10"
+ ],
"ip": [
"81.2.69.199",
"10.0.1.17",
@@ -163,14 +169,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221865792037,
+ "id": "110221865792037",
"kind": "event",
"original": "\u003c174\u003eMay 23 16:34:28 INFO uvm[0]: {\"reason\":\"DEFAULT\",\"appName\":\"web_filter\",\"requestLine\":\"GET http://api.github.com/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865792037,\"SClientAddr\":\"81.2.69.142\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":32836,\"timeStamp\":\"2023-05-23 16:34:28.64\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":23625,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-23 16:34:28.682\",\"flagged\":false,\"blocked\":false,\"category\":\"Computer and Internet Info\",\"ruleId\":5,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":5}",
"outcome": "success",
@@ -183,6 +189,9 @@
"allowed"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"http": {
"request": {
"method": "GET"
@@ -227,6 +236,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"81.2.69.144",
"10.0.0.25",
@@ -289,14 +301,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221865792030,
+ "id": "110221865792030",
"kind": "event",
"original": "\u003c174\u003eMay 23 16:34:27 INFO uvm[0]: {\"reason\":\"DEFAULT\",\"appName\":\"web_filter\",\"requestLine\":\"GET http://graph-fallback.instagram.com/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"iPhone\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.1.10\",\"SServerAddr\":\"175.16.199.37\",\"remoteAddr\":\"175.16.199.37\",\"serverIntf\":1,\"CClientAddr\":\"10.0.1.10\",\"serverCountry\":\"US\",\"sessionId\":110221865792030,\"SClientAddr\":\"81.2.69.142\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":51495,\"timeStamp\":\"2023-05-23 16:34:27.742\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":32934,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"175.16.199.37\",\"username\":\"janedoe\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-23 16:34:27.768\",\"flagged\":false,\"blocked\":false,\"category\":\"Image and Video Search\",\"ruleId\":78,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":78}",
"outcome": "success",
@@ -309,6 +321,9 @@
"allowed"
]
},
+ "host": {
+ "name": "iPhone"
+ },
"http": {
"request": {
"method": "GET"
@@ -353,6 +368,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "iPhone"
+ ],
"ip": [
"175.16.199.37",
"10.0.1.10",
@@ -421,14 +439,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221865792017,
+ "id": "110221865792017",
"kind": "event",
"original": "\u003c174\u003eMay 23 16:34:25 INFO uvm[0]: {\"reason\":\"DEFAULT\",\"appName\":\"web_filter\",\"requestLine\":\"GET http://api.github.com/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865792017,\"SClientAddr\":\"81.2.69.142\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":32808,\"timeStamp\":\"2023-05-23 16:34:25.022\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":38426,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-23 16:34:25.065\",\"flagged\":false,\"blocked\":false,\"category\":\"Computer and Internet Info\",\"ruleId\":5,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":5}",
"outcome": "success",
@@ -441,6 +459,9 @@
"allowed"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"http": {
"request": {
"method": "GET"
@@ -485,6 +506,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"81.2.69.144",
"10.0.0.25",
@@ -541,14 +565,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221865792015,
+ "id": "110221865792015",
"kind": "event",
"original": "\u003c174\u003eMay 23 16:34:24 INFO uvm[0]: {\"reason\":\"BLOCK_CATEGORY\",\"appName\":\"web_filter\",\"requestLine\":\"GET http://mozilla.cloudflare-dns.com/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"SServerAddr\":\"1.128.0.0\",\"remoteAddr\":\"1.128.0.0\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865792015,\"SClientAddr\":\"81.2.69.142\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":49260,\"timeStamp\":\"2023-05-23 16:34:24.38\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":10240,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"1.128.0.0\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-23 16:34:24.393\",\"flagged\":true,\"blocked\":true,\"category\":\"Proxy Avoidance and Anonymizers\",\"ruleId\":58,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":58}",
"outcome": "failure",
@@ -561,6 +585,9 @@
"denied"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"http": {
"request": {
"method": "GET"
@@ -605,6 +632,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"1.128.0.0",
"10.0.0.25",
@@ -667,14 +697,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221865792014,
+ "id": "110221865792014",
"kind": "event",
"original": "\u003c174\u003eMay 23 16:34:23 INFO uvm[0]: {\"reason\":\"DEFAULT\",\"appName\":\"web_filter\",\"requestLine\":\"GET http://api.github.com/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"SServerAddr\":\"81.2.69.144\",\"remoteAddr\":\"81.2.69.144\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865792014,\"SClientAddr\":\"81.2.69.142\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":32794,\"timeStamp\":\"2023-05-23 16:34:23.812\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":16885,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"81.2.69.144\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-23 16:34:23.856\",\"flagged\":false,\"blocked\":false,\"category\":\"Computer and Internet Info\",\"ruleId\":5,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":5}",
"outcome": "success",
@@ -687,6 +717,9 @@
"allowed"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"http": {
"request": {
"method": "GET"
@@ -731,6 +764,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"81.2.69.144",
"10.0.0.25",
@@ -793,14 +829,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221865971300,
+ "id": "110221865971300",
"kind": "event",
"original": "\u003c174\u003eMay 24 08:27:39 INFO uvm[0]: {\"reason\":\"DEFAULT\",\"appName\":\"web_filter\",\"requestLine\":\"POST http://[81.2.69.142:80]/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php\",\"sessionEvent\":{\"entitled\":true,\"clientLongitude\":9.491,\"protocol\":6,\"hostname\":\"Proxy\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"localAddr\":\"10.0.0.55\",\"SServerAddr\":\"10.0.0.55\",\"remoteAddr\":\"67.43.156.27\",\"serverIntf\":2,\"CClientAddr\":\"67.43.156.27\",\"serverCountry\":\"XL\",\"sessionId\":110221865971300,\"SClientAddr\":\"67.43.156.27\",\"clientLatitude\":51.2993,\"clientCountry\":\"DE\",\"policyRuleId\":0,\"CClientPort\":41146,\"timeStamp\":\"2023-05-24 08:27:39.499\",\"clientIntf\":1,\"policyId\":1,\"SClientPort\":41146,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"81.2.69.142\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-24 08:27:39.666\",\"flagged\":false,\"blocked\":false,\"category\":\"Entertainment and Arts\",\"ruleId\":21,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":21}",
"outcome": "success",
@@ -813,6 +849,9 @@
"allowed"
]
},
+ "host": {
+ "name": "Proxy"
+ },
"http": {
"request": {
"method": "POST"
@@ -857,6 +896,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "Proxy"
+ ],
"ip": [
"81.2.69.142",
"10.0.0.55",
@@ -927,14 +969,14 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221865956519,
+ "id": "110221865956519",
"kind": "event",
"original": "\u003c174\u003eMay 24 07:58:28 INFO uvm[0]: {\"reason\":\"DEFAULT\",\"appName\":\"web_filter\",\"requestLine\":\"POST http://ocsp.digicert.com/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"ubuntu\",\"CServerPort\":80,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.25\",\"SServerAddr\":\"175.16.199.20\",\"remoteAddr\":\"175.16.199.20\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.25\",\"serverCountry\":\"US\",\"sessionId\":110221865956519,\"SClientAddr\":\"81.2.69.142\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":55862,\"timeStamp\":\"2023-05-24 07:58:28.456\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":19642,\"bypassed\":false,\"SServerPort\":80,\"CServerAddr\":\"175.16.199.20\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-24 07:58:28.473\",\"flagged\":false,\"blocked\":false,\"category\":\"Computer and Internet Security\",\"ruleId\":2,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":2}",
"outcome": "success",
@@ -947,6 +989,9 @@
"allowed"
]
},
+ "host": {
+ "name": "ubuntu"
+ },
"http": {
"request": {
"method": "POST"
@@ -991,6 +1036,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "ubuntu"
+ ],
"ip": [
"175.16.199.20",
"10.0.0.25",
@@ -1053,14 +1101,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866049740,
+ "id": "110221866049740",
"kind": "event",
"original": "\u003c174\u003eMay 24 11:41:00 INFO uvm[0]: {\"reason\":\"BLOCK_URL\",\"appName\":\"web_filter\",\"requestLine\":\"GET http://ssl.google-analytics.com/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"Galaxy-S22\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.1.6\",\"SServerAddr\":\"67.43.156.22\",\"remoteAddr\":\"67.43.156.22\",\"serverIntf\":1,\"CClientAddr\":\"10.0.1.6\",\"serverCountry\":\"US\",\"sessionId\":110221866049740,\"SClientAddr\":\"81.2.69.142\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":39554,\"timeStamp\":\"2023-05-24 11:41:00.11\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":21617,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.22\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-24 11:41:00.14\",\"flagged\":true,\"blocked\":true,\"ruleId\":1662,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":5}",
"outcome": "failure",
@@ -1073,6 +1121,9 @@
"denied"
]
},
+ "host": {
+ "name": "Galaxy-S22"
+ },
"http": {
"request": {
"method": "GET"
@@ -1117,6 +1168,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "Galaxy-S22"
+ ],
"ip": [
"67.43.156.22",
"10.0.1.6",
@@ -1178,14 +1232,14 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
"network",
"web"
],
- "id": 110221866046822,
+ "id": "110221866046822",
"kind": "event",
"original": "\u003c174\u003eMay 24 11:31:05 INFO uvm[0]: {\"reason\":\"BLOCK_URL\",\"appName\":\"web_filter\",\"requestLine\":\"GET http://config.ads.vungle.com/\",\"sessionEvent\":{\"entitled\":true,\"protocol\":6,\"hostname\":\"iPhone\",\"CServerPort\":443,\"protocolName\":\"TCP\",\"serverLatitude\":39.0481,\"localAddr\":\"10.0.1.10\",\"SServerAddr\":\"67.43.156.0\",\"remoteAddr\":\"67.43.156.0\",\"serverIntf\":1,\"CClientAddr\":\"10.0.1.10\",\"serverCountry\":\"US\",\"sessionId\":110221866046822,\"SClientAddr\":\"81.2.69.142\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":54996,\"timeStamp\":\"2023-05-24 11:31:05.591\",\"serverLongitude\":-77.4728,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":22100,\"bypassed\":false,\"SServerPort\":443,\"CServerAddr\":\"67.43.156.0\",\"username\":\"janedoe\",\"tagsString\":\"\"},\"timeStamp\":\"2023-05-24 11:31:05.645\",\"flagged\":true,\"blocked\":true,\"category\":\"vungle.com\",\"ruleId\":2883,\"class\":\"class com.untangle.app.web_filter.WebFilterEvent\",\"categoryId\":52}",
"outcome": "failure",
@@ -1198,6 +1252,9 @@
"denied"
]
},
+ "host": {
+ "name": "iPhone"
+ },
"http": {
"request": {
"method": "GET"
@@ -1242,6 +1299,9 @@
"vendor": "Arista"
},
"related": {
+ "hosts": [
+ "iPhone"
+ ],
"ip": [
"67.43.156.0",
"10.0.1.10",
diff --git a/packages/arista_ngfw/data_stream/log/agent/stream/tcp.yml.hbs b/packages/arista_ngfw/data_stream/log/agent/stream/tcp.yml.hbs
index 1a4bc0a1f01..5c72e476ba7 100755
--- a/packages/arista_ngfw/data_stream/log/agent/stream/tcp.yml.hbs
+++ b/packages/arista_ngfw/data_stream/log/agent/stream/tcp.yml.hbs
@@ -11,24 +11,20 @@ publisher_pipeline.disable_host: true
{{/contains}}
fields_under_root: true
fields:
-{{#if tz_offset}}
_conf:
+{{#if tz_offset}}
tz_offset: "{{tz_offset}}"
{{/if}}
{{#if interface_id_1_name}}
- _conf:
interface_id_1_name: "{{interface_id_1_name}}"
{{/if}}
{{#if interface_id_1_alias}}
- _conf:
interface_id_1_alias: "{{interface_id_1_alias}}"
{{/if}}
{{#if interface_id_2_name}}
- _conf:
interface_id_2_name: "{{interface_id_2_name}}"
{{/if}}
{{#if interface_id_2_alias}}
- _conf:
interface_id_2_alias: "{{interface_id_2_alias}}"
{{/if}}
processors:
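Review bot: With `_conf:` hoisted above the `{{#if tz_offset}}` block, the key is now rendered under `fields` unconditionally, so a policy that sets none of the five options emits `_conf:` with no value (a YAML null) instead of omitting the key. That is likely harmless to the agent, but if the ingest pipeline branches on `ctx._conf` being present it is worth confirming the null case behaves, or guarding the key so it is only written when at least one option is set. The udp.yml.hbs hunk below has the same structure.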
diff --git a/packages/arista_ngfw/data_stream/log/agent/stream/udp.yml.hbs b/packages/arista_ngfw/data_stream/log/agent/stream/udp.yml.hbs
index 8a8c232deed..6456a0ac64d 100755
--- a/packages/arista_ngfw/data_stream/log/agent/stream/udp.yml.hbs
+++ b/packages/arista_ngfw/data_stream/log/agent/stream/udp.yml.hbs
@@ -14,24 +14,20 @@ publisher_pipeline.disable_host: true
{{/contains}}
fields_under_root: true
fields:
-{{#if tz_offset}}
_conf:
+{{#if tz_offset}}
tz_offset: "{{tz_offset}}"
{{/if}}
{{#if interface_id_1_name}}
- _conf:
interface_id_1_name: "{{interface_id_1_name}}"
{{/if}}
{{#if interface_id_1_alias}}
- _conf:
interface_id_1_alias: "{{interface_id_1_alias}}"
{{/if}}
{{#if interface_id_2_name}}
- _conf:
interface_id_2_name: "{{interface_id_2_name}}"
{{/if}}
{{#if interface_id_2_alias}}
- _conf:
interface_id_2_alias: "{{interface_id_2_alias}}"
{{/if}}
processors:
diff --git a/packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 15d227654bd..eb7146edfa1 100755
--- a/packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -10,7 +10,7 @@ processors:
ignore_missing: true
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- grok:
field: event.original
patterns:
@@ -77,6 +77,14 @@ processors:
return;
}
ctx.log.syslog.severity.name = params[(ctx.log.syslog.severity.code).toString()];
+
+ # Remove port number from syslog source, and put to ECS log.syslog.hostname
+ - gsub:
+ if: ctx.log?.source?.address != null && ctx.log.source.address != ''
+ field: log.source.address
+ pattern: :.*
+ replacement: ''
+ target_field: log.syslog.hostname
# Parse the JSON message to arista.*
- json:
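Review bot: The `gsub` pattern `:.*` strips everything after the first colon in `log.source.address`, which removes the port from an IPv4 `addr:port` value but truncates an IPv6 source (an illustrative `[2001:db8::1]:514` would collapse to `[2001`). Anchoring on the trailing port, `pattern: ':[0-9]+$'`, leaves IPv6 literals intact; any surrounding brackets, if the input writes them, would still need a second `gsub`. The comment could also state the assumption this relies on, e.g. `# log.source.address is written by the agent input as ip:port`.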
@@ -96,6 +104,7 @@ processors:
'class com.untangle.uvm.logging.InterfaceStatEvent',
'class com.untangle.app.intrusion_prevention.IntrusionPreventionLogEvent',
'class com.untangle.uvm.app.SessionEvent',
+ 'class com.untangle.uvm.app.SessionStatsEvent',
'class com.untangle.uvm.logging.SystemStatEvent',
'class com.untangle.app.web_filter.WebFilterEvent'
];
@@ -139,6 +148,11 @@ processors:
if: ctx.arista?.class == 'class com.untangle.app.http.HttpRequestEvent' || ctx.arista?.class == 'class com.untangle.app.http.HttpResponseEvent'
name: '{{ IngestPipeline "http_event" }}'
ignore_missing_pipeline: true
+ - pipeline:
+ description: Use a separate pipeline for SessionStatsEvent events
+ if: ctx.arista?.class == 'class com.untangle.uvm.app.SessionStatsEvent'
+ name: '{{ IngestPipeline "session_stats" }}'
+ ignore_missing_pipeline: true
############################
## ECS @timestamp Mapping ##
@@ -170,6 +184,7 @@ processors:
- "ISO8601"
- "yyyy-MM-dd HH:mm:ss.SSS"
- "yyyy-MM-dd HH:mm:ss.SS"
+ - "yyyy-MM-dd HH:mm:ss.S"
on_failure:
# Try to re-parse as UTC to catch when TZ is invalid or unknown.
- remove:
@@ -182,6 +197,7 @@ processors:
- "ISO8601"
- "yyyy-MM-dd HH:mm:ss.SSS"
- "yyyy-MM-dd HH:mm:ss.SS"
+ - "yyyy-MM-dd HH:mm:ss.S"
on_failure:
- append:
field: error.message
@@ -206,6 +222,7 @@ processors:
- "ISO8601"
- "yyyy-MM-dd HH:mm:ss.SSS"
- "yyyy-MM-dd HH:mm:ss.SS"
+ - "yyyy-MM-dd HH:mm:ss.S"
on_failure:
- append:
field: error.message
@@ -360,6 +377,10 @@ processors:
field: arista.sessionId
target_field: event.id
ignore_missing: true
+ - convert:
+ field: event.id
+ type: string
+ ignore_missing: true
- script:
lang: painless
source: |
@@ -388,6 +409,70 @@ processors:
ctx.event.type = 'denied';
}
}
+ # Parse event.start
+ - date:
+ if: ctx.event?.start != null
+ timezone: "{{{ event.timezone }}}"
+ field: event.start
+ target_field: event.start
+ formats:
+ - "ISO8601"
+ - "yyyy-MM-dd HH:mm:ss.SSS"
+ - "yyyy-MM-dd HH:mm:ss.SS"
+ - "yyyy-MM-dd HH:mm:ss.S"
+ on_failure:
+ # Try to re-parse as UTC to catch when TZ is invalid or unknown.
+ - remove:
+ field: event.timezone
+ ignore_missing: true
+ - date:
+ if: ctx.event?.start != null
+ field: event.start
+ target_field: event.start
+ formats:
+ - "ISO8601"
+ - "yyyy-MM-dd HH:mm:ss.SSS"
+ - "yyyy-MM-dd HH:mm:ss.SS"
+ - "yyyy-MM-dd HH:mm:ss.S"
+ on_failure:
+ - append:
+ field: error.message
+ value: "Error parsing date from field `event.start`. Value of field: {{{ event.start }}}: {{{ _ingest.on_failure_message }}}"
+ - remove:
+ field: event.end
+ # Parse event.end from Unix MS
+ - date:
+ if: ctx.event?.end != null
+ timezone: "{{{ event.timezone }}}"
+ field: event.end
+ target_field: event.end
+ formats:
+ - "UNIX_MS"
+ on_failure:
+ # Try to re-parse as UTC to catch when TZ is invalid or unknown.
+ - remove:
+ field: event.timezone
+ ignore_missing: true
+ - date:
+ if: ctx.event?.end != null
+ field: event.end
+ target_field: event.end
+ formats:
+ - "UNIX_MS"
+ on_failure:
+ - append:
+ field: error.message
+ value: "Error parsing date from field `event.end`. Value of field: {{{ event.end }}}: {{{ _ingest.on_failure_message }}}"
+ - remove:
+ field: event.end
+ # Calculate event.duration from event.start and event.end
+ - script:
+ lang: painless
+ if: ctx.event?.start != null && ctx.event?.end != null
+ source: >-
+ Instant eventstart = ZonedDateTime.parse(ctx.event?.start).toInstant();
+ Instant eventend = ZonedDateTime.parse(ctx.event?.end).toInstant();
+ ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend);
# Enrich event fields based on arista.class
- script:
lang: painless
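Review bot: In the `event.start` parsing block, the inner `on_failure` removes `event.end` (the `field: event.end` just above the `# Parse event.end from Unix MS` comment) instead of `event.start`, so an unparseable start time is left in `event.start` as a raw string while the valid end time is discarded; the `event.end` block below correctly removes its own field. It should read `field: event.start`, and both removes could carry `ignore_missing: true` to match the `event.timezone` removes above them. The duration script is unaffected, since it only runs when both fields survive parsing. The `- script:` processor at the end of the hunk continues outside it.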
@@ -456,7 +541,6 @@ processors:
- session
type:
- info
- - change
provider: session_stats
"class com.untangle.uvm.DeviceTableEvent":
kind: event
@@ -500,10 +584,14 @@ processors:
}
if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) {
if (ctx.event.outcome == 'success') {
- ctx.event.type.add('allowed');
+ if (ctx.event?.type == null || !ctx.event.type.contains('allowed')) {
+ ctx.event.type.add('allowed');
+ }
}
if (ctx.event.outcome == 'failure') {
- ctx.event.type.add('denied');
+ if (ctx.event?.type == null || !ctx.event.type.contains('denied')) {
+ ctx.event.type.add('denied');
+ }
}
}
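Review bot: The new guards `if (ctx.event?.type == null || !ctx.event.type.contains('allowed'))` admit the null case and then call `ctx.event.type.add(...)` on it, which throws instead of initialising the list; the `denied` branch has the same shape. If an earlier processor (outside this hunk) always populates `event.type` for these categories the null arm is dead code, otherwise initialise first: `if (ctx.event.type == null) { ctx.event.type = []; }` followed by `if (!ctx.event.type.contains('allowed')) { ctx.event.type.add('allowed'); }`. Either way the null test inside the condition is misleading and should be dropped.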
@@ -522,6 +610,38 @@ processors:
field: arista.protocolName
target_field: network.transport
ignore_missing: true
+ - script:
+ description: Calculate network.bytes
+ if: (ctx.source?.bytes != null || ctx.destination?.bytes != null) && ctx.network?.bytes == null
+ ignore_failure: true
+ lang: painless
+ source: |
+ if (ctx.network == null) {
+ ctx.network = new HashMap();
+ }
+ if (ctx.source.bytes != null && ctx.destination.bytes != null) {
+ ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes
+ } else if (ctx.source.bytes == null && ctx.destination.bytes != null) {
+ ctx.network.bytes = ctx.destination.bytes
+ } else if (ctx.source.bytes != null && ctx.destination.bytes == null) {
+ ctx.network.bytes = ctx.source.bytes
+ }
+ - script:
+ description: Calculate network.packets
+ if: (ctx.source?.packets != null || ctx.destination?.packets != null) && ctx.network?.packets == null
+ ignore_failure: true
+ lang: painless
+ source: |
+ if (ctx.network == null) {
+ ctx.network = new HashMap();
+ }
+ if (ctx.source.packets != null && ctx.destination.packets != null) {
+ ctx.network.packets = ctx.source.packets + ctx.destination.packets
+ } else if (ctx.source.packets == null && ctx.destination.packets != null) {
+ ctx.network.packets = ctx.destination.packets
+ } else if (ctx.source.packets != null && ctx.destination.packets == null) {
+ ctx.network.packets = ctx.source.packets
+ }
- script:
description: Calculate network.direction if zones are not configured
lang: painless
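Review bot: The `if` conditions on the `network.bytes` and `network.packets` scripts use null-safe `ctx.source?.bytes` / `ctx.destination?.bytes`, but the script bodies dereference `ctx.source.bytes` and `ctx.destination.bytes` directly, so an event that carries only one side (no `destination` object at all) throws a null-pointer error that `ignore_failure: true` silently swallows, and the one-sided `else if` branches are never reached. Using `ctx.source?.bytes` and `ctx.destination?.bytes` (and the `packets` equivalents) inside the bodies makes those branches reachable, and `ignore_failure` could then be removed so genuine failures land in `error.message` like the rest of the pipeline. The `- script:` for `network.direction` at the end of the hunk continues outside it.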
@@ -717,10 +837,23 @@ processors:
target_field: user.name
ignore_missing: true
+ ######################
+ ## ECS Host Mapping ##
+ ######################
+ - rename:
+ field: arista.hostname
+ target_field: host.name
+ ignore_missing: true
+
#########################
## ECS Related Mapping ##
#########################
# Hosts
+ - append:
+ if: ctx.host?.name != null
+ field: related.hosts
+ value: '{{{host.name}}}'
+ allow_duplicates: false
- append:
if: ctx.destination?.domain != null
field: related.hosts
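Review bot: `arista.hostname` is renamed to `host.name`, but in the fixtures updated by this commit the value is the session's client device name (`Galaxy-S22`, `iPhone`, taken from `sessionEvent.hostname` alongside `CClientAddr`), whereas ECS `host.*` describes the host on which the event was observed, here the firewall, whose own host fields the agent templates disable. If that reading is right, `client.domain` or `source.domain` is the closer ECS fit and avoids populating `host.name` with values that collide with agent host fields in dashboards. A comment above the rename stating what `arista.hostname` actually holds, e.g. `# hostname of the client device in the session, not the firewall`, would help either way.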
@@ -789,7 +922,6 @@ processors:
- arista.clientLatitude
- arista.clientLongitude
- arista.filterPrefix
- - arista.hostname
- arista.localAddr
- arista.remoteAddr
- arista.httpRequestEvent.sessionEvent
diff --git a/packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/session_stats.yml b/packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/session_stats.yml
new file mode 100755
index 00000000000..c2c8e9bb48c
--- /dev/null
+++ b/packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/session_stats.yml
@@ -0,0 +1,32 @@
+---
+description: Pipeline for processing Arista NG Firewall session stats
+processors:
+ ########################
+ ## Session Statistics ##
+ ########################
+ - rename:
+ field: arista.endTime
+ target_field: event.end
+ ignore_missing: true
+ - rename:
+ field: arista.sessionEvent.timeStamp
+ target_field: event.start
+ ignore_missing: true
+
+ ##############
+ ## Clean Up ##
+ ##############
+ - remove:
+ description: Remove Arista fields that are not necessary after parsing to ECS
+ field:
+ - arista.p2cBytes
+ - arista.p2sBytes
+ - arista.sessionEvent.sessionId
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/arista_ngfw/data_stream/log/fields/ecs.yml b/packages/arista_ngfw/data_stream/log/fields/ecs.yml
index 376b8ff4da4..232889bbf3b 100755
--- a/packages/arista_ngfw/data_stream/log/fields/ecs.yml
+++ b/packages/arista_ngfw/data_stream/log/fields/ecs.yml
@@ -78,6 +78,8 @@
name: event.duration
- external: ecs
name: event.end
+- external: ecs
+ name: event.id
- external: ecs
name: event.ingested
- external: ecs
@@ -128,6 +130,8 @@
name: log.syslog.facility.code
- external: ecs
name: log.syslog.facility.name
+- external: ecs
+ name: log.syslog.hostname
- external: ecs
name: log.syslog.severity.code
- external: ecs
@@ -230,6 +234,8 @@
name: source.domain
- external: ecs
name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_code
- external: ecs
name: source.geo.continent_name
- external: ecs
@@ -238,10 +244,14 @@
name: source.geo.country_name
- external: ecs
name: source.geo.location
+- external: ecs
+ name: source.geo.postal_code
- external: ecs
name: source.geo.region_iso_code
- external: ecs
name: source.geo.region_name
+- external: ecs
+ name: source.geo.timezone
- external: ecs
name: source.ip
- external: ecs
diff --git a/packages/arista_ngfw/data_stream/log/fields/fields.yml b/packages/arista_ngfw/data_stream/log/fields/fields.yml
index 3bc0f00d2e0..83476a4a247 100755
--- a/packages/arista_ngfw/data_stream/log/fields/fields.yml
+++ b/packages/arista_ngfw/data_stream/log/fields/fields.yml
@@ -107,30 +107,30 @@
- name: swap
type: group
fields:
- - name: free
- type: group
- fields:
- - name: bytes
- type: integer
- description: Swap memory free in bytes
- - name: pct
- type: float
- description: Percentage of swap memory free
- - name: total
- type: group
- fields:
- - name: bytes
- type: integer
- description: Total swap memory in bytes
- - name: used
- type: group
- fields:
- - name: bytes
- type: integer
- description: Swap memory used in bytes
- - name: pct
- type: float
- description: Percentage of swap memory used
+ - name: free
+ type: group
+ fields:
+ - name: bytes
+ type: integer
+ description: Swap memory free in bytes
+ - name: pct
+ type: float
+ description: Percentage of swap memory free
+ - name: total
+ type: group
+ fields:
+ - name: bytes
+ type: integer
+ description: Total swap memory in bytes
+ - name: used
+ type: group
+ fields:
+ - name: bytes
+ type: integer
+ description: Swap memory used in bytes
+ - name: pct
+ type: float
+ description: Percentage of swap memory used
- name: total
type: group
fields:
diff --git a/packages/arista_ngfw/data_stream/log/manifest.yml b/packages/arista_ngfw/data_stream/log/manifest.yml
index 49829778814..f17d34c24a6 100755
--- a/packages/arista_ngfw/data_stream/log/manifest.yml
+++ b/packages/arista_ngfw/data_stream/log/manifest.yml
@@ -45,6 +45,7 @@ streams:
show_user: false
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
- name: tz_offset
type: text
title: Timezone
@@ -53,34 +54,34 @@ streams:
show_user: false
default: UTC
description: IANA time zone or time offset (e.g. `America/Denver` or `-06:00`) to use when interpreting syslog timestamps without a time zone.
- - name: interface_id_0_name
+ - name: interface_id_1_name
type: text
- title: Device name for interface ID 0
+ title: Device name for interface ID 1
multi: false
required: false
show_user: false
- description: Optional device name of the firewall's interface with ID 0 (e.g. `eth0`).
- - name: interface_id_0_alias
+ description: Optional device name of the firewall's interface with ID 1 (e.g. `eth0`).
+ - name: interface_id_1_alias
type: text
- title: Alias for interface ID 0
+ title: Alias for interface ID 1
multi: false
required: false
show_user: false
- description: Optional alias of the firewall's interface with ID 0 (e.g. `External`).
- - name: interface_id_1_name
+ description: Optional alias of the firewall's interface with ID 1 (e.g. `External` or `WAN`).
+ - name: interface_id_2_name
type: text
- title: Device name for interface ID 1
+ title: Device name for interface ID 2
multi: false
required: false
show_user: false
- description: Optional device name of the firewall's interface with ID 0 (e.g. `eth1`).
- - name: interface_id_1_alias
+ description: Optional device name of the firewall's interface with ID 2 (e.g. `eth1`).
+ - name: interface_id_2_alias
type: text
- title: Alias for interface ID 1
+ title: Alias for interface ID 2
multi: false
required: false
show_user: false
- description: Optional alias of the firewall's interface with ID 0 (e.g. `Internal`).
+ description: Optional alias of the firewall's interface with ID 2 (e.g. `Internal` or `LAN`).
- input: udp
title: Arista NG Firewall logs
description: Collect Arista NG Firewall logs via UDP
@@ -125,6 +126,7 @@ streams:
show_user: false
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
- name: tz_offset
type: text
title: Timezone
@@ -146,7 +148,7 @@ streams:
multi: false
required: false
show_user: false
- description: Optional alias of the firewall's interface with ID 1 (e.g. `External`).
+ description: Optional alias of the firewall's interface with ID 1 (e.g. `External` or `WAN`).
- name: interface_id_2_name
type: text
title: Device name for interface ID 2
@@ -160,4 +162,4 @@ streams:
multi: false
required: false
show_user: false
- description: Optional alias of the firewall's interface with ID 2 (e.g. `Internal`).
+ description: Optional alias of the firewall's interface with ID 2 (e.g. `Internal` or `LAN`).
diff --git a/packages/arista_ngfw/data_stream/log/sample_event.json b/packages/arista_ngfw/data_stream/log/sample_event.json
index b177398b364..6c09aaf72bd 100755
--- a/packages/arista_ngfw/data_stream/log/sample_event.json
+++ b/packages/arista_ngfw/data_stream/log/sample_event.json
@@ -11,8 +11,10 @@
},
"event": {
"entitled": true,
- "category": ["session"],
- "original": "<174>May 19 11:52:37 INFO uvm[0]: {\"entitled\":true,\"protocol\":17,\"hostname\":\"Host1\",\"CServerPort\":9930,\"protocolName\":\"UDP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.10\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"18.214.195.29\",\"remoteAddr\":\"18.214.195.29\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.10\",\"serverCountry\":\"US\",\"sessionId\":110221863965041,\"SClientAddr\":\"66.113.13.6\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":59881,\"timeStamp\":\"2023-05-19 11:52:37.962\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":59881,\"bypassed\":false,\"SServerPort\":9930,\"CServerAddr\":\"18.214.195.29\",\"tagsString\":\"\"}",
+ "category": [
+ "session"
+ ],
+ "original": "\u003c174\u003eMay 19 11:52:37 INFO uvm[0]: {\"entitled\":true,\"protocol\":17,\"hostname\":\"Host1\",\"CServerPort\":9930,\"protocolName\":\"UDP\",\"serverLatitude\":37.751,\"localAddr\":\"10.0.0.10\",\"class\":\"class com.untangle.uvm.app.SessionEvent\",\"SServerAddr\":\"18.214.195.29\",\"remoteAddr\":\"18.214.195.29\",\"serverIntf\":1,\"CClientAddr\":\"10.0.0.10\",\"serverCountry\":\"US\",\"sessionId\":110221863965041,\"SClientAddr\":\"66.113.13.6\",\"clientCountry\":\"XL\",\"policyRuleId\":0,\"CClientPort\":59881,\"timeStamp\":\"2023-05-19 11:52:37.962\",\"serverLongitude\":-97.822,\"clientIntf\":2,\"policyId\":1,\"SClientPort\":59881,\"bypassed\":false,\"SServerPort\":9930,\"CServerAddr\":\"18.214.195.29\",\"tagsString\":\"\"}",
"module": "arista_ngfw",
"kind": "event",
"dataset": "arista_ngfw.log",
diff --git a/packages/arista_ngfw/docs/README.md b/packages/arista_ngfw/docs/README.md
index 58de4478900..5d3939681b8 100755
--- a/packages/arista_ngfw/docs/README.md
+++ b/packages/arista_ngfw/docs/README.md
@@ -15,6 +15,7 @@ Arista NG Firewall supports several syslog output rules that may be configured o
* Interface Stat Event
* Intrusion Prevention Log Event
* Session Event
+* Session Stats Event
* System Stat Event
* Web Filter Event
@@ -206,19 +207,20 @@ An example event for `log` looks as following:
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
+| event.id | Unique ID to describe the event. | keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| file.hash.sha256 | SHA256 hash. | keyword |
@@ -256,6 +258,7 @@ An example event for `log` looks as following:
| log.source.address | Source address from which the log event was read / sent from. | keyword |
| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
+| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword |
| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
@@ -311,12 +314,15 @@ An example event for `log` looks as following:
| source.bytes | Bytes sent from the source to the destination. | long |
| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
| source.geo.city_name | City name. | keyword |
+| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
| source.geo.continent_name | Name of the continent. | keyword |
| source.geo.country_iso_code | Country ISO code. | keyword |
| source.geo.country_name | Country name. | keyword |
| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
| source.geo.region_iso_code | Region ISO code. | keyword |
| source.geo.region_name | Region name. | keyword |
+| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| source.ip | IP address of the source (IPv4 or IPv6). | ip |
| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
diff --git a/packages/arista_ngfw/kibana/tags.yml b/packages/arista_ngfw/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/arista_ngfw/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/arista_ngfw/manifest.yml b/packages/arista_ngfw/manifest.yml
index 8bcea8ab559..585352a58c2 100755
--- a/packages/arista_ngfw/manifest.yml
+++ b/packages/arista_ngfw/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.5.1
+format_version: "3.0.0"
name: arista_ngfw
title: "Arista NG Firewall"
-version: 0.0.1
+version: "0.5.0"
source:
license: "Elastic-2.0"
description: "Collect logs and metrics from Arista NG Firewall."
@@ -9,8 +9,10 @@ type: integration
categories:
- network
conditions:
- kibana.version: "^8.6.2"
- elastic.subscription: "basic"
+ kibana:
+ version: "^8.6.2"
+ elastic:
+ subscription: "basic"
icons:
- src: /img/arista-logo.svg
title: Arista logo
@@ -29,3 +31,4 @@ policy_templates:
description: Collects logs from Arista NG Firewall via UDP
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/atlassian_bitbucket/_dev/build/build.yml b/packages/atlassian_bitbucket/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/atlassian_bitbucket/_dev/build/build.yml
+++ b/packages/atlassian_bitbucket/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/atlassian_bitbucket/changelog.yml b/packages/atlassian_bitbucket/changelog.yml
index 38b44257b86..e76286778ee 100644
--- a/packages/atlassian_bitbucket/changelog.yml
+++ b/packages/atlassian_bitbucket/changelog.yml
@@ -1,4 +1,34 @@
# newer versions go on top
+- version: 1.17.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.16.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.15.0"
+ changes:
+ - description: Add ability to set condition for logfile logs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7371
+- version: "1.14.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.13.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
+- version: "1.12.0"
+ changes:
+ - description: Document valid duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6706
- version: "1.11.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json b/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json
index 6ccb8b5e14e..aac3580bb75 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json
+++ b/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json
@@ -27,7 +27,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.userdeleted",
@@ -112,7 +112,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.userrenamed",
@@ -189,7 +189,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.usercredentialupdated",
@@ -264,7 +264,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupdeleted",
@@ -352,7 +352,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupmembershipdeleted",
@@ -445,7 +445,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupmembershipscreated.user",
@@ -523,7 +523,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupcreated",
@@ -611,7 +611,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupmembershipscreated.user",
@@ -688,7 +688,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.usercreated",
@@ -768,7 +768,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -837,7 +837,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -892,7 +892,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -954,7 +954,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1016,7 +1016,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1078,7 +1078,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1140,7 +1140,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1202,7 +1202,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1264,7 +1264,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1326,7 +1326,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1401,7 +1401,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -1470,7 +1470,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -1539,7 +1539,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -1608,7 +1608,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -1675,7 +1675,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.search.audit.action.elasticsearchconfigurationchange",
@@ -1728,7 +1728,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.applicationconfiguration.audit.action.applicationsetup",
@@ -1801,7 +1801,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.globalpermissiongranted",
@@ -1874,7 +1874,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.globalpermissiongrantrequested",
@@ -1953,7 +1953,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupmembershipscreated.user",
@@ -2031,7 +2031,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.usercreated",
@@ -2097,7 +2097,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.license.audit.action.licensechanged",
@@ -2164,7 +2164,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.applicationconfiguration.audit.action.baseurlchanged",
@@ -2230,7 +2230,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2283,7 +2283,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2336,7 +2336,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2389,7 +2389,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2442,7 +2442,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2495,7 +2495,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2548,7 +2548,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2601,7 +2601,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2654,7 +2654,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2707,7 +2707,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2760,7 +2760,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2813,7 +2813,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2866,7 +2866,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2919,7 +2919,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -2972,7 +2972,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3025,7 +3025,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3078,7 +3078,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3131,7 +3131,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3184,7 +3184,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3237,7 +3237,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3290,7 +3290,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3343,7 +3343,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3396,7 +3396,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3449,7 +3449,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3502,7 +3502,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3555,7 +3555,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3608,7 +3608,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3661,7 +3661,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3714,7 +3714,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3767,7 +3767,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3820,7 +3820,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3873,7 +3873,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3926,7 +3926,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -3979,7 +3979,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4032,7 +4032,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4085,7 +4085,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4138,7 +4138,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4191,7 +4191,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4244,7 +4244,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4297,7 +4297,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4350,7 +4350,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4403,7 +4403,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4456,7 +4456,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4509,7 +4509,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4562,7 +4562,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4615,7 +4615,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4668,7 +4668,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4721,7 +4721,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4774,7 +4774,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4827,7 +4827,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4880,7 +4880,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4933,7 +4933,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -4986,7 +4986,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5039,7 +5039,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5092,7 +5092,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5145,7 +5145,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5198,7 +5198,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5251,7 +5251,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5304,7 +5304,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5357,7 +5357,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5410,7 +5410,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5463,7 +5463,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5516,7 +5516,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5569,7 +5569,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5622,7 +5622,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5675,7 +5675,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5728,7 +5728,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5781,7 +5781,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5834,7 +5834,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5887,7 +5887,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5940,7 +5940,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -5993,7 +5993,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6046,7 +6046,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6099,7 +6099,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6152,7 +6152,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6205,7 +6205,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6258,7 +6258,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6311,7 +6311,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6364,7 +6364,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6417,7 +6417,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6470,7 +6470,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6523,7 +6523,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6576,7 +6576,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6629,7 +6629,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6682,7 +6682,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6735,7 +6735,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6788,7 +6788,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6841,7 +6841,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6894,7 +6894,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -6947,7 +6947,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7000,7 +7000,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7053,7 +7053,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7106,7 +7106,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7159,7 +7159,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7212,7 +7212,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7265,7 +7265,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7318,7 +7318,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7371,7 +7371,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7424,7 +7424,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7477,7 +7477,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7530,7 +7530,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7583,7 +7583,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7636,7 +7636,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7689,7 +7689,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7742,7 +7742,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7795,7 +7795,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7848,7 +7848,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7901,7 +7901,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -7954,7 +7954,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8007,7 +8007,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8060,7 +8060,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8113,7 +8113,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8166,7 +8166,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8219,7 +8219,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8272,7 +8272,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8325,7 +8325,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8378,7 +8378,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8431,7 +8431,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8484,7 +8484,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8537,7 +8537,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8590,7 +8590,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8643,7 +8643,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8696,7 +8696,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8749,7 +8749,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8802,7 +8802,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8855,7 +8855,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8908,7 +8908,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -8961,7 +8961,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9014,7 +9014,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9067,7 +9067,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9120,7 +9120,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9173,7 +9173,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9226,7 +9226,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9279,7 +9279,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9332,7 +9332,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9385,7 +9385,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9438,7 +9438,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9491,7 +9491,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9544,7 +9544,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9597,7 +9597,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9650,7 +9650,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9703,7 +9703,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9756,7 +9756,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.plugin.audit.action.pluginenabled",
@@ -9810,7 +9810,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.applicationconfiguration.audit.action.displaynamechanged",
@@ -9860,7 +9860,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupcreated",
@@ -9917,7 +9917,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.directorycreated",
diff --git a/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json b/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
index de8c7fe8a32..e860c167c7c 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
+++ b/packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
@@ -45,7 +45,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupmembershipscreated.user",
@@ -134,7 +134,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.globalpermissiongrantrequested",
@@ -208,7 +208,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.globalpermissiongranted",
@@ -270,7 +270,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.applicationconfiguration.audit.action.applicationsetup",
@@ -339,7 +339,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.search.audit.action.elasticsearchconfigurationchange",
@@ -403,7 +403,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -474,7 +474,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -545,7 +545,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -616,7 +616,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -674,7 +674,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -738,7 +738,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -802,7 +802,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -866,7 +866,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -930,7 +930,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -994,7 +994,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1058,7 +1058,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1121,7 +1121,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -1198,7 +1198,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -1269,7 +1269,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -1333,7 +1333,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.usercreated",
@@ -1423,7 +1423,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupmembershipscreated.user",
@@ -1502,7 +1502,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupcreated",
@@ -1591,7 +1591,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupmembershipscreated.user",
@@ -1685,7 +1685,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupmembershipdeleted",
@@ -1764,7 +1764,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.groupdeleted",
@@ -1838,7 +1838,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.usercredentialupdated",
@@ -1927,7 +1927,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.userrenamed",
@@ -2005,7 +2005,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.userdeleted",
@@ -2077,7 +2077,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -2154,7 +2154,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -2233,7 +2233,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.projectpermissiongranted",
@@ -2304,7 +2304,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.project.audit.action.projectcreated",
@@ -2393,7 +2393,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.access.tokens.audit.action.accesstokencreated.personal",
@@ -2481,7 +2481,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.access.tokens.audit.action.accesstokenmodified.personal",
@@ -2569,7 +2569,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.access.tokens.audit.action.accesstokenmodified.personal",
@@ -2659,7 +2659,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.access.tokens.audit.action.accesstokendeleted.personal",
@@ -2727,7 +2727,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -2804,7 +2804,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -2854,7 +2854,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.web.audit.action.logoutsuccess",
@@ -2926,7 +2926,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationfailure",
@@ -2994,7 +2994,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -3062,7 +3062,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -3139,7 +3139,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -3203,7 +3203,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.usercredentialupdated",
@@ -3298,7 +3298,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.ssh.audit.action.sshkeycreated",
@@ -3398,7 +3398,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.plugins.gpg.audit.action.gpgevent.created",
@@ -3498,7 +3498,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.plugins.gpg.audit.action.gpgevent.deleted",
@@ -3588,7 +3588,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.ssh.audit.action.sshkeydeleted",
@@ -3661,7 +3661,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationfailure",
@@ -3729,7 +3729,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -3806,7 +3806,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -3856,7 +3856,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.scm.git.lfs.audit.action.gitlfsfeatureenabled",
@@ -3920,7 +3920,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.project.audit.action.projectcreationrequested",
@@ -3999,7 +3999,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.projectpermissiongranted",
@@ -4070,7 +4070,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.project.audit.action.projectcreated",
@@ -4164,7 +4164,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.branch.audit.action.projectbranchmodelconfigurationcreated",
@@ -4233,7 +4233,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositorycreationrequested",
@@ -4307,7 +4307,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositorycreated",
@@ -4376,7 +4376,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositoryaccessed",
@@ -4450,7 +4450,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositoryaccessed",
@@ -4524,7 +4524,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositoryaccessed",
@@ -4603,7 +4603,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositorymodificationrequested",
@@ -4682,7 +4682,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositorymodified",
@@ -4756,7 +4756,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositoryaccessed",
@@ -4845,7 +4845,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.repositorypermissiongrantrequested",
@@ -4936,7 +4936,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.repositorypermissiongranted",
@@ -5027,7 +5027,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.ssh.audit.action.sshkeycreated",
@@ -5132,7 +5132,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.ssh.audit.action.sshaccesskeygranted.repository",
@@ -5222,7 +5222,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.repositorypermissiongrantrequested",
@@ -5313,7 +5313,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.repositorypermissiongranted",
@@ -5404,7 +5404,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.access.tokens.audit.action.accesstokencreated.repository",
@@ -5494,7 +5494,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.access.tokens.audit.action.accesstokenmodified.repository",
@@ -5584,7 +5584,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.access.tokens.audit.action.accesstokendeleted.repository",
@@ -5674,7 +5674,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.repositorypermissionrevocationrequested",
@@ -5765,7 +5765,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.repositorypermissionrevoked",
@@ -5856,7 +5856,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.ssh.audit.action.sshkeydeleted",
@@ -5961,7 +5961,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.ssh.audit.action.sshaccesskeyrevoked.repository",
@@ -6036,7 +6036,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositoryaccessed",
@@ -6103,7 +6103,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -6180,7 +6180,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -6244,7 +6244,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.project.audit.action.projectcreationrequested",
@@ -6323,7 +6323,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.projectpermissiongranted",
@@ -6394,7 +6394,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.project.audit.action.projectcreated",
@@ -6488,7 +6488,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.branch.audit.action.projectbranchmodelconfigurationcreated",
@@ -6557,7 +6557,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositoryaccessed",
@@ -6644,7 +6644,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositorymodificationrequested",
@@ -6731,7 +6731,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositorymodified",
@@ -6805,7 +6805,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositoryaccessed",
@@ -6872,7 +6872,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -6949,7 +6949,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -7018,7 +7018,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositorydeletionrequested",
@@ -7092,7 +7092,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.repository.audit.action.repositorydeleted",
@@ -7159,7 +7159,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -7236,7 +7236,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -7300,7 +7300,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.project.audit.action.projectdeletionrequested",
@@ -7369,7 +7369,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.project.audit.action.projectdeleted",
@@ -7436,7 +7436,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -7513,7 +7513,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -7577,7 +7577,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.project.audit.action.projectmodificationrequested",
@@ -7664,7 +7664,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.project.audit.action.projectmodified",
@@ -7731,7 +7731,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bitbucket.service.user.audit.action.authenticationsuccess",
@@ -7808,7 +7808,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
diff --git a/packages/atlassian_bitbucket/data_stream/audit/agent/stream/stream.yml.hbs b/packages/atlassian_bitbucket/data_stream/audit/agent/stream/stream.yml.hbs
index c6e5ed4c737..de5eea39419 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/agent/stream/stream.yml.hbs
+++ b/packages/atlassian_bitbucket/data_stream/audit/agent/stream/stream.yml.hbs
@@ -16,4 +16,7 @@ exclude_files: [".gz$"]
{{#if processors}}
processors:
{{processors}}
+{{/if}}
+{{#if condition}}
+condition: {{ condition }}
{{/if}}
\ No newline at end of file
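Review bot: The new `condition: {{ condition }}` line interpolates a free-text variable straight into the rendered YAML without any quoting or validation, and the matching manifest hunk (the `- name: condition` block added to data_stream/audit/manifest.yml) declares it as plain `type: text`. A value containing YAML-significant sequences such as `: `, a leading `#` or `[` would change the structure of the rendered stream configuration rather than be rejected, so the variable description should at least state the expected expression syntax (for example `description: Condition expression, e.g. ${host.platform} == 'linux', used to decide whether this input is collected.`), and it is worth confirming that Fleet-side validation covers this field since nothing here does. Two smaller points of style: `{{ condition }}` uses inner spaces while the neighbouring `{{processors}}` does not, and the file still ends without a trailing newline per the marker on the last line.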
diff --git a/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 9e382ff921a..cf3b186dfbe 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing sample logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/atlassian_bitbucket/data_stream/audit/manifest.yml b/packages/atlassian_bitbucket/data_stream/audit/manifest.yml
index 8db8b796cb2..9ac09bca15d 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/manifest.yml
+++ b/packages/atlassian_bitbucket/data_stream/audit/manifest.yml
@@ -39,6 +39,13 @@ streams:
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: condition
+ title: Condition
+ description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details.
+ type: text
+ multi: false
+ required: false
+ show_user: false
- input: httpjson
title: Bitbucket audit logs via Bitbucket audit API
description: Collect Bitbucket audit logs via Bitbucket audit API
@@ -83,6 +90,7 @@ streams:
- name: http_client_timeout
type: text
title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: false
show_user: true
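Review bot: The duration units documented across this file now disagree: the `http_client_timeout` description added here says "Valid time units are ns, us, ms, s, m, h.", whereas the `interval` and `initial_interval` descriptions in the next two hunks say "Supported units for this parameter are h/m/s." If all three values are parsed by the same duration parser, the lists should be identical, and if `interval` is deliberately restricted to h/m/s because of the "between 2m and 1h" bound, the text should say that the restriction is intentional, e.g. `description: Interval at which the logs will be pulled. The value must be between 2m and 1h; only h, m and s units are accepted for this parameter.` The enclosing `streams:` list starts outside this hunk, so I could not check whether other variables in the same stream document units differently again.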
@@ -100,7 +108,7 @@ streams:
multi: false
required: true
show_user: true
- description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.
default: 1h
- name: initial_interval
type: text
@@ -108,7 +116,7 @@ streams:
multi: false
required: true
show_user: false
- description: Initial interval for the first API call. Defaults to 24 hours.
+ description: Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.
default: 24h
- name: ssl
type: yaml
diff --git a/packages/atlassian_bitbucket/data_stream/audit/sample_event.json b/packages/atlassian_bitbucket/data_stream/audit/sample_event.json
index cb39dfd7155..14d71545721 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/sample_event.json
+++ b/packages/atlassian_bitbucket/data_stream/audit/sample_event.json
@@ -38,7 +38,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
diff --git a/packages/atlassian_bitbucket/docs/README.md b/packages/atlassian_bitbucket/docs/README.md
index 054a28b9b70..c1c2e294c4b 100644
--- a/packages/atlassian_bitbucket/docs/README.md
+++ b/packages/atlassian_bitbucket/docs/README.md
@@ -43,7 +43,7 @@ The Bitbucket integration collects audit logs from the audit log files or the au
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| error.message | Error message. | match_only_text |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| group.id | Unique identifier for the group on the system/platform. | keyword |
@@ -149,7 +149,7 @@ An example event for `audit` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
diff --git a/packages/atlassian_bitbucket/kibana/tags.yml b/packages/atlassian_bitbucket/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/atlassian_bitbucket/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/atlassian_bitbucket/manifest.yml b/packages/atlassian_bitbucket/manifest.yml
index ba7bb253fb6..6e894ba5aaa 100644
--- a/packages/atlassian_bitbucket/manifest.yml
+++ b/packages/atlassian_bitbucket/manifest.yml
@@ -1,14 +1,15 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: atlassian_bitbucket
title: Atlassian Bitbucket
-version: "1.11.0"
+version: "1.17.0"
description: Collect logs from Atlassian Bitbucket with Elastic Agent.
type: integration
categories:
- security
- productivity_security
conditions:
- kibana.version: "^8.7.1"
+ kibana:
+ version: "^8.7.1"
icons:
- src: /img/bitbucket-logo.svg
title: Bitbucket Logo
@@ -27,3 +28,4 @@ policy_templates:
description: "Collecting audit logs from Bitbucket via API"
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/atlassian_confluence/_dev/build/build.yml b/packages/atlassian_confluence/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/atlassian_confluence/_dev/build/build.yml
+++ b/packages/atlassian_confluence/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/atlassian_confluence/_dev/deploy/docker/files/config.yml b/packages/atlassian_confluence/_dev/deploy/docker/files/config.yml
index a97c2d8b674..24cf78ba397 100644
--- a/packages/atlassian_confluence/_dev/deploy/docker/files/config.yml
+++ b/packages/atlassian_confluence/_dev/deploy/docker/files/config.yml
@@ -17,8 +17,10 @@ rules:
request_headers:
authorization: Basic dGVzdC51c2VyOmFiYzEyMw==
query_params:
- from: "{from:.*}"
- to: "{to:.*}"
+ from: >-
+ {from:[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]{1,3})?(?:(?:[+-][0-9]{4})|Z)?}
+ to: >-
+ {to:[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]{1,3})?(?:(?:[+-][0-9]{4})|Z)?}
limit: "2"
responses:
- status_code: 200
@@ -30,8 +32,8 @@ rules:
request_headers:
authorization: Basic dGVzdC51c2VyOmFiYzEyMw==
query_params:
- startDate: "{startDate:.*}"
- endDate: "{endDate:.*}"
+ startDate: "{startDate:[0-9]+}"
+ endDate: "{endDate:[0-9]+}"
start: "2"
limit: "2"
responses:
@@ -43,8 +45,8 @@ rules:
request_headers:
authorization: Basic dGVzdC51c2VyOmFiYzEyMw==
query_params:
- startDate: "{startDate:.*}"
- endDate: "{endDate:.*}"
+ startDate: "{startDate:[0-9]+}"
+ endDate: "{endDate:[0-9]+}"
limit: "2"
start: "0"
responses:
diff --git a/packages/atlassian_confluence/_dev/deploy/docker/files/test-audit.log b/packages/atlassian_confluence/_dev/deploy/docker/files/test-audit.log
index 3e67c696e76..bbe87e110fb 100644
--- a/packages/atlassian_confluence/_dev/deploy/docker/files/test-audit.log
+++ b/packages/atlassian_confluence/_dev/deploy/docker/files/test-audit.log
@@ -4,4 +4,4 @@
{"affectedObjects":[{"id":"2c9580827d4a06e8017d4a0e9dda0001","name":"Another User","type":"User"}],"auditType":{"action":"User created","actionI18nKey":"audit.logging.summary.user.created","area":"USER_MANAGEMENT","category":"Users and groups","categoryI18nKey":"audit.logging.category.user.management","level":"BASE"},"author":{"id":"2c9580827d4a06e8017d4a07c3e10000","name":"test.user","type":"user"},"changedValues":[{"i18nKey":"Display name","key":"Display name","to":"Another User"},{"i18nKey":"Email","key":"Email","to":"another.user@example.como"},{"i18nKey":"Username","key":"Username","to":"another.user"},{"i18nKey":"Active","key":"Active","to":"Yes"}],"extraAttributes":[],"method":"Browser","source":"81.2.69.143","system":"http://confluence.internal:8090","timestamp":{"epochSecond":1637625013,"nano":842000000},"version":"1.0"}
{"affectedObjects":[{"id":"confluence-users","name":"confluence-users","type":"Group"},{"id":"2c9580827d4a06e8017d4a0e9dda0001","name":"another.user","type":"User"}],"auditType":{"action":"User added to group","actionI18nKey":"audit.logging.summary.group.membership.added","area":"USER_MANAGEMENT","category":"Users and groups","categoryI18nKey":"audit.logging.category.user.management","level":"BASE"},"author":{"id":"2c9580827d4a06e8017d4a07c3e10000","name":"test.user","type":"user"},"changedValues":[],"extraAttributes":[],"method":"Browser","source":"81.2.69.143","system":"http://confluence.internal:8090","timestamp":{"epochSecond":1637625013,"nano":966000000},"version":"1.0"}
{"affectedObjects":[{"id":"confluence-administrators","name":"confluence-administrators","type":"Group"},{"id":"2c9580827d4a06e8017d4a0e9dda0001","name":"another.user","type":"User"}],"auditType":{"action":"User added to group","actionI18nKey":"audit.logging.summary.group.membership.added","area":"USER_MANAGEMENT","category":"Users and groups","categoryI18nKey":"audit.logging.category.user.management","level":"BASE"},"author":{"id":"2c9580827d4a06e8017d4a07c3e10000","name":"test.user","type":"user"},"changedValues":[],"extraAttributes":[],"method":"Browser","source":"81.2.69.143","system":"http://confluence.internal:8090","timestamp":{"epochSecond":1637625032,"nano":205000000},"version":"1.0"}
-{"affectedObjects":[],"auditType":{"action":"Audit Log search performed","actionI18nKey":"atlassian.audit.event.action.audit.search","area":"AUDIT_LOG","category":"Auditing","categoryI18nKey":"atlassian.audit.event.category.audit","level":"BASE"},"author":{"id":"2c9580827d4a06e8017d4a07c3e10000","name":"test.user","type":"user"},"changedValues":[],"extraAttributes":[{"name":"Results returned","nameI18nKey":"atlassian.audit.event.attribute.results","value":"63"},{"name":"Query","nameI18nKey":"atlassian.audit.event.attribute.query","value":""},{"name":"ID Range","nameI18nKey":"atlassian.audit.event.attribute.id","value":"1 - 63"},{"name":"Timestamp Range","nameI18nKey":"atlassian.audit.event.attribute.timestamp","value":"2021-11-22T23:42:45.791Z - 2021-11-22T23:50:32.205Z"}],"method":"Browser","source":"81.2.69.143","system":"http://confluence.internal:8090","timestamp":{"epochSecond":1637625035,"nano":770000000},"version":"1.0"}
\ No newline at end of file
+{"affectedObjects":[],"auditType":{"action":"Audit Log search performed","actionI18nKey":"atlassian.audit.event.action.audit.search","area":"AUDIT_LOG","category":"Auditing","categoryI18nKey":"atlassian.audit.event.category.audit","level":"BASE"},"author":{"id":"2c9580827d4a06e8017d4a07c3e10000","name":"test.user","type":"user"},"changedValues":[],"extraAttributes":[{"name":"Results returned","nameI18nKey":"atlassian.audit.event.attribute.results","value":"63"},{"name":"Query","nameI18nKey":"atlassian.audit.event.attribute.query","value":""},{"name":"ID Range","nameI18nKey":"atlassian.audit.event.attribute.id","value":"1 - 63"},{"name":"Timestamp Range","nameI18nKey":"atlassian.audit.event.attribute.timestamp","value":"2021-11-22T23:42:45.791Z - 2021-11-22T23:50:32.205Z"}],"method":"Browser","source":"81.2.69.143","system":"http://confluence.internal:8090","timestamp":{"epochSecond":1637625035,"nano":770000000},"version":"1.0"}
diff --git a/packages/atlassian_confluence/changelog.yml b/packages/atlassian_confluence/changelog.yml
index b88e89768e7..973e4580169 100644
--- a/packages/atlassian_confluence/changelog.yml
+++ b/packages/atlassian_confluence/changelog.yml
@@ -1,4 +1,44 @@
# newer versions go on top
+- version: 1.18.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.17.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.16.2"
+ changes:
+ - description: Ensure pagination request timestamps are properly encoded.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7802
+- version: "1.16.1"
+ changes:
+ - description: Fixed cursor timestamp handling.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7647
+- version: "1.16.0"
+ changes:
+ - description: Add ability to set condition for logfile logs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7370
+- version: "1.15.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.14.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
+- version: "1.13.0"
+ changes:
+ - description: Document valid duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6706
- version: "1.12.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json
index 7f9f40c77f1..6abb40531aa 100644
--- a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json
+++ b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json
@@ -35,7 +35,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -119,7 +119,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -203,7 +203,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -287,7 +287,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -371,7 +371,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -455,7 +455,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -539,7 +539,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -623,7 +623,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -707,7 +707,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -801,7 +801,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -899,7 +899,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -997,7 +997,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1088,7 +1088,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1186,7 +1186,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1284,7 +1284,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1382,7 +1382,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1473,7 +1473,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1571,7 +1571,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1669,7 +1669,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1767,7 +1767,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1858,7 +1858,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1956,7 +1956,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2054,7 +2054,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2152,7 +2152,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2243,7 +2243,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2341,7 +2341,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2439,7 +2439,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2537,7 +2537,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2628,7 +2628,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2726,7 +2726,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2824,7 +2824,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2922,7 +2922,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3013,7 +3013,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3111,7 +3111,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3209,7 +3209,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3307,7 +3307,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3398,7 +3398,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3496,7 +3496,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3594,7 +3594,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3692,7 +3692,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3783,7 +3783,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3881,7 +3881,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3979,7 +3979,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4077,7 +4077,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4175,7 +4175,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4273,7 +4273,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4364,7 +4364,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4462,7 +4462,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4560,7 +4560,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4658,7 +4658,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4749,7 +4749,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4847,7 +4847,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4945,7 +4945,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5043,7 +5043,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5134,7 +5134,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5232,7 +5232,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5330,7 +5330,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5428,7 +5428,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5519,7 +5519,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5617,7 +5617,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5715,7 +5715,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5813,7 +5813,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5906,7 +5906,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -5995,7 +5995,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6084,7 +6084,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6173,7 +6173,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6262,7 +6262,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6351,7 +6351,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6440,7 +6440,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6522,7 +6522,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6611,7 +6611,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6700,7 +6700,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6789,7 +6789,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6878,7 +6878,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -6967,7 +6967,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7049,7 +7049,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7138,7 +7138,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7227,7 +7227,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7316,7 +7316,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7398,7 +7398,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7487,7 +7487,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7576,7 +7576,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7665,7 +7665,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7747,7 +7747,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7836,7 +7836,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -7925,7 +7925,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8014,7 +8014,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8096,7 +8096,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8185,7 +8185,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8274,7 +8274,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8363,7 +8363,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8445,7 +8445,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8534,7 +8534,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8623,7 +8623,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8712,7 +8712,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8794,7 +8794,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8883,7 +8883,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -8972,7 +8972,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9061,7 +9061,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9143,7 +9143,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9225,7 +9225,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9314,7 +9314,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9403,7 +9403,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9492,7 +9492,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9574,7 +9574,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9663,7 +9663,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9752,7 +9752,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9841,7 +9841,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -9930,7 +9930,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -10019,7 +10019,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -10101,7 +10101,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -10190,7 +10190,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -10279,7 +10279,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -10368,7 +10368,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -10450,7 +10450,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.removed",
@@ -10552,7 +10552,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.config.updated",
@@ -10626,7 +10626,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.import",
@@ -10711,7 +10711,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -10796,7 +10796,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -10881,7 +10881,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -10966,7 +10966,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -11051,7 +11051,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -11121,7 +11121,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -11195,7 +11195,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -11289,7 +11289,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -11376,7 +11376,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -11470,7 +11470,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -11564,7 +11564,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -11651,7 +11651,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -11745,7 +11745,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -11839,7 +11839,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -11926,7 +11926,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12020,7 +12020,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12114,7 +12114,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12201,7 +12201,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12295,7 +12295,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12389,7 +12389,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12476,7 +12476,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12570,7 +12570,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12664,7 +12664,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12751,7 +12751,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12845,7 +12845,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -12939,7 +12939,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13026,7 +13026,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13120,7 +13120,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13214,7 +13214,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13301,7 +13301,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13395,7 +13395,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13489,7 +13489,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13583,7 +13583,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13670,7 +13670,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13764,7 +13764,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13858,7 +13858,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -13945,7 +13945,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -14039,7 +14039,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -14133,7 +14133,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -14220,7 +14220,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -14314,7 +14314,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -14408,7 +14408,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -14495,7 +14495,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -14589,7 +14589,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -14683,7 +14683,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -14760,7 +14760,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.membership.added",
@@ -14848,7 +14848,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.membership.added",
@@ -14952,7 +14952,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.user.created",
@@ -15049,7 +15049,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -15132,7 +15132,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -15215,7 +15215,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -15298,7 +15298,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -15381,7 +15381,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -15464,7 +15464,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -15547,7 +15547,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -15630,7 +15630,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -15701,7 +15701,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.created",
@@ -15776,7 +15776,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.created",
@@ -15941,7 +15941,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.directory.added",
@@ -16008,7 +16008,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.import",
@@ -16073,7 +16073,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.plugin.enabled",
@@ -16138,7 +16138,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.plugin.enabled",
@@ -16213,7 +16213,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.user.renamed",
@@ -16284,7 +16284,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.user.updated",
@@ -16361,7 +16361,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.user.updated",
diff --git a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json
index d1972212414..9c7f80b16f2 100644
--- a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json
+++ b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json
@@ -18,7 +18,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Space logo uploaded",
@@ -75,7 +75,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Space logo uploaded",
@@ -132,7 +132,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Space logo uploaded",
@@ -211,7 +211,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Space configuration updated",
@@ -290,7 +290,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Space created",
@@ -374,7 +374,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Space configuration updated",
@@ -458,7 +458,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Space created",
@@ -519,7 +519,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -593,7 +593,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -680,7 +680,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User created",
@@ -748,7 +748,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -834,7 +834,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User created",
@@ -901,7 +901,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -975,7 +975,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1049,7 +1049,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1123,7 +1123,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1193,7 +1193,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Group created",
@@ -1261,7 +1261,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1335,7 +1335,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1409,7 +1409,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1479,7 +1479,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Group created",
@@ -1547,7 +1547,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1621,7 +1621,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1695,7 +1695,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1769,7 +1769,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1839,7 +1839,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Group created",
@@ -1925,7 +1925,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Space configuration updated",
@@ -2004,7 +2004,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Space created",
@@ -2065,7 +2065,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -2139,7 +2139,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -2226,7 +2226,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User created",
@@ -2294,7 +2294,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -2372,7 +2372,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User details updated",
@@ -2429,7 +2429,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User deactivated",
@@ -2497,7 +2497,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Page archived",
@@ -2562,7 +2562,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User details updated",
@@ -2619,7 +2619,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User deactivated",
diff --git a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
index c8bbb132b5b..0e61db4174b 100644
--- a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
+++ b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
@@ -22,7 +22,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.plugin.enabled",
@@ -89,7 +89,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.plugin.enabled",
@@ -157,7 +157,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.import",
@@ -316,7 +316,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.directory.added",
@@ -384,7 +384,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.created",
@@ -460,7 +460,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.created",
@@ -548,7 +548,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -632,7 +632,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -716,7 +716,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -800,7 +800,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -884,7 +884,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -968,7 +968,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -1052,7 +1052,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -1136,7 +1136,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.permission.added",
@@ -1230,7 +1230,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.user.created",
@@ -1321,7 +1321,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.membership.added",
@@ -1409,7 +1409,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.membership.added",
@@ -1514,7 +1514,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1608,7 +1608,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1696,7 +1696,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1790,7 +1790,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1884,7 +1884,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -1972,7 +1972,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2066,7 +2066,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2160,7 +2160,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2248,7 +2248,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2342,7 +2342,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2436,7 +2436,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2524,7 +2524,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2618,7 +2618,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2712,7 +2712,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2806,7 +2806,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2894,7 +2894,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -2988,7 +2988,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3082,7 +3082,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3170,7 +3170,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3264,7 +3264,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3358,7 +3358,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3446,7 +3446,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3540,7 +3540,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3634,7 +3634,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3722,7 +3722,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3816,7 +3816,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3910,7 +3910,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -3998,7 +3998,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4092,7 +4092,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4186,7 +4186,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4274,7 +4274,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4368,7 +4368,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4462,7 +4462,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4550,7 +4550,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4644,7 +4644,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4738,7 +4738,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4826,7 +4826,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -4920,7 +4920,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5014,7 +5014,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.space.permission.added",
@@ -5086,7 +5086,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.config.updated",
@@ -5152,7 +5152,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -5235,7 +5235,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -5309,7 +5309,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.global.settings.edited",
@@ -5402,7 +5402,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.user.created",
@@ -5493,7 +5493,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.membership.added",
@@ -5581,7 +5581,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "audit.logging.summary.group.membership.added",
@@ -5678,7 +5678,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
diff --git a/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-api-cloud-config.yml b/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-api-cloud-config.yml
index db15df6d8e1..88bf262f0a1 100644
--- a/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-api-cloud-config.yml
+++ b/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-api-cloud-config.yml
@@ -12,3 +12,5 @@ data_stream:
verification_mode: none
atlassian_cloud: true
enable_request_tracer: true
+assert:
+ hit_count: 4
diff --git a/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-api-config.yml b/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-api-config.yml
index eea4c31f5b4..6935a554b04 100644
--- a/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-api-config.yml
+++ b/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-api-config.yml
@@ -11,3 +11,5 @@ data_stream:
ssl: |-
verification_mode: none
enable_request_tracer: true
+assert:
+ hit_count: 4
diff --git a/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-files-config.yml b/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-files-config.yml
index ff9fef0ba62..93d752173f0 100644
--- a/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-files-config.yml
+++ b/packages/atlassian_confluence/data_stream/audit/_dev/test/system/test-files-config.yml
@@ -6,3 +6,5 @@ data_stream:
- "{{SERVICE_LOGS_DIR}}/*.log"
preserve_original_event: true
enable_request_tracer: true
+assert:
+ hit_count: 7
diff --git a/packages/atlassian_confluence/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/atlassian_confluence/data_stream/audit/agent/stream/httpjson.yml.hbs
index 1c347fb6371..f7a60434f49 100644
--- a/packages/atlassian_confluence/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ b/packages/atlassian_confluence/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -50,19 +50,20 @@ response.split:
response.pagination:
- set:
- target: url.value
- value: >
- [[sprintf "%s/wiki/rest/api/audit?endDate=%s&startDate=%s&start=%d&limit=%s"
- "{{api_url}}"
- (.last_response.url.params.Get "endDate")
- (.last_response.url.params.Get "startDate")
- (add (toInt .last_response.body.start) (toInt .last_response.body.limit))
- "{{ limit }}"]]
- fail_on_template_error: true
-
+ target: url.params.endDate
+ value: '[[.last_response.url.params.Get "endDate"]]'
+ - set:
+ target: url.params.startDate
+ value: '[[.last_response.url.params.Get "startDate"]]'
+ - set:
+ target: url.params.start
+ value: '[[add (toInt .last_response.body.start) (toInt .last_response.body.limit)]]'
+ - set:
+ target: url.params.limit
+ value: '{{limit}}'
cursor:
last_timestamp:
- value: '[[.first_event.creationDate]]'
+ value: '[[(toInt .first_event.creationDate)]]'
fields_under_root: true
fields:
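Review bot: Dropping `fail_on_template_error: true` when splitting the single `url.value` template into per-parameter `set` steps removes the only explicit stop condition visible here: the new `url.params.start` step always computes `add (toInt .last_response.body.start) (toInt .last_response.body.limit)`, and nothing in the hunk ends the chain when a final or empty page lacks `start`/`limit`. With the old template a missing field failed the evaluation and terminated pagination; with the new steps, whether httpjson stops depends on how it treats a template evaluated against a missing key, which I cannot confirm from this hunk alone. I would keep `fail_on_template_error: true` on the `url.params.start` step so an absent `start` or `limit` ends pagination deterministically instead of risking a repeated or unbounded offset. The cursor change to `[[(toInt .first_event.creationDate)]]` also presumes the API returns newest-first; a comment such as `# API returns newest-first, so first_event carries the latest creationDate` would make that assumption reviewable, since a wrong ordering silently skips events on the next interval.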
diff --git a/packages/atlassian_confluence/data_stream/audit/agent/stream/stream.yml.hbs b/packages/atlassian_confluence/data_stream/audit/agent/stream/stream.yml.hbs
index c6e5ed4c737..de5eea39419 100644
--- a/packages/atlassian_confluence/data_stream/audit/agent/stream/stream.yml.hbs
+++ b/packages/atlassian_confluence/data_stream/audit/agent/stream/stream.yml.hbs
@@ -16,4 +16,7 @@ exclude_files: [".gz$"]
{{#if processors}}
processors:
{{processors}}
+{{/if}}
+{{#if condition}}
+condition: {{ condition }}
{{/if}}
\ No newline at end of file
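Review bot: `condition: {{ condition }}` emits the user-supplied text into the rendered agent YAML as an unquoted inline scalar, so a value containing `#` or a `: ` sequence would produce an invalid or differently-parsed policy document rather than a rejected input. The `processors` variable above it is rendered as a block body, which is why only `condition` is exposed to this. Other Elastic integrations use the same unquoted form, so this may be accepted convention; if it is, the manifest's `condition` description should say so explicitly, e.g. `Inserted verbatim into the agent policy; must be a valid condition expression.` The template still ends without a trailing newline, which the diff flags on this hunk.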
diff --git a/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index dc470649e8a..34fbe017856 100644
--- a/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing Atlassian Confluence audit logs.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/atlassian_confluence/data_stream/audit/manifest.yml b/packages/atlassian_confluence/data_stream/audit/manifest.yml
index 3f8a438cee5..f713df4dd04 100644
--- a/packages/atlassian_confluence/data_stream/audit/manifest.yml
+++ b/packages/atlassian_confluence/data_stream/audit/manifest.yml
@@ -39,6 +39,13 @@ streams:
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: condition
+ title: Condition
+ description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details.
+ type: text
+ multi: false
+ required: false
+ show_user: false
- input: httpjson
title: Confluence audit logs via Confluence audit API
description: Collect Confluence audit logs via Confluence audit API
@@ -91,6 +98,7 @@ streams:
- name: http_client_timeout
type: text
title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: false
show_user: true
@@ -108,7 +116,7 @@ streams:
multi: false
required: true
show_user: true
- description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.
default: 1h
- name: initial_interval
type: text
@@ -116,7 +124,7 @@ streams:
multi: false
required: true
show_user: false
- description: Initial interval for the first API call. Defaults to 24 hours.
+ description: Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.
default: 24h
- name: ssl
type: yaml
diff --git a/packages/atlassian_confluence/data_stream/audit/sample_event.json b/packages/atlassian_confluence/data_stream/audit/sample_event.json
index 8bc3b9bd90d..6ac6837fb7b 100644
--- a/packages/atlassian_confluence/data_stream/audit/sample_event.json
+++ b/packages/atlassian_confluence/data_stream/audit/sample_event.json
@@ -47,7 +47,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/atlassian_confluence/docs/README.md b/packages/atlassian_confluence/docs/README.md
index 8fc58e3bbf4..4879445c029 100644
--- a/packages/atlassian_confluence/docs/README.md
+++ b/packages/atlassian_confluence/docs/README.md
@@ -50,9 +50,9 @@ The Confluence integration collects audit logs from the audit log files or the a
| error.message | Error message. | match_only_text |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
@@ -170,7 +170,7 @@ An example event for `audit` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/atlassian_confluence/kibana/tags.yml b/packages/atlassian_confluence/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/atlassian_confluence/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/atlassian_confluence/manifest.yml b/packages/atlassian_confluence/manifest.yml
index 3607716abac..54a03d67898 100644
--- a/packages/atlassian_confluence/manifest.yml
+++ b/packages/atlassian_confluence/manifest.yml
@@ -1,14 +1,15 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: atlassian_confluence
title: Atlassian Confluence
-version: "1.12.0"
+version: "1.18.0"
description: Collect logs from Atlassian Confluence with Elastic Agent.
type: integration
categories:
- security
- productivity_security
conditions:
- kibana.version: "^8.7.1"
+ kibana:
+ version: "^8.7.1"
icons:
- src: /img/confluence-logo.svg
title: Confluence Logo
@@ -27,3 +28,4 @@ policy_templates:
description: "Collecting audit logs from Confluence via API"
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/atlassian_jira/_dev/build/build.yml b/packages/atlassian_jira/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/atlassian_jira/_dev/build/build.yml
+++ b/packages/atlassian_jira/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/atlassian_jira/_dev/deploy/docker/files/config.yml b/packages/atlassian_jira/_dev/deploy/docker/files/config.yml
index f8e5c104b55..b8c137ab436 100644
--- a/packages/atlassian_jira/_dev/deploy/docker/files/config.yml
+++ b/packages/atlassian_jira/_dev/deploy/docker/files/config.yml
@@ -17,8 +17,10 @@ rules:
request_headers:
authorization: Basic dGVzdC51c2VyOmFiYzEyMw==
query_params:
- from: "{from:.*}"
- to: "{to:.*}"
+ from: >-
+ {from:[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]{1,3})?(?:(?:[+-][0-9]{4})|Z)?}
+ to: >-
+ {to:[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]{1,3})?(?:(?:[+-][0-9]{4})|Z)?}
limit: "2"
responses:
- status_code: 200
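Review bot: The tightened `from`/`to` pattern accepts an optional `Z` or `±HHMM` offset but not the `±HH:MM` form, so the mock will 404 if the integration's timestamp formatting is ever changed to colon-separated offsets; that is presumably the point of the fix ("properly encoded"), but a short comment above the rule stating the expected format, e.g. `# from/to must be yyyy-MM-ddTHH:mm:ss[.SSS][Z|±HHMM]`, would make the contract explicit. The identical pattern is repeated verbatim in all three rules; if the mock-server config loader honours YAML anchors, a single `&ts_pattern` anchor would keep them from drifting apart. The `authorization` header is a fixed test credential for the mock, as before, so no change is needed there.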
@@ -30,8 +32,10 @@ rules:
request_headers:
authorization: Basic dGVzdC51c2VyOmFiYzEyMw==
query_params:
- from: "{from:.*}"
- to: "{to:.*}"
+ from: >-
+ {from:[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]{1,3})?(?:(?:[+-][0-9]{4})|Z)?}
+ to: >-
+ {to:[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]{1,3})?(?:(?:[+-][0-9]{4})|Z)?}
offset: "2"
limit: "2"
responses:
@@ -43,8 +47,10 @@ rules:
request_headers:
authorization: Basic dGVzdC51c2VyOmFiYzEyMw==
query_params:
- from: "{from:.*}"
- to: "{to:.*}"
+ from: >-
+ {from:[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]{1,3})?(?:(?:[+-][0-9]{4})|Z)?}
+ to: >-
+ {to:[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]{1,3})?(?:(?:[+-][0-9]{4})|Z)?}
limit: "2"
offset: "0"
responses:
diff --git a/packages/atlassian_jira/changelog.yml b/packages/atlassian_jira/changelog.yml
index 36ee1964f06..94a9f86cba2 100644
--- a/packages/atlassian_jira/changelog.yml
+++ b/packages/atlassian_jira/changelog.yml
@@ -1,4 +1,39 @@
# newer versions go on top
+- version: 1.18.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.17.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.16.1"
+ changes:
+ - description: Ensure from/to timestamps are properly encoded.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7759
+- version: "1.16.0"
+ changes:
+ - description: Add ability to set condition for logfile logs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7369
+- version: "1.15.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.14.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
+- version: "1.13.0"
+ changes:
+ - description: Document valid duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6706
- version: "1.12.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json
index a77a4ca60f3..89ea0586859 100644
--- a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json
+++ b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2021-11-22T00:34:47.536Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -86,7 +86,7 @@
{
"@timestamp": "2021-11-22T00:34:40.008Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -169,7 +169,7 @@
{
"@timestamp": "2021-11-22T00:34:23.154Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "personal.access.tokens.audit.log.summary.token.created",
@@ -238,7 +238,7 @@
{
"@timestamp": "2021-11-22T00:32:20.234Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -309,7 +309,7 @@
{
"@timestamp": "2021-11-22T00:31:52.991Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -380,7 +380,7 @@
{
"@timestamp": "2021-11-22T00:31:37.412Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -451,7 +451,7 @@
{
"@timestamp": "2021-11-22T00:31:26.455Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -522,7 +522,7 @@
{
"@timestamp": "2021-11-22T00:30:59.449Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -593,7 +593,7 @@
{
"@timestamp": "2021-11-22T00:26:03.206Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -664,7 +664,7 @@
{
"@timestamp": "2021-11-22T00:12:02.856Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -735,7 +735,7 @@
{
"@timestamp": "2021-11-22T00:08:34.545Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.version.created",
@@ -806,7 +806,7 @@
{
"@timestamp": "2021-11-22T00:08:34.543Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.version.created",
@@ -882,7 +882,7 @@
{
"@timestamp": "2021-11-22T00:08:34.535Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.version.released",
@@ -946,7 +946,7 @@
{
"@timestamp": "2021-11-22T00:08:34.521Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.version.created",
@@ -1022,7 +1022,7 @@
{
"@timestamp": "2021-11-22T00:08:34.506Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.project.roles.changed",
@@ -1092,7 +1092,7 @@
{
"@timestamp": "2021-11-22T00:08:34.297Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.project.created",
@@ -1185,7 +1185,7 @@
{
"@timestamp": "2021-11-22T00:08:34.266Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.added.to.project",
@@ -1249,7 +1249,7 @@
{
"@timestamp": "2021-11-22T00:08:34.249Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.removed.from.project",
@@ -1317,7 +1317,7 @@
{
"@timestamp": "2021-11-22T00:08:34.243Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1387,7 +1387,7 @@
{
"@timestamp": "2021-11-22T00:08:34.241Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1457,7 +1457,7 @@
{
"@timestamp": "2021-11-22T00:08:34.239Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1527,7 +1527,7 @@
{
"@timestamp": "2021-11-22T00:08:34.236Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1597,7 +1597,7 @@
{
"@timestamp": "2021-11-22T00:08:34.235Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1667,7 +1667,7 @@
{
"@timestamp": "2021-11-22T00:08:34.233Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1737,7 +1737,7 @@
{
"@timestamp": "2021-11-22T00:08:34.231Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1812,7 +1812,7 @@
{
"@timestamp": "2021-11-22T00:08:34.229Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1882,7 +1882,7 @@
{
"@timestamp": "2021-11-22T00:08:34.227Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1957,7 +1957,7 @@
{
"@timestamp": "2021-11-22T00:08:34.225Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2027,7 +2027,7 @@
{
"@timestamp": "2021-11-22T00:08:34.223Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2097,7 +2097,7 @@
{
"@timestamp": "2021-11-22T00:08:34.221Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2172,7 +2172,7 @@
{
"@timestamp": "2021-11-22T00:08:34.219Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2242,7 +2242,7 @@
{
"@timestamp": "2021-11-22T00:08:34.217Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2317,7 +2317,7 @@
{
"@timestamp": "2021-11-22T00:08:34.215Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2387,7 +2387,7 @@
{
"@timestamp": "2021-11-22T00:08:34.212Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2462,7 +2462,7 @@
{
"@timestamp": "2021-11-22T00:08:34.210Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2537,7 +2537,7 @@
{
"@timestamp": "2021-11-22T00:08:34.208Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2607,7 +2607,7 @@
{
"@timestamp": "2021-11-22T00:08:34.204Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2682,7 +2682,7 @@
{
"@timestamp": "2021-11-22T00:08:34.190Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2752,7 +2752,7 @@
{
"@timestamp": "2021-11-22T00:08:34.187Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2822,7 +2822,7 @@
{
"@timestamp": "2021-11-22T00:08:34.184Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2897,7 +2897,7 @@
{
"@timestamp": "2021-11-22T00:08:34.182Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -2967,7 +2967,7 @@
{
"@timestamp": "2021-11-22T00:08:34.180Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3037,7 +3037,7 @@
{
"@timestamp": "2021-11-22T00:08:34.178Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3107,7 +3107,7 @@
{
"@timestamp": "2021-11-22T00:08:34.176Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3177,7 +3177,7 @@
{
"@timestamp": "2021-11-22T00:08:34.174Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3247,7 +3247,7 @@
{
"@timestamp": "2021-11-22T00:08:34.173Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3322,7 +3322,7 @@
{
"@timestamp": "2021-11-22T00:08:34.171Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3392,7 +3392,7 @@
{
"@timestamp": "2021-11-22T00:08:34.168Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3462,7 +3462,7 @@
{
"@timestamp": "2021-11-22T00:08:34.166Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3532,7 +3532,7 @@
{
"@timestamp": "2021-11-22T00:08:34.165Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3602,7 +3602,7 @@
{
"@timestamp": "2021-11-22T00:08:34.163Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3672,7 +3672,7 @@
{
"@timestamp": "2021-11-22T00:08:34.151Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3742,7 +3742,7 @@
{
"@timestamp": "2021-11-22T00:08:34.142Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.created",
@@ -3812,7 +3812,7 @@
{
"@timestamp": "2021-11-22T00:08:34.072Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Board created",
@@ -3876,7 +3876,7 @@
{
"@timestamp": "2021-11-22T00:08:33.887Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.filter.created",
@@ -3973,7 +3973,7 @@
{
"@timestamp": "2021-11-22T00:08:33.746Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.workflow.scheme.added.to.project",
@@ -4037,7 +4037,7 @@
{
"@timestamp": "2021-11-22T00:08:33.732Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.workflow.scheme.created",
@@ -4107,7 +4107,7 @@
{
"@timestamp": "2021-11-22T00:08:33.710Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.workflow.created",
@@ -4187,7 +4187,7 @@
{
"@timestamp": "2021-11-22T00:08:33.537Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.resolutions.created",
@@ -4252,7 +4252,7 @@
{
"@timestamp": "2021-11-22T00:08:33.536Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.resolutions.created",
@@ -4317,7 +4317,7 @@
{
"@timestamp": "2021-11-22T00:08:33.535Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.resolutions.created",
@@ -4382,7 +4382,7 @@
{
"@timestamp": "2021-11-22T00:08:33.534Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.resolutions.created",
@@ -4447,7 +4447,7 @@
{
"@timestamp": "2021-11-22T00:07:09.088Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -4522,7 +4522,7 @@
{
"@timestamp": "2021-11-22T00:07:09.037Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.issue.type.created",
@@ -4582,7 +4582,7 @@
{
"@timestamp": "2021-11-22T00:07:02.794Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -4657,7 +4657,7 @@
{
"@timestamp": "2021-11-22T00:07:02.725Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -4732,7 +4732,7 @@
{
"@timestamp": "2021-11-22T00:07:02.694Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -4807,7 +4807,7 @@
{
"@timestamp": "2021-11-22T00:07:01.669Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -4882,7 +4882,7 @@
{
"@timestamp": "2021-11-22T00:07:01.644Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -4957,7 +4957,7 @@
{
"@timestamp": "2021-11-22T00:06:59.522Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -5032,7 +5032,7 @@
{
"@timestamp": "2021-11-22T00:06:59.485Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.issue.type.created",
@@ -5092,7 +5092,7 @@
{
"@timestamp": "2021-11-22T00:06:59.340Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.updated",
@@ -5150,7 +5150,7 @@
{
"@timestamp": "2021-11-22T00:06:59.332Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.updated",
@@ -5208,7 +5208,7 @@
{
"@timestamp": "2021-11-22T00:06:59.313Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -5278,7 +5278,7 @@
{
"@timestamp": "2021-11-22T00:06:59.266Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -5353,7 +5353,7 @@
{
"@timestamp": "2021-11-22T00:06:59.224Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -5428,7 +5428,7 @@
{
"@timestamp": "2021-11-22T00:06:58.990Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.updated",
@@ -5486,7 +5486,7 @@
{
"@timestamp": "2021-11-22T00:06:58.974Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -5556,7 +5556,7 @@
{
"@timestamp": "2021-11-22T00:06:58.318Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -5626,7 +5626,7 @@
{
"@timestamp": "2021-11-22T00:06:57.162Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5701,7 +5701,7 @@
{
"@timestamp": "2021-11-22T00:06:57.158Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5776,7 +5776,7 @@
{
"@timestamp": "2021-11-22T00:06:57.138Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5851,7 +5851,7 @@
{
"@timestamp": "2021-11-22T00:06:49.756Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.added.to.group",
@@ -5926,7 +5926,7 @@
{
"@timestamp": "2021-11-22T00:06:49.754Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -5999,7 +5999,7 @@
{
"@timestamp": "2021-11-22T00:06:49.752Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -6072,7 +6072,7 @@
{
"@timestamp": "2021-11-22T00:06:49.751Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -6145,7 +6145,7 @@
{
"@timestamp": "2021-11-22T00:06:49.750Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -6218,7 +6218,7 @@
{
"@timestamp": "2021-11-22T00:06:49.734Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.added.to.group",
@@ -6293,7 +6293,7 @@
{
"@timestamp": "2021-11-22T00:06:49.600Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.created",
@@ -6387,7 +6387,7 @@
{
"@timestamp": "2021-11-22T00:05:08.596Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.system.license.added",
@@ -6481,7 +6481,7 @@
{
"@timestamp": "2021-11-22T00:05:08.584Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -6554,7 +6554,7 @@
{
"@timestamp": "2021-11-22T00:05:08.583Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -6627,7 +6627,7 @@
{
"@timestamp": "2021-11-22T00:05:08.581Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -6700,7 +6700,7 @@
{
"@timestamp": "2021-11-22T00:05:08.579Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -6773,7 +6773,7 @@
{
"@timestamp": "2021-11-22T00:05:08.514Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.group.created",
@@ -6837,7 +6837,7 @@
{
"@timestamp": "2021-11-28T18:18:26.076Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.renamed",
@@ -6910,7 +6910,7 @@
{
"@timestamp": "2021-11-28T18:23:20.278Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.updated",
@@ -6988,7 +6988,7 @@
{
"@timestamp": "2021-11-28T18:23:13.741Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.updated",
diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json
index 78b43c90019..3577ec78b28 100644
--- a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json
+++ b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2022-01-24T08:48:05.645Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project deleted",
@@ -36,7 +36,7 @@
{
"@timestamp": "2022-01-24T08:48:05.316Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme deleted",
@@ -69,7 +69,7 @@
{
"@timestamp": "2022-01-24T08:48:05.097Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme updated",
@@ -114,7 +114,7 @@
{
"@timestamp": "2022-01-24T08:48:04.939Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme updated",
@@ -159,7 +159,7 @@
{
"@timestamp": "2022-01-24T08:48:04.716Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme updated",
@@ -204,7 +204,7 @@
{
"@timestamp": "2022-01-24T08:48:04.530Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme updated",
@@ -249,7 +249,7 @@
{
"@timestamp": "2022-01-24T08:48:04.167Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme updated",
@@ -294,7 +294,7 @@
{
"@timestamp": "2022-01-24T08:48:04.020Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow scheme deleted",
@@ -327,7 +327,7 @@
{
"@timestamp": "2022-01-24T08:48:03.965Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow deleted",
@@ -360,7 +360,7 @@
{
"@timestamp": "2022-01-24T08:48:03.371Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Notification scheme deleted",
@@ -393,7 +393,7 @@
{
"@timestamp": "2022-01-24T08:48:03.355Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project role deleted",
@@ -426,7 +426,7 @@
{
"@timestamp": "2022-01-24T08:48:03.339Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project role deleted",
@@ -459,7 +459,7 @@
{
"@timestamp": "2022-01-24T08:48:03.322Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project role deleted",
@@ -492,7 +492,7 @@
{
"@timestamp": "2022-01-24T08:48:03.305Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project role deleted",
@@ -525,7 +525,7 @@
{
"@timestamp": "2022-01-24T08:48:03.259Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Issue Security scheme deleted",
@@ -558,7 +558,7 @@
{
"@timestamp": "2022-01-24T08:48:03.223Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Permission scheme deleted",
@@ -591,7 +591,7 @@
{
"@timestamp": "2022-01-18T08:43:02.838Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -650,7 +650,7 @@
{
"@timestamp": "2022-01-18T08:43:02.768Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -709,7 +709,7 @@
{
"@timestamp": "2022-01-18T08:43:02.602Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User created",
@@ -766,7 +766,7 @@
{
"@timestamp": "2022-01-14T16:37:07.126Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -825,7 +825,7 @@
{
"@timestamp": "2022-01-14T16:37:07.019Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User created",
@@ -882,7 +882,7 @@
{
"@timestamp": "2022-01-10T12:44:41.065Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User's password changed",
@@ -938,7 +938,7 @@
{
"@timestamp": "2022-01-06T09:49:07.418Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow updated",
@@ -983,7 +983,7 @@
{
"@timestamp": "2022-01-05T07:23:49.369Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow updated",
@@ -1019,7 +1019,7 @@
{
"@timestamp": "2022-01-05T07:23:49.162Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow updated",
@@ -1064,7 +1064,7 @@
{
"@timestamp": "2021-12-13T14:10:35.436Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow updated",
@@ -1109,7 +1109,7 @@
{
"@timestamp": "2021-12-10T11:57:29.971Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User's password changed",
@@ -1165,7 +1165,7 @@
{
"@timestamp": "2021-12-10T11:53:37.982Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User created",
@@ -1242,7 +1242,7 @@
{
"@timestamp": "2021-12-10T11:52:39.940Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Customer invited notification changed",
@@ -1307,7 +1307,7 @@
{
"@timestamp": "2021-12-07T17:15:05.069Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User created",
@@ -1384,7 +1384,7 @@
{
"@timestamp": "2021-12-07T17:03:54.188Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Customer permissions changed",
@@ -1449,7 +1449,7 @@
{
"@timestamp": "2021-12-07T16:56:48.122Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Request type deleted",
@@ -1533,7 +1533,7 @@
{
"@timestamp": "2021-12-07T16:56:24.940Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Request type deleted",
@@ -1617,7 +1617,7 @@
{
"@timestamp": "2021-12-07T16:56:07.861Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Request type deleted",
@@ -1701,7 +1701,7 @@
{
"@timestamp": "2021-12-07T16:54:03.906Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Request type deleted",
@@ -1785,7 +1785,7 @@
{
"@timestamp": "2021-12-07T16:46:02.950Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1844,7 +1844,7 @@
{
"@timestamp": "2021-12-07T16:46:02.944Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1903,7 +1903,7 @@
{
"@timestamp": "2021-12-07T16:46:02.939Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -1962,7 +1962,7 @@
{
"@timestamp": "2021-12-07T16:46:02.932Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User added to group",
@@ -2021,7 +2021,7 @@
{
"@timestamp": "2021-12-07T16:45:24.007Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Group created",
@@ -2062,7 +2062,7 @@
{
"@timestamp": "2021-12-07T16:29:41.490Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project created",
@@ -2155,7 +2155,7 @@
{
"@timestamp": "2021-12-07T16:29:38.789Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Custom email channel turned on",
@@ -2223,7 +2223,7 @@
{
"@timestamp": "2021-12-07T16:29:38.773Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud Email settings created",
@@ -2281,7 +2281,7 @@
{
"@timestamp": "2021-12-07T16:29:38.426Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud email channel turned on",
@@ -2349,7 +2349,7 @@
{
"@timestamp": "2021-12-07T16:29:36.956Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -2440,7 +2440,7 @@
{
"@timestamp": "2021-12-07T16:29:36.930Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -2531,7 +2531,7 @@
{
"@timestamp": "2021-12-07T16:29:36.903Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -2622,7 +2622,7 @@
{
"@timestamp": "2021-12-07T16:29:36.877Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -2713,7 +2713,7 @@
{
"@timestamp": "2021-12-07T16:29:36.849Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -2804,7 +2804,7 @@
{
"@timestamp": "2021-12-07T16:29:36.823Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -2895,7 +2895,7 @@
{
"@timestamp": "2021-12-07T16:29:36.797Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -2986,7 +2986,7 @@
{
"@timestamp": "2021-12-07T16:29:36.770Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -3077,7 +3077,7 @@
{
"@timestamp": "2021-12-07T16:29:36.743Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -3168,7 +3168,7 @@
{
"@timestamp": "2021-12-07T16:29:36.717Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -3259,7 +3259,7 @@
{
"@timestamp": "2021-12-07T16:29:36.691Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -3350,7 +3350,7 @@
{
"@timestamp": "2021-12-07T16:29:36.664Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -3441,7 +3441,7 @@
{
"@timestamp": "2021-12-07T16:29:36.637Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -3532,7 +3532,7 @@
{
"@timestamp": "2021-12-07T16:29:36.609Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -3623,7 +3623,7 @@
{
"@timestamp": "2021-12-07T16:29:36.561Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -3714,7 +3714,7 @@
{
"@timestamp": "2021-12-07T16:29:36.529Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Project component created",
@@ -3805,7 +3805,7 @@
{
"@timestamp": "2021-12-07T16:29:36.499Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow scheme added to project",
@@ -3867,7 +3867,7 @@
{
"@timestamp": "2021-12-07T16:29:36.468Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow updated",
@@ -3931,7 +3931,7 @@
{
"@timestamp": "2021-12-07T16:29:36.448Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow updated",
@@ -3988,7 +3988,7 @@
{
"@timestamp": "2021-12-07T16:29:36.421Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow created",
@@ -4056,7 +4056,7 @@
{
"@timestamp": "2021-12-07T16:29:36.329Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow updated",
@@ -4120,7 +4120,7 @@
{
"@timestamp": "2021-12-07T16:29:36.310Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow updated",
@@ -4177,7 +4177,7 @@
{
"@timestamp": "2021-12-07T16:29:36.283Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow created",
@@ -4245,7 +4245,7 @@
{
"@timestamp": "2021-12-07T16:29:36.186Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow updated",
@@ -4309,7 +4309,7 @@
{
"@timestamp": "2021-11-18T10:58:11.410Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme updated",
@@ -4378,7 +4378,7 @@
{
"@timestamp": "2021-11-18T10:58:11.132Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme updated",
@@ -4447,7 +4447,7 @@
{
"@timestamp": "2021-11-18T10:58:10.771Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow scheme added to project",
@@ -4509,7 +4509,7 @@
{
"@timestamp": "2021-11-18T10:58:10.754Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow scheme created",
@@ -4577,7 +4577,7 @@
{
"@timestamp": "2021-11-18T10:58:10.744Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Workflow created",
@@ -4641,7 +4641,7 @@
{
"@timestamp": "2021-11-18T10:58:10.473Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme updated",
@@ -4710,7 +4710,7 @@
{
"@timestamp": "2021-11-18T10:58:10.265Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme updated",
@@ -4781,7 +4781,7 @@
{
"@timestamp": "2021-11-18T10:58:10.174Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme added to project",
@@ -4843,7 +4843,7 @@
{
"@timestamp": "2021-11-18T10:58:10.146Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Field Configuration scheme created",
@@ -4912,7 +4912,7 @@
{
"@timestamp": "2021-11-18T10:58:10.114Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Issue Security scheme added to project",
@@ -4974,7 +4974,7 @@
{
"@timestamp": "2021-11-18T10:58:10.062Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Permission scheme added to project",
@@ -5036,7 +5036,7 @@
{
"@timestamp": "2021-11-17T16:00:37.374Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User updated",
@@ -5083,7 +5083,7 @@
{
"@timestamp": "2021-11-16T09:25:56.725Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "User updated",
@@ -5130,7 +5130,7 @@
{
"@timestamp": "2021-11-16T08:48:05.867Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Custom field created",
diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
index 68f2e2256a0..18bfd08f362 100644
--- a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
+++ b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2021-11-22T00:05:08.514Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.group.created",
@@ -68,7 +68,7 @@
{
"@timestamp": "2021-11-22T00:05:08.579Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -143,7 +143,7 @@
{
"@timestamp": "2021-11-22T00:05:08.581Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -218,7 +218,7 @@
{
"@timestamp": "2021-11-22T00:05:08.583Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -293,7 +293,7 @@
{
"@timestamp": "2021-11-22T00:05:08.584Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -368,7 +368,7 @@
{
"@timestamp": "2021-11-22T00:05:08.596Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.system.license.added",
@@ -464,7 +464,7 @@
{
"@timestamp": "2021-11-22T00:06:49.600Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.created",
@@ -559,7 +559,7 @@
{
"@timestamp": "2021-11-22T00:06:49.734Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.added.to.group",
@@ -634,7 +634,7 @@
{
"@timestamp": "2021-11-22T00:06:49.750Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -709,7 +709,7 @@
{
"@timestamp": "2021-11-22T00:06:49.751Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -784,7 +784,7 @@
{
"@timestamp": "2021-11-22T00:06:49.752Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -859,7 +859,7 @@
{
"@timestamp": "2021-11-22T00:06:49.754Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.global.permission.added",
@@ -934,7 +934,7 @@
{
"@timestamp": "2021-11-22T00:06:49.756Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.added.to.group",
@@ -1009,7 +1009,7 @@
{
"@timestamp": "2021-11-22T00:06:57.138Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1085,7 +1085,7 @@
{
"@timestamp": "2021-11-22T00:06:57.158Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1161,7 +1161,7 @@
{
"@timestamp": "2021-11-22T00:06:57.162Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -1237,7 +1237,7 @@
{
"@timestamp": "2021-11-22T00:06:58.318Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -1308,7 +1308,7 @@
{
"@timestamp": "2021-11-22T00:06:58.974Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -1379,7 +1379,7 @@
{
"@timestamp": "2021-11-22T00:06:58.990Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.updated",
@@ -1438,7 +1438,7 @@
{
"@timestamp": "2021-11-22T00:06:59.224Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -1514,7 +1514,7 @@
{
"@timestamp": "2021-11-22T00:06:59.266Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -1590,7 +1590,7 @@
{
"@timestamp": "2021-11-22T00:06:59.313Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -1661,7 +1661,7 @@
{
"@timestamp": "2021-11-22T00:06:59.332Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.updated",
@@ -1720,7 +1720,7 @@
{
"@timestamp": "2021-11-22T00:06:59.340Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.updated",
@@ -1779,7 +1779,7 @@
{
"@timestamp": "2021-11-22T00:06:59.485Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.issue.type.created",
@@ -1841,7 +1841,7 @@
{
"@timestamp": "2021-11-22T00:06:59.522Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -1917,7 +1917,7 @@
{
"@timestamp": "2021-11-22T00:07:01.644Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -1993,7 +1993,7 @@
{
"@timestamp": "2021-11-22T00:07:01.669Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -2069,7 +2069,7 @@
{
"@timestamp": "2021-11-22T00:07:02.694Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -2145,7 +2145,7 @@
{
"@timestamp": "2021-11-22T00:07:02.725Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -2221,7 +2221,7 @@
{
"@timestamp": "2021-11-22T00:07:02.794Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -2297,7 +2297,7 @@
{
"@timestamp": "2021-11-22T00:07:09.370Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.issue.type.created",
@@ -2359,7 +2359,7 @@
{
"@timestamp": "2021-11-22T00:07:09.880Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.customfield.created",
@@ -2435,7 +2435,7 @@
{
"@timestamp": "2021-11-22T00:08:33.534Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.resolutions.created",
@@ -2501,7 +2501,7 @@
{
"@timestamp": "2021-11-22T00:08:33.535Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.resolutions.created",
@@ -2567,7 +2567,7 @@
{
"@timestamp": "2021-11-22T00:08:33.536Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.resolutions.created",
@@ -2633,7 +2633,7 @@
{
"@timestamp": "2021-11-22T00:08:33.537Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.resolutions.created",
@@ -2699,7 +2699,7 @@
{
"@timestamp": "2021-11-22T00:08:33.710Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.workflow.created",
@@ -2780,7 +2780,7 @@
{
"@timestamp": "2021-11-22T00:08:33.732Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.workflow.scheme.created",
@@ -2851,7 +2851,7 @@
{
"@timestamp": "2021-11-22T00:08:33.746Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.workflow.scheme.added.to.project",
@@ -2915,7 +2915,7 @@
{
"@timestamp": "2021-11-22T00:08:33.887Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.filter.created",
@@ -3011,7 +3011,7 @@
{
"@timestamp": "2021-11-22T00:08:34.720Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Board created",
@@ -3075,7 +3075,7 @@
{
"@timestamp": "2021-11-22T00:08:34.142Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.created",
@@ -3146,7 +3146,7 @@
{
"@timestamp": "2021-11-22T00:08:34.151Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3217,7 +3217,7 @@
{
"@timestamp": "2021-11-22T00:08:34.163Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3288,7 +3288,7 @@
{
"@timestamp": "2021-11-22T00:08:34.165Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3359,7 +3359,7 @@
{
"@timestamp": "2021-11-22T00:08:34.166Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3430,7 +3430,7 @@
{
"@timestamp": "2021-11-22T00:08:34.168Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3501,7 +3501,7 @@
{
"@timestamp": "2021-11-22T00:08:34.171Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3572,7 +3572,7 @@
{
"@timestamp": "2021-11-22T00:08:34.173Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3648,7 +3648,7 @@
{
"@timestamp": "2021-11-22T00:08:34.174Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3719,7 +3719,7 @@
{
"@timestamp": "2021-11-22T00:08:34.176Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3790,7 +3790,7 @@
{
"@timestamp": "2021-11-22T00:08:34.178Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3861,7 +3861,7 @@
{
"@timestamp": "2021-11-22T00:08:34.180Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -3932,7 +3932,7 @@
{
"@timestamp": "2021-11-22T00:08:34.182Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4003,7 +4003,7 @@
{
"@timestamp": "2021-11-22T00:08:34.184Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4079,7 +4079,7 @@
{
"@timestamp": "2021-11-22T00:08:34.187Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4150,7 +4150,7 @@
{
"@timestamp": "2021-11-22T00:08:34.190Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4221,7 +4221,7 @@
{
"@timestamp": "2021-11-22T00:08:34.204Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4297,7 +4297,7 @@
{
"@timestamp": "2021-11-22T00:08:34.208Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4368,7 +4368,7 @@
{
"@timestamp": "2021-11-22T00:08:34.210Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4444,7 +4444,7 @@
{
"@timestamp": "2021-11-22T00:08:34.212Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4520,7 +4520,7 @@
{
"@timestamp": "2021-11-22T00:08:34.215Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4591,7 +4591,7 @@
{
"@timestamp": "2021-11-22T00:08:34.217Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4667,7 +4667,7 @@
{
"@timestamp": "2021-11-22T00:08:34.219Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4738,7 +4738,7 @@
{
"@timestamp": "2021-11-22T00:08:34.221Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4814,7 +4814,7 @@
{
"@timestamp": "2021-11-22T00:08:34.223Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4885,7 +4885,7 @@
{
"@timestamp": "2021-11-22T00:08:34.225Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -4956,7 +4956,7 @@
{
"@timestamp": "2021-11-22T00:08:34.227Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5032,7 +5032,7 @@
{
"@timestamp": "2021-11-22T00:08:34.229Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5103,7 +5103,7 @@
{
"@timestamp": "2021-11-22T00:08:34.231Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5179,7 +5179,7 @@
{
"@timestamp": "2021-11-22T00:08:34.233Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5250,7 +5250,7 @@
{
"@timestamp": "2021-11-22T00:08:34.235Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5321,7 +5321,7 @@
{
"@timestamp": "2021-11-22T00:08:34.236Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5392,7 +5392,7 @@
{
"@timestamp": "2021-11-22T00:08:34.239Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5463,7 +5463,7 @@
{
"@timestamp": "2021-11-22T00:08:34.241Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5534,7 +5534,7 @@
{
"@timestamp": "2021-11-22T00:08:34.243Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.updated",
@@ -5605,7 +5605,7 @@
{
"@timestamp": "2021-11-22T00:08:34.249Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.removed.from.project",
@@ -5685,7 +5685,7 @@
{
"@timestamp": "2021-11-22T00:08:34.266Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.permission.scheme.added.to.project",
@@ -5749,7 +5749,7 @@
{
"@timestamp": "2021-11-22T00:08:34.297Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.project.created",
@@ -5842,7 +5842,7 @@
{
"@timestamp": "2021-11-22T00:08:34.506Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.project.roles.changed",
@@ -5913,7 +5913,7 @@
{
"@timestamp": "2021-11-22T00:08:34.521Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.version.created",
@@ -5989,7 +5989,7 @@
{
"@timestamp": "2021-11-22T00:08:34.535Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.version.released",
@@ -6065,7 +6065,7 @@
{
"@timestamp": "2021-11-22T00:08:34.543Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.version.created",
@@ -6141,7 +6141,7 @@
{
"@timestamp": "2021-11-22T00:08:34.545Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.version.created",
@@ -6212,7 +6212,7 @@
{
"@timestamp": "2021-11-22T00:12:02.856Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "atlassian.audit.event.action.audit.search",
@@ -6285,7 +6285,7 @@
{
"@timestamp": "2021-11-26T19:35:10.718Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.login.failed",
@@ -6360,7 +6360,7 @@
{
"@timestamp": "2021-11-26T19:33:29.363Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "jira.auditing.user.logged.in",
diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-api-cloud-config.yml b/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-api-cloud-config.yml
index d9246e659ab..758ef91207b 100644
--- a/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-api-cloud-config.yml
+++ b/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-api-cloud-config.yml
@@ -12,3 +12,5 @@ data_stream:
verification_mode: none
atlassian_cloud: true
enable_request_tracer: true
+assert:
+ hit_count: 4
diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-api-config.yml b/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-api-config.yml
index 484e30156e9..2b92134c930 100644
--- a/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-api-config.yml
+++ b/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-api-config.yml
@@ -11,3 +11,5 @@ data_stream:
ssl: |-
verification_mode: none
enable_request_tracer: true
+assert:
+ hit_count: 4
diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-files-config.yml b/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-files-config.yml
index e23566788c6..e8e49f812b5 100644
--- a/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-files-config.yml
+++ b/packages/atlassian_jira/data_stream/audit/_dev/test/system/test-files-config.yml
@@ -6,3 +6,5 @@ data_stream:
- "{{SERVICE_LOGS_DIR}}/*.log"
preserve_original_event: true
enable_request_tracer: true
+assert:
+ hit_count: 7
diff --git a/packages/atlassian_jira/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/atlassian_jira/data_stream/audit/agent/stream/httpjson.yml.hbs
index d114d3d0b2b..2311e670025 100644
--- a/packages/atlassian_jira/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ b/packages/atlassian_jira/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -47,9 +47,17 @@ response.split:
ignore_empty_value: true
response.pagination:
- set:
- target: url.value
- value: '[[sprintf "%s/rest/api/3/auditing/record?from=%s&to=%s&offset=%d&limit=%s" "{{api_url}}" (.last_response.url.params.Get "from") (.last_response.url.params.Get "to") (add (toInt .last_response.body.offset) (toInt "{{ limit }}")) "{{ limit }}"]]'
- fail_on_template_error: true
+ target: url.params.from
+ value: '[[.last_response.url.params.Get "from"]]'
+ - set:
+ target: url.params.to
+ value: '[[.last_response.url.params.Get "to"]]'
+ - set:
+ target: url.params.offset
+ value: '[[add (toInt .last_response.body.offset) (toInt "{{ limit }}")]]'
+ - set:
+ target: url.params.limit
+ value: '{{limit}}'
cursor:
last_timestamp:
value: "[[.first_event.created]]"
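Review bot: `fail_on_template_error: true`, which the removed single `set` step carried, is not present on any of the four new `set` steps, so a template evaluation failure (for example when `.last_response.body.offset` is missing or `toInt` cannot parse it) no longer stops pagination and presumably leaves `url.params.offset` empty or zero, which would re-request the same page rather than fail loudly. Add `fail_on_template_error: true` under each new `- set:` block, at minimum the `url.params.offset` one, to keep the previous fail-fast behaviour. The `cursor` definition that starts at the end of the hunk continues outside it.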
diff --git a/packages/atlassian_jira/data_stream/audit/agent/stream/stream.yml.hbs b/packages/atlassian_jira/data_stream/audit/agent/stream/stream.yml.hbs
index c6e5ed4c737..de5eea39419 100644
--- a/packages/atlassian_jira/data_stream/audit/agent/stream/stream.yml.hbs
+++ b/packages/atlassian_jira/data_stream/audit/agent/stream/stream.yml.hbs
@@ -16,4 +16,7 @@ exclude_files: [".gz$"]
{{#if processors}}
processors:
{{processors}}
+{{/if}}
+{{#if condition}}
+condition: {{ condition }}
{{/if}}
\ No newline at end of file
diff --git a/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 5589776a268..4d1d2c8bc1c 100644
--- a/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing Atlassian Jira audit logs.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/atlassian_jira/data_stream/audit/manifest.yml b/packages/atlassian_jira/data_stream/audit/manifest.yml
index 4d6214a9666..bca38d19d60 100644
--- a/packages/atlassian_jira/data_stream/audit/manifest.yml
+++ b/packages/atlassian_jira/data_stream/audit/manifest.yml
@@ -39,6 +39,13 @@ streams:
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: condition
+ title: Condition
+ description: Condition to filter when to collect this input. See [Dynamic Input Configuration](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html) for details.
+ type: text
+ multi: false
+ required: false
+ show_user: false
- input: httpjson
title: Jira audit logs via Jira audit API
description: Collect Jira audit logs via Jira audit API
@@ -91,6 +98,7 @@ streams:
- name: http_client_timeout
type: text
title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: false
show_user: true
@@ -108,7 +116,7 @@ streams:
multi: false
required: true
show_user: true
- description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.
default: 1h
- name: initial_interval
type: text
@@ -116,7 +124,7 @@ streams:
multi: false
required: true
show_user: false
- description: Initial interval for the first API call. Defaults to 24 hours.
+ description: Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.
default: 24h
- name: ssl
type: yaml
diff --git a/packages/atlassian_jira/data_stream/audit/sample_event.json b/packages/atlassian_jira/data_stream/audit/sample_event.json
index 938e33cf94d..ff59b5e9ee8 100644
--- a/packages/atlassian_jira/data_stream/audit/sample_event.json
+++ b/packages/atlassian_jira/data_stream/audit/sample_event.json
@@ -13,7 +13,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/atlassian_jira/docs/README.md b/packages/atlassian_jira/docs/README.md
index 32863e6cc8e..90e27bcbae2 100644
--- a/packages/atlassian_jira/docs/README.md
+++ b/packages/atlassian_jira/docs/README.md
@@ -39,10 +39,10 @@ The Jira integration collects audit logs from the audit log files or the audit A
| error.message | Error message. | match_only_text |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
@@ -135,7 +135,7 @@ An example event for `audit` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/atlassian_jira/kibana/tags.yml b/packages/atlassian_jira/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/atlassian_jira/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/atlassian_jira/manifest.yml b/packages/atlassian_jira/manifest.yml
index 45bccdc7309..42732a978c6 100644
--- a/packages/atlassian_jira/manifest.yml
+++ b/packages/atlassian_jira/manifest.yml
@@ -1,14 +1,15 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: atlassian_jira
title: Atlassian Jira
-version: "1.12.0"
+version: "1.18.0"
description: Collect logs from Atlassian Jira with Elastic Agent.
type: integration
categories:
- security
- productivity_security
conditions:
- kibana.version: "^8.7.1"
+ kibana:
+ version: "^8.7.1"
icons:
- src: /img/jira-software-logo.svg
title: Jira Software Logo
@@ -27,3 +28,4 @@ policy_templates:
description: "Collecting audit logs from Jira via API"
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/auditd/_dev/build/build.yml b/packages/auditd/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/auditd/_dev/build/build.yml
+++ b/packages/auditd/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/auditd/changelog.yml b/packages/auditd/changelog.yml
index 78b862e781b..a3e168e841e 100644
--- a/packages/auditd/changelog.yml
+++ b/packages/auditd/changelog.yml
@@ -1,4 +1,29 @@
# newer versions go on top
+- version: 3.14.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "3.13.1"
+ changes:
+ - description: Remove the unnecessary permission for the package to write to arbitrary `logs-*` data streams.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7800
+- version: "3.13.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "3.12.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "3.11.0"
+ changes:
+ - description: Convert dashboards to Lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6912
- version: "3.10.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json
index 425b78ab455..3ec15e03621 100644
--- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json
+++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json
@@ -15,7 +15,7 @@
"address": "192.168.0.0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "mac_ipsec_event",
@@ -50,7 +50,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "syscall",
@@ -119,7 +119,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -175,7 +175,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -243,7 +243,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -275,7 +275,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proctitle",
@@ -295,7 +295,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proctitle",
@@ -322,7 +322,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -364,7 +364,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -402,7 +402,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -437,7 +437,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "execve",
@@ -465,7 +465,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -497,7 +497,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -545,7 +545,7 @@
"runtime": "kvm"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -587,7 +587,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -630,7 +630,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -669,7 +669,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -712,7 +712,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -751,7 +751,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -797,7 +797,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -843,7 +843,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -889,7 +889,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -937,7 +937,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -982,7 +982,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1049,7 +1049,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1118,7 +1118,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1165,7 +1165,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1208,7 +1208,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1251,7 +1251,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1284,7 +1284,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1335,7 +1335,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1386,7 +1386,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1436,7 +1436,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1481,7 +1481,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1529,7 +1529,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1573,7 +1573,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1635,7 +1635,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1705,7 +1705,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1752,7 +1752,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1786,7 +1786,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "cwd",
@@ -1816,7 +1816,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "path",
@@ -1840,7 +1840,7 @@
"log": {}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown[1329]",
@@ -1870,7 +1870,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bprm_fcaps",
@@ -1890,7 +1890,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "sockaddr",
@@ -1910,7 +1910,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ckaddr",
@@ -1930,7 +1930,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -1962,7 +1962,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json
index 4d8095ad3d5..bfec757c6fe 100644
--- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json
+++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json
@@ -14,7 +14,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -70,7 +70,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -125,7 +125,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -181,7 +181,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -239,7 +239,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -287,7 +287,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -343,7 +343,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -395,7 +395,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json
index ac31b0356d7..08762875b18 100644
--- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json
+++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json
@@ -8,7 +8,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "execve",
@@ -36,7 +36,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "execve",
@@ -131,7 +131,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "execve",
@@ -226,7 +226,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "execve",
diff --git a/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 234cf9e9541..3585d8ebd89 100644
--- a/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing Linux auditd logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/auditd/data_stream/log/manifest.yml b/packages/auditd/data_stream/log/manifest.yml
index cd819a63321..285926867fe 100644
--- a/packages/auditd/data_stream/log/manifest.yml
+++ b/packages/auditd/data_stream/log/manifest.yml
@@ -39,6 +39,3 @@ streams:
template_path: log.yml.hbs
title: Auditd logs
description: Collect Auditd logs using log input
-# Ensures agents have permissions to write data to `logs-*-*`
-elasticsearch.dynamic_dataset: true
-elasticsearch.dynamic_namespace: true
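Review bot: Deleting `elasticsearch.dynamic_dataset` and `elasticsearch.dynamic_namespace` outright removes the grant that the deleted comment says lets agents write to `logs-*-*`, so a policy that overrides the dataset or namespace for this stream will lose write permission after the upgrade. If this hunk is only the format_version 3.0.0 move away from dotted keys, the behavior-preserving replacement is the nested form `elasticsearch:` / `  dynamic_dataset: true` / `  dynamic_namespace: true` rather than removal. If narrowing the agent's index privileges is intentional, that is a least-privilege improvement worth keeping, but it should be recorded in the auditd changelog (not visible in this chunk) as a behavior change rather than folded into the format bump.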
diff --git a/packages/auditd/data_stream/log/sample_event.json b/packages/auditd/data_stream/log/sample_event.json
index 834bcbe4c7b..62d9eeeb32c 100644
--- a/packages/auditd/data_stream/log/sample_event.json
+++ b/packages/auditd/data_stream/log/sample_event.json
@@ -19,7 +19,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "0e729d36-7ce3-4bd5-885c-ec10bc843703",
diff --git a/packages/auditd/docs/README.md b/packages/auditd/docs/README.md
index 4bb5b7dfa19..3a7ceef58e7 100644
--- a/packages/auditd/docs/README.md
+++ b/packages/auditd/docs/README.md
@@ -34,7 +34,7 @@ An example event for `log` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "0e729d36-7ce3-4bd5-885c-ec10bc843703",
diff --git a/packages/auditd/img/kibana-audit-auditd.png b/packages/auditd/img/kibana-audit-auditd.png
index 732afa18dc1..992d2050bc6 100644
Binary files a/packages/auditd/img/kibana-audit-auditd.png and b/packages/auditd/img/kibana-audit-auditd.png differ
diff --git a/packages/auditd/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json b/packages/auditd/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json
index 954f6e65b68..59e8b2d7d72 100644
--- a/packages/auditd/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json
+++ b/packages/auditd/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json
@@ -1,80 +1,163 @@
{
- "id": "auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-11-18T19:35:54.269Z",
- "version": "WzU4MSwxXQ==",
"attributes": {
"description": "Dashboard for the Auditd Logs integration",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
- "highlightAll": true,
"query": {
"language": "kuery",
- "query": "data_stream.dataset:auditd.log"
- },
- "version": true
+ "query": ""
+ }
}
},
"optionsJSON": {
- "darkTheme": false
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Event types breakdown [Logs Auditd]",
- "description": "",
- "uiState": {},
- "params": {
- "addLegend": true,
- "addTooltip": true,
- "distinctColors": true,
- "isDonut": true,
- "legendPosition": "right",
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-268abb75-6a25-4d15-98a8-cd383cfa56ad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4e83c50a-a580-4fbf-92e4-5cb6d8c23040",
+ "type": "index-pattern"
}
- },
- "type": "pie",
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {},
- "schema": "metric",
- "type": "count"
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "268abb75-6a25-4d15-98a8-cd383cfa56ad": {
+ "columnOrder": [
+ "b6aac333-e1f1-4d1e-a276-0129ed3f0a47",
+ "44687592-390d-4ef9-9aaa-f16d11611ab3"
+ ],
+ "columns": {
+ "44687592-390d-4ef9-9aaa-f16d11611ab3": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "b6aac333-e1f1-4d1e-a276-0129ed3f0a47": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "event.action: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "44687592-390d-4ef9-9aaa-f16d11611ab3",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 50
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
},
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
{
- "enabled": true,
- "id": "2",
- "params": {
- "field": "event.action",
- "order": "desc",
- "orderBy": "1",
- "size": 50
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "4e83c50a-a580-4fbf-92e4-5cb6d8c23040",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "auditd.log"
+ },
+ "type": "phrase"
},
- "schema": "segment",
- "type": "terms"
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "auditd.log"
+ }
+ }
}
],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
- }
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "emptySizeRatio": 0.3,
+ "layerId": "268abb75-6a25-4d15-98a8-cd383cfa56ad",
+ "layerType": "data",
+ "legendDisplay": "hide",
+ "legendMaxLines": 1,
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "metrics": [
+ "44687592-390d-4ef9-9aaa-f16d11611ab3"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "b6aac333-e1f1-4d1e-a276-0129ed3f0a47"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "shape": "donut"
}
- }
- }
+ },
+ "title": "Event types breakdown [Logs Auditd] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
@@ -84,79 +167,183 @@
"y": 0
},
"panelIndex": "1",
- "type": "visualization",
- "version": "8.0.0"
+ "title": "Event types breakdown [Logs Auditd]",
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-28cee599-81fc-4a20-90b4-b2c4eaae2ab5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f7c3dfc7-b3d1-48d7-89e5-04f017ef19db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "92347886-7ba3-4991-a1fb-336f02f3a957",
+ "type": "index-pattern"
}
- }
- },
- "savedVis": {
- "title": "Top Exec Commands [Logs Auditd]",
- "description": "",
- "uiState": {
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "28cee599-81fc-4a20-90b4-b2c4eaae2ab5": {
+ "columnOrder": [
+ "a068bc18-290a-449e-8c30-5f15e8649ee9",
+ "dcf733cc-7a35-4a3d-807d-8fc643778a56"
+ ],
+ "columns": {
+ "a068bc18-290a-449e-8c30-5f15e8649ee9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Command (arg 0)",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "dcf733cc-7a35-4a3d-807d-8fc643778a56",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 30
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.log.a0"
+ },
+ "dcf733cc-7a35-4a3d-807d-8fc643778a56": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
}
+ },
+ "textBased": {
+ "layers": {}
}
- }
- },
- "params": {
- "perPage": 10,
- "showMeticsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": true,
- "showTotal": false,
- "sort": {
- "columnIndex": null,
- "direction": null
},
- "totalFunc": "sum"
- },
- "type": "table",
- "data": {
- "aggs": [
+ "filters": [
{
- "enabled": true,
- "id": "1",
- "params": {},
- "schema": "metric",
- "type": "count"
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "f7c3dfc7-b3d1-48d7-89e5-04f017ef19db",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "auditd.log"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "auditd.log"
+ }
+ }
},
{
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Command (arg 0)",
- "field": "auditd.log.a0",
- "order": "desc",
- "orderBy": "1",
- "size": 30
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.action",
+ "index": "92347886-7ba3-4991-a1fb-336f02f3a957",
+ "key": "event.action",
+ "negate": false,
+ "params": [
+ "execve",
+ "EXECVE"
+ ],
+ "type": "phrases",
+ "value": [
+ "execve",
+ "EXECVE"
+ ]
},
- "schema": "bucket",
- "type": "terms"
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.action": "execve"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.action": "EXECVE"
+ }
+ }
+ ]
+ }
+ }
}
],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": "event.action:\"EXECVE\" or event.action:\"execve\""
- }
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "dcf733cc-7a35-4a3d-807d-8fc643778a56"
+ },
+ {
+ "alignment": "left",
+ "columnId": "a068bc18-290a-449e-8c30-5f15e8649ee9"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "28cee599-81fc-4a20-90b4-b2c4eaae2ab5",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
}
- }
- }
+ },
+ "title": "Top Exec Commands [Logs Auditd] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
@@ -166,142 +353,348 @@
"y": 0
},
"panelIndex": "2",
- "type": "visualization",
- "version": "8.0.0"
+ "title": "Top Exec Commands [Logs Auditd]",
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
+ "columns": [
+ "event.action",
+ "auditd.log.sequence",
+ "user.name"
+ ],
"enhancements": {},
- "savedVis": {
- "title": "Event Results [Logs Auditd]",
- "description": "",
- "uiState": {},
- "params": {
- "expression": ".es(q=\"data_stream.dataset:auditd.log NOT event.outcome:failure\").label(\"Success\"), .es(q=\"event.outcome:failed\").label(\"Failure\").title(\"Audit Event Results\")",
- "interval": "auto"
- },
- "type": "timelion",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
+ "sort": [
+ "@timestamp",
+ "desc"
+ ]
},
"gridData": {
- "h": 12,
- "i": "3",
- "w": 24,
+ "h": 20,
+ "i": "7",
+ "w": 48,
"x": 0,
- "y": 16
+ "y": 28
},
- "panelIndex": "3",
- "type": "visualization",
- "version": "8.0.0"
+ "panelIndex": "7",
+ "panelRefName": "panel_7",
+ "type": "search",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Event Account Tag Cloud [Logs Auditd]",
- "description": "",
- "uiState": {},
- "params": {
- "maxFontSize": 42,
- "minFontSize": 15,
- "orientation": "single",
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-ae879eb4-2960-4017-8f6b-c197afeee50a",
+ "type": "index-pattern"
},
- "scale": "linear"
- },
- "type": "tagcloud",
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {},
- "schema": "metric",
- "type": "count"
+ {
+ "id": "logs-*",
+ "name": "95a20581-c922-4ed5-bc68-41fffa8f54fd",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ae879eb4-2960-4017-8f6b-c197afeee50a": {
+ "columnOrder": [
+ "5eea746e-b928-417f-8c8f-1f67e8fd20f3",
+ "e35805cb-5fd3-40ee-9b3d-db265c90b083"
+ ],
+ "columns": {
+ "5eea746e-b928-417f-8c8f-1f67e8fd20f3": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "e35805cb-5fd3-40ee-9b3d-db265c90b083",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "e35805cb-5fd3-40ee-9b3d-db265c90b083": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
},
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
{
- "enabled": true,
- "id": "2",
- "params": {
- "field": "user.name",
- "order": "desc",
- "orderBy": "1",
- "size": 15
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "95a20581-c922-4ed5-bc68-41fffa8f54fd",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "auditd.log"
+ },
+ "type": "phrase"
},
- "schema": "segment",
- "type": "terms"
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "auditd.log"
+ }
+ }
}
],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "e35805cb-5fd3-40ee-9b3d-db265c90b083",
+ "isTransposed": false
+ },
+ {
+ "columnId": "5eea746e-b928-417f-8c8f-1f67e8fd20f3",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "ae879eb4-2960-4017-8f6b-c197afeee50a",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
}
}
- }
- }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
- "i": "6",
+ "i": "d84a9a87-e40f-465c-9114-4d343ffb6481",
"w": 16,
"x": 16,
"y": 0
},
- "panelIndex": "6",
- "type": "visualization",
- "version": "8.0.0"
+ "panelIndex": "d84a9a87-e40f-465c-9114-4d343ffb6481",
+ "title": "Event Account Tag Cloud [Logs Auditd]",
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "columns": [
- "event.action",
- "auditd.log.sequence",
- "user.name"
- ],
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-bf383f3b-ce0d-4140-b125-6ae874b33d64",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2ff77656-7170-48ea-8bfa-af5bc71685c7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "bf383f3b-ce0d-4140-b125-6ae874b33d64": {
+ "columnOrder": [
+ "5bff5789-d6a7-4386-9bd8-e338b7a42795",
+ "07fcd4be-419b-4b7e-8a75-977124eb980a",
+ "99a27a3b-e672-4c17-a8c2-3518a907cedc"
+ ],
+ "columns": {
+ "07fcd4be-419b-4b7e-8a75-977124eb980a": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.outcome : \"success\" "
+ },
+ "isBucketed": false,
+ "label": "Success",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "5bff5789-d6a7-4386-9bd8-e338b7a42795": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "99a27a3b-e672-4c17-a8c2-3518a907cedc": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "event.outcome : \"failure\""
+ },
+ "isBucketed": false,
+ "label": "Failure",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "2ff77656-7170-48ea-8bfa-af5bc71685c7",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "auditd.log"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "auditd.log"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "07fcd4be-419b-4b7e-8a75-977124eb980a",
+ "99a27a3b-e672-4c17-a8c2-3518a907cedc"
+ ],
+ "layerId": "bf383f3b-ce0d-4140-b125-6ae874b33d64",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "5bff5789-d6a7-4386-9bd8-e338b7a42795",
+ "yConfig": [
+ {
+ "color": "#e7664c",
+ "forAccessor": "99a27a3b-e672-4c17-a8c2-3518a907cedc"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "yTitle": "Count"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
- "sort": [
- "@timestamp",
- "desc"
- ]
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
- "i": "7",
- "w": 48,
+ "i": "e1817f83-5b41-4dd8-8108-ffe725dc9cd2",
+ "w": 24,
"x": 0,
- "y": 28
+ "y": 16
},
- "panelIndex": "7",
- "panelRefName": "panel_7",
- "type": "search",
- "version": "8.0.0"
+ "panelIndex": "e1817f83-5b41-4dd8-8108-ffe725dc9cd2",
+ "title": "Event Results [Logs Auditd]",
+ "type": "lens",
+ "version": "8.7.1"
},
{
- "version": "8.1.0",
- "type": "map",
- "gridData": {
- "h": 12,
- "i": "09f4ba02-a62c-410f-8d43-31e9e5278826",
- "w": 24,
- "x": 24,
- "y": 16
- },
- "panelIndex": "09f4ba02-a62c-410f-8d43-31e9e5278826",
"embeddableConfig": {
"attributes": {
"description": "",
"layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"623a62b9-8745-4fec-8738-bbe6fb8c16aa\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"alpha\":0.75,\"id\":\"efef3e71-f9ce-4a8e-8c27-68ad0d047d9b\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":\"Event Address Geo Location [Logs Auditd]\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"8155deb8-6760-42ad-b14a-dd20958bcb52\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"point\",\"resolution\":\"MOST_FINE\",\"type\":\"ES_GEO_GRID\",\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"type\":\"ORDINAL\"},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"maxSize\":18,\"minSize\":7},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#3d3d3d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\
"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]",
- "mapStateJSON": "{\"zoom\":1.78,\"center\":{\"lon\":0,\"lat\":16.40767},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}",
- "references": [],
+ "mapStateJSON": "{\"adHocDataViews\":[],\"zoom\":1,\"center\":{\"lon\":63.63073,\"lat\":33.13755},\"timeFilters\":{\"from\":\"now-10y\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filters\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"field\":\"data_stream.dataset\",\"params\":{\"query\":\"auditd.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auditd.log\"}},\"$state\":{\"store\":\"appState\"}}],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"keydownScrollZoom\":false,\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}",
"title": "Event Address Geo Location [Logs Auditd]",
"uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}"
},
@@ -309,26 +702,66 @@
"hiddenLayers": [],
"isLayerTOCOpen": true,
"mapBuffer": {
- "maxLat": 66.51326,
- "maxLon": 90,
- "minLat": -66.51326,
- "minLon": -90
+ "maxLat": 85.05113,
+ "maxLon": 360,
+ "minLat": 0,
+ "minLon": -180
},
"mapCenter": {
- "lat": 16.40767,
- "lon": 0,
- "zoom": 1.78
+ "lat": 48.14226,
+ "lon": 63.63073,
+ "zoom": 1
},
- "openTOCDetails": [],
- "type": "map"
- }
+ "openTOCDetails": []
+ },
+ "gridData": {
+ "h": 12,
+ "i": "09f4ba02-a62c-410f-8d43-31e9e5278826",
+ "w": 24,
+ "x": 24,
+ "y": 16
+ },
+ "panelIndex": "09f4ba02-a62c-410f-8d43-31e9e5278826",
+ "type": "map",
+ "version": "8.7.1"
}
],
"timeRestore": false,
"title": "[Logs Auditd] Audit Events",
"version": 1
},
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-11T08:18:32.283Z",
+ "id": "auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
"references": [
+ {
+ "id": "logs-*",
+ "name": "1:indexpattern-datasource-layer-268abb75-6a25-4d15-98a8-cd383cfa56ad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1:4e83c50a-a580-4fbf-92e4-5cb6d8c23040",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2:indexpattern-datasource-layer-28cee599-81fc-4a20-90b4-b2c4eaae2ab5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2:f7c3dfc7-b3d1-48d7-89e5-04f017ef19db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2:92347886-7ba3-4991-a1fb-336f02f3a957",
+ "type": "index-pattern"
+ },
{
"id": "auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27",
"name": "7:panel_7",
@@ -336,27 +769,29 @@
},
{
"id": "logs-*",
- "name": "09f4ba02-a62c-410f-8d43-31e9e5278826:layer_1_source_index_pattern",
+ "name": "d84a9a87-e40f-465c-9114-4d343ffb6481:indexpattern-datasource-layer-ae879eb4-2960-4017-8f6b-c197afeee50a",
"type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "1:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "d84a9a87-e40f-465c-9114-4d343ffb6481:95a20581-c922-4ed5-bc68-41fffa8f54fd",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "2:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "e1817f83-5b41-4dd8-8108-ffe725dc9cd2:indexpattern-datasource-layer-bf383f3b-ce0d-4140-b125-6ae874b33d64",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e1817f83-5b41-4dd8-8108-ffe725dc9cd2:2ff77656-7170-48ea-8bfa-af5bc71685c7",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "6:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "09f4ba02-a62c-410f-8d43-31e9e5278826:layer_1_source_index_pattern",
+ "type": "index-pattern"
}
],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/auditd/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json b/packages/auditd/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json
index 730335ce1c4..758d69e9d4a 100644
--- a/packages/auditd/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json
+++ b/packages/auditd/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json
@@ -6,15 +6,41 @@
"user.name"
],
"description": "",
+ "grid": {},
+ "hideChart": false,
"hits": 0,
+ "isTextBasedQuery": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
- "filter": [],
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "auditd.log"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "auditd.log"
+ }
+ }
+ }
+ ],
"highlightAll": true,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
"query": {
"language": "kuery",
- "query": "data_stream.dataset:auditd.log"
+ "query": ""
},
"version": true
}
@@ -25,10 +51,13 @@
"desc"
]
],
+ "timeRestore": false,
"title": "Audit Events [Logs Auditd]",
+ "usesAdHocDataView": false,
"version": 1
},
- "coreMigrationVersion": "8.0.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-11T08:06:38.981Z",
"id": "auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27",
"migrationVersion": {
"search": "8.0.0"
@@ -38,6 +67,11 @@
"id": "logs-*",
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
}
],
"type": "search"
diff --git a/packages/auditd/kibana/tags.yml b/packages/auditd/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/auditd/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/auditd/manifest.yml b/packages/auditd/manifest.yml
index 2d82e245199..c1234416c31 100644
--- a/packages/auditd/manifest.yml
+++ b/packages/auditd/manifest.yml
@@ -1,6 +1,6 @@
name: auditd
title: Auditd Logs
-version: "3.10.0"
+version: "3.14.0"
description: Collect logs from Linux audit daemon with Elastic Agent.
type: integration
icons:
@@ -8,12 +8,13 @@ icons:
title: linux
size: 299x354
type: image/svg+xml
-format_version: 2.7.0
+format_version: "3.0.0"
categories:
- security
- auditd
conditions:
- kibana.version: ^8.1.0
+ kibana:
+ version: ^8.7.1
screenshots:
- src: /img/kibana-audit-auditd.png
title: Auditd Kibana Dashboard
@@ -29,3 +30,4 @@ policy_templates:
description: "Collecting application logs from Auditd instances (input: logfile)"
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/auditd_manager/_dev/build/build.yml b/packages/auditd_manager/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/auditd_manager/_dev/build/build.yml
+++ b/packages/auditd_manager/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/auditd_manager/changelog.yml b/packages/auditd_manager/changelog.yml
index 707d2d084d6..ebaa4330f0b 100644
--- a/packages/auditd_manager/changelog.yml
+++ b/packages/auditd_manager/changelog.yml
@@ -1,4 +1,24 @@
# newer versions go on top
+- version: 1.14.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.13.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.12.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.11.0"
+ changes:
+ - description: Convert visualizations to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6884
- version: "1.10.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-auditlogin-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-auditlogin-events.json-expected.json
index 3c730ab1109..e1d00a37d07 100644
--- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-auditlogin-events.json-expected.json
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-auditlogin-events.json-expected.json
@@ -30,7 +30,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-login-id-to",
@@ -100,7 +100,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-login-id-to",
@@ -171,7 +171,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-login-id-to",
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-centos7-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-centos7-events.json-expected.json
index 4ed0612dbc2..f99ecccdedd 100644
--- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-centos7-events.json-expected.json
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-centos7-events.json-expected.json
@@ -42,7 +42,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "started-session",
@@ -124,7 +124,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "added-group-account-to",
@@ -209,7 +209,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "added-user-account",
@@ -296,7 +296,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "modified-user-account",
@@ -383,7 +383,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "modified-user-account",
@@ -470,7 +470,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "modified-user-account",
@@ -557,7 +557,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "modified-user-account",
@@ -644,7 +644,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "modified-user-account",
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-chown-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-chown-events.json-expected.json
index 5296a3b7732..e8a09dfd0b5 100644
--- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-chown-events.json-expected.json
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-chown-events.json-expected.json
@@ -92,7 +92,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-file-ownership-of",
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-passwd-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-passwd-events.json-expected.json
index 6eb8e2f97cf..c50f5bc87f4 100644
--- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-passwd-events.json-expected.json
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-passwd-events.json-expected.json
@@ -35,7 +35,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-password",
@@ -115,7 +115,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-password",
@@ -195,7 +195,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-password",
@@ -276,7 +276,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "was-authorized",
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-setuid-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-setuid-events.json-expected.json
index 910ff6b683b..82334b5b207 100644
--- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-setuid-events.json-expected.json
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-setuid-events.json-expected.json
@@ -60,7 +60,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-identity-of",
@@ -167,7 +167,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-identity-of",
@@ -266,7 +266,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-identity-of",
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-asuser-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-asuser-events.json-expected.json
index 147b8b96e32..706e76e2b02 100644
--- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-asuser-events.json-expected.json
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-asuser-events.json-expected.json
@@ -35,7 +35,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "authenticated",
@@ -110,7 +110,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "was-authorized",
@@ -180,7 +180,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ran-command",
@@ -245,7 +245,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "refreshed-credentials",
@@ -319,7 +319,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "started-session",
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json
index b96cbf1d7fd..f4e2b24d4ea 100644
--- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json
@@ -35,7 +35,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "authenticated",
@@ -110,7 +110,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "was-authorized",
@@ -180,7 +180,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ran-command",
@@ -245,7 +245,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "refreshed-credentials",
@@ -319,7 +319,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "started-session",
@@ -400,7 +400,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "authenticated",
@@ -475,7 +475,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "acquired-credentials",
@@ -550,7 +550,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "was-authorized",
@@ -625,7 +625,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "authenticated",
@@ -699,7 +699,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "started-session",
@@ -780,7 +780,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "refreshed-credentials",
@@ -850,7 +850,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ran-command",
@@ -915,7 +915,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "was-authorized",
@@ -990,7 +990,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "authenticated",
@@ -1066,7 +1066,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-role-to",
@@ -1125,7 +1125,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "started-session",
@@ -1206,7 +1206,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "disposed-credentials",
@@ -1281,7 +1281,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ended-session",
@@ -1356,7 +1356,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "disposed-credentials",
@@ -1431,7 +1431,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ended-session",
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-useradd-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-useradd-events.json-expected.json
index b221c3cfb91..985573c5979 100644
--- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-useradd-events.json-expected.json
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-useradd-events.json-expected.json
@@ -33,7 +33,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "added-group-account-to",
@@ -112,7 +112,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "added-group-account-to",
@@ -190,7 +190,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "added-group-account-to",
@@ -269,7 +269,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "added-user-account",
@@ -350,7 +350,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "was-authorized",
@@ -425,7 +425,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "changed-password",
@@ -506,7 +506,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "authenticated",
@@ -581,7 +581,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "was-authorized",
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-userlogin-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-userlogin-events.json-expected.json
index 62d208b7b85..96f61b2fa07 100644
--- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-userlogin-events.json-expected.json
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-userlogin-events.json-expected.json
@@ -27,7 +27,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -101,7 +101,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -172,7 +172,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "authenticated",
@@ -247,7 +247,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "acquired-credentials",
diff --git a/packages/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml b/packages/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml
index d55b7ef47e7..40b9f318b42 100644
--- a/packages/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing Linux auditd logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: event.original
target_field: auditd.messages
diff --git a/packages/auditd_manager/data_stream/auditd/sample_event.json b/packages/auditd_manager/data_stream/auditd/sample_event.json
index b79ec4a4362..4a6319657b3 100644
--- a/packages/auditd_manager/data_stream/auditd/sample_event.json
+++ b/packages/auditd_manager/data_stream/auditd/sample_event.json
@@ -72,7 +72,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
diff --git a/packages/auditd_manager/docs/README.md b/packages/auditd_manager/docs/README.md
index 9cb90af8408..cc4349b52a2 100644
--- a/packages/auditd_manager/docs/README.md
+++ b/packages/auditd_manager/docs/README.md
@@ -184,7 +184,7 @@ An example event for `auditd` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
diff --git a/packages/auditd_manager/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json
index fa68cd21aaf..aab685a1abe 100644
--- a/packages/auditd_manager/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json
+++ b/packages/auditd_manager/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json
@@ -1,20 +1,20 @@
{
"attributes": {
"description": "Summary of socket related syscall events.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
- "highlightAll": true,
"query": {
"language": "kuery",
"query": "data_stream.dataset:auditd_manager.auditd"
- },
- "version": true
+ }
}
},
"optionsJSON": {
- "darkTheme": false,
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": false
},
"panelsJSON": [
@@ -54,84 +54,187 @@
},
"panelIndex": "2b0bfe71-70d5-431c-a7ae-45b965ce1b16",
"type": "visualization",
- "version": "8.2.0"
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [],
- "searchSource": {}
- },
- "description": "",
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "95b603d0-c252-11e7-8a68-93ffe9ec5950"
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
}
- ],
- "bar_color_rules": [
- {
- "id": "2cebb0c0-c252-11e7-8a68-93ffe9ec5950"
- }
- ],
- "drop_last_bucket": 1,
- "filter": {
- "language": "lucene",
- "query": "auditd.summary.object.type:socket"
},
- "gauge_color_rules": [
- {
- "id": "6c891740-c252-11e7-8a68-93ffe9ec5950"
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "6f2c7b9b-b7cc-420e-8c6c-25dd321bb34e": {
+ "columnOrder": [
+ "f8f13e30-c28f-4a15-a981-e89f47681039",
+ "8ea7b083-c77b-482d-b2d9-0bb0ac129f9a",
+ "3153da94-1835-4467-9c24-22b676fc2c3b"
+ ],
+ "columns": {
+ "3153da94-1835-4467-9c24-22b676fc2c3b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "syscall",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "8ea7b083-c77b-482d-b2d9-0bb0ac129f9a": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of auditd.data.syscall",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {},
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.data.syscall"
+ },
+ "f8f13e30-c28f-4a15-a981-e89f47681039": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
}
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "logs-*",
- "interval": "auto",
- "legend_position": "left",
- "max_lines_legend": 1,
- "series": [
+ },
+ "filters": [],
+ "internalReferences": [
{
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "syscall",
- "line_width": 1,
- "metrics": [
- {
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "count"
- }
- ],
- "point_size": 1,
- "seperate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "auditd.data.syscall"
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-6f2c7b9b-b7cc-420e-8c6c-25dd321bb34e",
+ "type": "index-pattern"
}
],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "tooltip_mode": "show_all",
- "truncate_legend": 1,
- "type": "timeseries",
- "use_kibana_indexes": false
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "3153da94-1835-4467-9c24-22b676fc2c3b"
+ ],
+ "layerId": "6f2c7b9b-b7cc-420e-8c6c-25dd321bb34e",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "splitAccessor": "8ea7b083-c77b-482d-b2d9-0bb0ac129f9a",
+ "xAccessor": "f8f13e30-c28f-4a15-a981-e89f47681039",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#68BC00",
+ "forAccessor": "3153da94-1835-4467-9c24-22b676fc2c3b"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "left",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
},
- "type": "metrics",
- "uiState": {}
- }
+ "title": "[Auditd Manager] Socket Syscalls Time Series",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
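Review bot: The Lens state for the "[Auditd Manager] Socket Syscalls Time Series" panel drops the restriction the TSVB version carried: the removed `"filter": { "language": "lucene", "query": "auditd.summary.object.type:socket" }` has no counterpart on the new side, which has `"filters": []` and `"query": { "language": "kuery", "query": "" }`, so the panel now plots every syscall that matches the dashboard-level dataset query rather than socket-related ones. The one-line restoration is `"query": "auditd.summary.object.type:socket"` in that `query` object (the expression is valid KQL as written). The same pattern appears in the "[Auditd Manager] Bind (non-ephemeral)" hunk (`@@ -243,139 +398,232 @@`): the old negated phrase filter on `auditd.summary.object.secondary` = `"0"` is replaced by a `auditd.data.syscall` = `bind` filter and a negated `auditd.data.socket.family` = `netlink` filter, so the exclusion of port 0 that the "(non-ephemeral)" title describes no longer exists; if the semantic change is intended, the titles should be updated to match. The enclosing panel object starts in this hunk but the `panelsJSON` array it belongs to begins and ends outside it.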
@@ -142,97 +245,149 @@
},
"panelIndex": "a9f3b71d-3b8f-44c0-b581-ba208c117e05",
"title": "[Auditd Manager] Socket Syscalls Time Series",
- "type": "visualization",
- "version": "8.2.0"
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "emptyAsNull": false
- },
- "schema": "metric",
- "type": "count"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Socket Family",
- "field": "auditd.data.socket.family",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
- },
- "schema": "segment",
- "type": "terms"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-7df070bc-ffd5-4146-857b-10eab8abf204",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7df070bc-ffd5-4146-857b-10eab8abf204": {
+ "columnOrder": [
+ "4faacaea-2366-4cb6-8be7-d9edb52d62c5",
+ "47ced22f-c64f-4725-a6c0-1eba33893788",
+ "5f6e3d3a-1c74-45fd-a64a-bd706ee2affc"
+ ],
+ "columns": {
+ "47ced22f-c64f-4725-a6c0-1eba33893788": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Syscall",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "5f6e3d3a-1c74-45fd-a64a-bd706ee2affc",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.data.syscall"
+ },
+ "4faacaea-2366-4cb6-8be7-d9edb52d62c5": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Socket Family",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "5f6e3d3a-1c74-45fd-a64a-bd706ee2affc",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.data.socket.family"
+ },
+ "5f6e3d3a-1c74-45fd-a64a-bd706ee2affc": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
},
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Syscall",
- "field": "auditd.data.syscall",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
- },
- "schema": "segment",
- "type": "terms"
+ "textBased": {
+ "layers": {}
}
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "",
- "params": {
- "addTooltip": true,
- "distinctColors": true,
- "emptySizeRatio": 0.3,
- "isDonut": true,
- "labels": {
- "last_level": false,
- "percentDecimals": 2,
- "position": "default",
- "show": true,
- "truncate": 100,
- "values": true,
- "valuesFormat": "percent"
},
- "legendDisplay": "show",
- "legendPosition": "left",
- "maxLegendLines": 1,
- "nestedLegend": false,
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "truncateLegend": true,
- "type": "pie"
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "emptySizeRatio": 0.3,
+ "layerId": "7df070bc-ffd5-4146-857b-10eab8abf204",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendMaxLines": 1,
+ "legendPosition": "left",
+ "legendSize": "auto",
+ "metrics": [
+ "5f6e3d3a-1c74-45fd-a64a-bd706ee2affc"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "4faacaea-2366-4cb6-8be7-d9edb52d62c5",
+ "47ced22f-c64f-4725-a6c0-1eba33893788"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "palette": {
+ "name": "kibana_palette",
+ "type": "palette"
+ },
+ "shape": "donut"
+ }
},
- "type": "pie",
- "uiState": {}
- }
+ "title": "[Auditd Manager] Socket Families",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
@@ -243,139 +398,232 @@
},
"panelIndex": "843ccc25-3963-4bd5-838e-b40019bcf3c5",
"title": "[Auditd Manager] Socket Families",
- "type": "visualization",
- "version": "8.2.0"
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "emptyAsNull": false
- },
- "schema": "metric",
- "type": "count"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0fdad548-2d4c-4f5f-bb7b-10ceec531d12",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5053b104-b820-4440-8e9a-51f20ee17734",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cda5582e-d10c-46ac-acd7-fc3cdde53507",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0fdad548-2d4c-4f5f-bb7b-10ceec531d12": {
+ "columnOrder": [
+ "2bed2077-cd1c-4ac6-b471-39eac0fb4046",
+ "5146916b-1de1-49fa-b097-25a5e1a2e5bd",
+ "acb67a19-dfc2-41f3-8b76-a8ab913dad88",
+ "99e1868f-199d-430f-8bbc-e8fcac542e72"
+ ],
+ "columns": {
+ "2bed2077-cd1c-4ac6-b471-39eac0fb4046": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Exe",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 50
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.summary.how"
+ },
+ "5146916b-1de1-49fa-b097-25a5e1a2e5bd": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Address",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.summary.object.primary"
+ },
+ "99e1868f-199d-430f-8bbc-e8fcac542e72": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "acb67a19-dfc2-41f3-8b76-a8ab913dad88": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Port",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.summary.object.secondary"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
},
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
{
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Exe",
- "field": "auditd.summary.how",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 50
+ "$state": {
+ "store": "appState"
},
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Address",
- "field": "auditd.summary.object.primary",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "5053b104-b820-4440-8e9a-51f20ee17734",
+ "key": "auditd.data.syscall",
+ "negate": false,
+ "params": {
+ "query": "bind",
+ "type": "phrase"
+ },
+ "type": "phrase",
+ "value": "bind"
},
- "schema": "bucket",
- "type": "terms"
+ "query": {
+ "match": {
+ "auditd.data.syscall": {
+ "query": "bind",
+ "type": "phrase"
+ }
+ }
+ }
},
{
- "enabled": true,
- "id": "4",
- "params": {
- "customLabel": "Port",
- "field": "auditd.summary.object.secondary",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
+ "$state": {
+ "store": "appState"
},
- "schema": "bucket",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [
- {
- "$state": {
- "store": "appState"
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "cda5582e-d10c-46ac-acd7-fc3cdde53507",
+ "key": "auditd.data.socket.family",
+ "negate": true,
+ "params": {
+ "query": "netlink",
+ "type": "phrase"
},
- "meta": {
- "alias": null,
- "apply": true,
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "auditd.summary.object.secondary",
- "negate": true,
- "params": {
- "query": "0",
+ "type": "phrase",
+ "value": "netlink"
+ },
+ "query": {
+ "match": {
+ "auditd.data.socket.family": {
+ "query": "netlink",
"type": "phrase"
- },
- "type": "phrase",
- "value": "0"
- },
- "query": {
- "match": {
- "auditd.summary.object.secondary": {
- "query": "0",
- "type": "phrase"
- }
}
}
}
- ],
- "query": {
- "language": "kuery",
- "query": ""
}
- }
- },
- "description": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": true,
- "showTotal": false,
- "sort": {
- "columnIndex": null,
- "direction": null
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "totalFunc": "sum"
- },
- "type": "table",
- "uiState": {
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "99e1868f-199d-430f-8bbc-e8fcac542e72"
+ },
+ {
+ "alignment": "left",
+ "columnId": "2bed2077-cd1c-4ac6-b471-39eac0fb4046"
+ },
+ {
+ "alignment": "left",
+ "columnId": "5146916b-1de1-49fa-b097-25a5e1a2e5bd"
+ },
+ {
+ "alignment": "left",
+ "columnId": "acb67a19-dfc2-41f3-8b76-a8ab913dad88"
}
- }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "0fdad548-2d4c-4f5f-bb7b-10ceec531d12",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
}
- }
- }
+ },
+ "title": "[Auditd Manager] Bind (non-ephemeral)",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
@@ -386,111 +634,226 @@
},
"panelIndex": "1e9272d7-090a-443b-bc0c-3d8afae53e76",
"title": "[Auditd Manager] Bind (non-ephemeral)",
- "type": "visualization",
- "version": "8.2.0"
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "emptyAsNull": false
- },
- "schema": "metric",
- "type": "count"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-36e6b76b-a5bb-4186-a272-36155591b7df",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8ac0926a-dbce-486b-8dd5-5404260d49dd",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a62d3b3a-edf4-4401-9cda-b808f971a34b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "36e6b76b-a5bb-4186-a272-36155591b7df": {
+ "columnOrder": [
+ "82686a61-388e-4090-9774-92a0674e6002",
+ "3105082a-3ef9-449f-b5a1-f70ddf3dc5a3",
+ "8a6a27cd-21ec-4de3-b80d-fcc88f6733b8",
+ "9b2b05a9-c5a5-4113-b19c-0277064071b7"
+ ],
+ "columns": {
+ "3105082a-3ef9-449f-b5a1-f70ddf3dc5a3": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Address",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9b2b05a9-c5a5-4113-b19c-0277064071b7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.summary.object.primary"
+ },
+ "82686a61-388e-4090-9774-92a0674e6002": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Exe",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9b2b05a9-c5a5-4113-b19c-0277064071b7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 50
+ },
+ "scale": "ordinal",
+ "sourceField": "process.executable"
+ },
+ "8a6a27cd-21ec-4de3-b80d-fcc88f6733b8": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Port",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9b2b05a9-c5a5-4113-b19c-0277064071b7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.summary.object.secondary"
+ },
+ "9b2b05a9-c5a5-4113-b19c-0277064071b7": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
},
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
{
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Exe",
- "field": "process.executable",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 50
+ "$state": {
+ "store": "appState"
},
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Address",
- "field": "auditd.summary.object.primary",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "8ac0926a-dbce-486b-8dd5-5404260d49dd",
+ "key": "event.action",
+ "negate": false,
+ "params": {
+ "query": "connected-to",
+ "type": "phrase"
+ },
+ "type": "phrase",
+ "value": "connected-to"
},
- "schema": "bucket",
- "type": "terms"
+ "query": {
+ "match": {
+ "event.action": {
+ "query": "connected-to",
+ "type": "phrase"
+ }
+ }
+ }
},
{
- "enabled": true,
- "id": "4",
- "params": {
- "customLabel": "Port",
- "field": "auditd.summary.object.secondary",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
+ "$state": {
+ "store": "appState"
},
- "schema": "bucket",
- "type": "terms"
+ "exists": {
+ "field": "auditd.summary.object.primary"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "a62d3b3a-edf4-4401-9cda-b808f971a34b",
+ "key": "auditd.summary.object.primary",
+ "negate": false,
+ "type": "exists",
+ "value": "exists"
+ }
}
],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": true,
- "showTotal": false,
- "sort": {
- "columnIndex": null,
- "direction": null
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "totalFunc": "sum"
- },
- "type": "table",
- "uiState": {
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "9b2b05a9-c5a5-4113-b19c-0277064071b7"
+ },
+ {
+ "alignment": "left",
+ "columnId": "82686a61-388e-4090-9774-92a0674e6002"
+ },
+ {
+ "alignment": "left",
+ "columnId": "3105082a-3ef9-449f-b5a1-f70ddf3dc5a3"
+ },
+ {
+ "alignment": "left",
+ "columnId": "8a6a27cd-21ec-4de3-b80d-fcc88f6733b8"
}
- }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "36e6b76b-a5bb-4186-a272-36155591b7df",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
}
- }
- }
+ },
+ "title": "[Auditd Manager] Connect",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 20,
@@ -501,102 +864,224 @@
},
"panelIndex": "d91afd3e-4c8e-41d9-b038-78bcffbe1e0e",
"title": "[Auditd Manager] Connect",
- "type": "visualization",
- "version": "8.2.0"
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-8ea6aeca-6215-4465-81a7-bd46429d4cc6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8fdaf811-0e78-4077-8678-4c9f3fbb16b5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "621fda46-21b3-4491-8fca-6c05b2e17f21",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c67db52e-5701-4331-bc5b-a59b4609c07f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8ea6aeca-6215-4465-81a7-bd46429d4cc6": {
+ "columnOrder": [
+ "cc83fa51-52f9-4d6c-ade2-24b45d3e08e2",
+ "8044abd2-b585-418b-9bdc-7dbbdf43fb6c",
+ "ac149086-2751-4279-8b0f-a5f24c9580cc"
+ ],
+ "columns": {
+ "8044abd2-b585-418b-9bdc-7dbbdf43fb6c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Syscall",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ac149086-2751-4279-8b0f-a5f24c9580cc",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.data.syscall"
+ },
+ "ac149086-2751-4279-8b0f-a5f24c9580cc": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Unique Addresses",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "auditd.summary.object.primary"
+ },
+ "cc83fa51-52f9-4d6c-ade2-24b45d3e08e2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Exe",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ac149086-2751-4279-8b0f-a5f24c9580cc",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 50
+ },
+ "scale": "ordinal",
+ "sourceField": "process.executable"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
{
- "enabled": true,
- "id": "1",
- "params": {
- "customLabel": "Unique Addresses",
- "emptyAsNull": false,
- "field": "auditd.summary.object.primary"
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "8fdaf811-0e78-4077-8678-4c9f3fbb16b5",
+ "key": "auditd.summary.object.type",
+ "negate": false,
+ "params": {
+ "query": "socket",
+ "type": "phrase"
+ },
+ "type": "phrase",
+ "value": "socket"
},
- "schema": "metric",
- "type": "cardinality"
+ "query": {
+ "match": {
+ "auditd.summary.object.type": {
+ "query": "socket",
+ "type": "phrase"
+ }
+ }
+ }
},
{
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Exe",
- "field": "process.executable",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 50
+ "$state": {
+ "store": "appState"
+ },
+ "exists": {
+ "field": "auditd.summary.object.primary"
},
- "schema": "bucket",
- "type": "terms"
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "621fda46-21b3-4491-8fca-6c05b2e17f21",
+ "key": "auditd.summary.object.primary",
+ "negate": false,
+ "type": "exists",
+ "value": "exists"
+ }
},
{
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Syscall",
- "field": "auditd.data.syscall",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "c67db52e-5701-4331-bc5b-a59b4609c07f",
+ "key": "query",
+ "negate": false,
+ "type": "custom",
+ "value": "{\"terms\":{\"auditd.data.syscall\":[\"accept\",\"accept4\",\"recvfrom\",\"recvmsg\"]}}"
},
- "schema": "bucket",
- "type": "terms"
+ "query": {
+ "terms": {
+ "auditd.data.syscall": [
+ "accept",
+ "accept4",
+ "recvfrom",
+ "recvmsg"
+ ]
+ }
+ }
}
],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": true,
- "showTotal": false,
- "sort": {
- "columnIndex": null,
- "direction": null
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "totalFunc": "sum"
- },
- "type": "table",
- "uiState": {
- "spy": {
- "mode": {
- "fill": false,
- "name": null
- }
- },
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "ac149086-2751-4279-8b0f-a5f24c9580cc"
+ },
+ {
+ "alignment": "left",
+ "columnId": "cc83fa51-52f9-4d6c-ade2-24b45d3e08e2"
+ },
+ {
+ "alignment": "left",
+ "columnId": "8044abd2-b585-418b-9bdc-7dbbdf43fb6c"
}
- }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "8ea6aeca-6215-4465-81a7-bd46429d4cc6",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
}
- }
- }
+ },
+ "title": "[Auditd Manager] Accept / Recvfrom Unique Address Table",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 20,
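Review bot: The third filter on the Accept / Recvfrom panel carries the syscall list twice — as the structured `query.terms` object and again as the escaped JSON string in `meta.value` — so editing one without the other leaves the filter pill describing a query it no longer runs. For a `custom` filter Kibana appears to use `meta.value` only as display text and executes the structured `query`, so the duplication is cosmetic today but is the kind of drift that goes unnoticed; a `phrases` filter (`"type": "phrases"` with `meta.params` holding the list and `query.bool.should` of `match_phrase` clauses) would give a readable pill without double-encoded JSON. The Syscall terms column also requests `"size": 5` while the filter admits only four values, which is harmless but slightly misleading about what the table can show.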
@@ -607,44 +1092,75 @@
},
"panelIndex": "cd08c022-92e5-4012-a94d-6e459948c42c",
"title": "[Auditd Manager] Accept / Recvfrom Unique Address Table",
- "type": "visualization",
- "version": "8.2.0"
+ "type": "lens",
+ "version": "8.7.1"
}
],
"timeRestore": false,
"title": "[Auditd Manager] Sockets",
"version": 1
},
- "coreMigrationVersion": "8.2.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T02:29:32.917Z",
"id": "auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a",
"migrationVersion": {
- "dashboard": "8.2.0"
+ "dashboard": "8.7.0"
},
"references": [
{
"id": "logs-*",
- "name": "843ccc25-3963-4bd5-838e-b40019bcf3c5:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "843ccc25-3963-4bd5-838e-b40019bcf3c5:indexpattern-datasource-layer-7df070bc-ffd5-4146-857b-10eab8abf204",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1e9272d7-090a-443b-bc0c-3d8afae53e76:indexpattern-datasource-layer-0fdad548-2d4c-4f5f-bb7b-10ceec531d12",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1e9272d7-090a-443b-bc0c-3d8afae53e76:5053b104-b820-4440-8e9a-51f20ee17734",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1e9272d7-090a-443b-bc0c-3d8afae53e76:cda5582e-d10c-46ac-acd7-fc3cdde53507",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d91afd3e-4c8e-41d9-b038-78bcffbe1e0e:indexpattern-datasource-layer-36e6b76b-a5bb-4186-a272-36155591b7df",
"type": "index-pattern"
},
{
- "id": "auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a",
- "name": "1e9272d7-090a-443b-bc0c-3d8afae53e76:search_0",
- "type": "search"
+ "id": "logs-*",
+ "name": "d91afd3e-4c8e-41d9-b038-78bcffbe1e0e:8ac0926a-dbce-486b-8dd5-5404260d49dd",
+ "type": "index-pattern"
},
{
"id": "logs-*",
- "name": "1e9272d7-090a-443b-bc0c-3d8afae53e76:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "name": "d91afd3e-4c8e-41d9-b038-78bcffbe1e0e:a62d3b3a-edf4-4401-9cda-b808f971a34b",
"type": "index-pattern"
},
{
- "id": "auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a",
- "name": "d91afd3e-4c8e-41d9-b038-78bcffbe1e0e:search_0",
- "type": "search"
+ "id": "logs-*",
+ "name": "cd08c022-92e5-4012-a94d-6e459948c42c:indexpattern-datasource-layer-8ea6aeca-6215-4465-81a7-bd46429d4cc6",
+ "type": "index-pattern"
},
{
- "id": "auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a",
- "name": "cd08c022-92e5-4012-a94d-6e459948c42c:search_0",
- "type": "search"
+ "id": "logs-*",
+ "name": "cd08c022-92e5-4012-a94d-6e459948c42c:8fdaf811-0e78-4077-8678-4c9f3fbb16b5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cd08c022-92e5-4012-a94d-6e459948c42c:621fda46-21b3-4491-8fca-6c05b2e17f21",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cd08c022-92e5-4012-a94d-6e459948c42c:c67db52e-5701-4331-bc5b-a59b4609c07f",
+ "type": "index-pattern"
}
],
"type": "dashboard"
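Review bot: The three `"type": "search"` references (`auditd_manager-b4c93470-…`, `auditd_manager-5438b030-…`, `auditd_manager-e8734160-…`) are dropped in favour of by-value Lens panels with inlined filters, so any dataset or extra filter that lived in those saved searches has to be reproduced per panel; the Connect and Accept panels now filter on `event.action` / `auditd.summary.object.type` but, unlike the Executions dashboard panels, carry no `data_stream.dataset` filter, and whether the dashboard-level query scopes the dataset is outside this hunk. If the saved-search objects are still shipped by the package they are now orphaned — either remove them or confirm another dashboard references them. The per-panel `indexpattern-datasource-layer-…` and filter-index reference names do match the panel ids and layer ids used above, so the reference list itself looks consistent.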
diff --git a/packages/auditd_manager/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json b/packages/auditd_manager/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json
index da1deead6e9..419a40211ff 100644
--- a/packages/auditd_manager/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json
+++ b/packages/auditd_manager/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json
@@ -1,20 +1,20 @@
{
"attributes": {
"description": "Overview of kernel executions",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
- "highlightAll": true,
"query": {
"language": "kuery",
"query": "data_stream.dataset:auditd_manager.auditd"
- },
- "version": true
+ }
}
},
"optionsJSON": {
- "darkTheme": false,
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": false
},
"panelsJSON": [
@@ -27,12 +27,12 @@
"i": "6",
"w": 48,
"x": 0,
- "y": 16
+ "y": 20
},
"panelIndex": "6",
"panelRefName": "panel_6",
"type": "search",
- "version": "8.2.0"
+ "version": "8.7.1"
},
{
"embeddableConfig": {
@@ -70,236 +70,503 @@
},
"panelIndex": "f2ce7c72-d0f9-41a5-8738-11d4820c0774",
"type": "visualization",
- "version": "8.2.0"
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "emptyAsNull": false
- },
- "schema": "metric",
- "type": "count"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d97ac597-b722-44d2-b31b-c15ab798a8cb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f007de01-b77c-4903-a874-bbaa7cc89c0d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d97ac597-b722-44d2-b31b-c15ab798a8cb": {
+ "columnOrder": [
+ "e48d9f60-ccd8-4d20-92f0-c66e88f5741c",
+ "b588dcef-329b-4a6c-b68b-d28efcce9864"
+ ],
+ "columns": {
+ "b588dcef-329b-4a6c-b68b-d28efcce9864": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "e48d9f60-ccd8-4d20-92f0-c66e88f5741c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Process Executions",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b588dcef-329b-4a6c-b68b-d28efcce9864",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "process.executable"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
},
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
{
- "enabled": true,
- "id": "2",
- "params": {
- "field": "auditd.summary.actor.primary",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
+ "$state": {
+ "store": "appState"
},
- "schema": "segment",
- "type": "terms"
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "f007de01-b77c-4903-a874-bbaa7cc89c0d",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "auditd_manager.auditd"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "auditd_manager.auditd"
+ }
+ }
}
],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "",
- "params": {
- "maxFontSize": 45,
- "minFontSize": 18,
- "orientation": "single",
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "scale": "linear",
- "showLabel": true
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "b588dcef-329b-4a6c-b68b-d28efcce9864"
+ ],
+ "layerId": "d97ac597-b722-44d2-b31b-c15ab798a8cb",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "e48d9f60-ccd8-4d20-92f0-c66e88f5741c"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
},
- "type": "tagcloud",
- "uiState": {}
- }
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 12,
- "i": "4dd0c4a9-2eeb-4bba-bcdb-ca6c2e389e67",
+ "h": 16,
+ "i": "c0882fb9-803b-4285-9905-a199040ae307",
"w": 16,
- "x": 32,
+ "x": 0,
"y": 4
},
- "panelIndex": "4dd0c4a9-2eeb-4bba-bcdb-ca6c2e389e67",
- "title": "[Auditd Manager] Primary Username Tag Cloud",
- "type": "visualization",
- "version": "8.2.0"
+ "panelIndex": "c0882fb9-803b-4285-9905-a199040ae307",
+ "title": "[Auditd Manager] Executable Name",
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "emptyAsNull": false
- },
- "schema": "metric",
- "type": "count"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-bfebf24f-1a17-4ded-88bb-a27e6498e08d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "54f4f0d0-7e6c-4427-bb4b-d34f9e1c869f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "bfebf24f-1a17-4ded-88bb-a27e6498e08d": {
+ "columnOrder": [
+ "f21b9a77-984a-42c2-bed7-5a38cf476967",
+ "bf0c85a3-f3ea-48b0-b26d-01f9501cb7ed"
+ ],
+ "columns": {
+ "bf0c85a3-f3ea-48b0-b26d-01f9501cb7ed": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f21b9a77-984a-42c2-bed7-5a38cf476967": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "auditd.data.exit: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bf0c85a3-f3ea-48b0-b26d-01f9501cb7ed",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.data.exit"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
},
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
{
- "enabled": true,
- "id": "2",
- "params": {
- "field": "process.executable",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
+ "$state": {
+ "store": "appState"
},
- "schema": "segment",
- "type": "terms"
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "54f4f0d0-7e6c-4427-bb4b-d34f9e1c869f",
+ "key": "event.action",
+ "negate": false,
+ "params": {
+ "query": "executed",
+ "type": "phrase"
+ },
+ "type": "phrase",
+ "value": "executed"
+ },
+ "query": {
+ "match": {
+ "event.action": {
+ "query": "executed",
+ "type": "phrase"
+ }
+ }
+ }
}
],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "",
- "params": {
- "maxFontSize": 45,
- "minFontSize": 14,
- "orientation": "single",
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "scale": "linear",
- "showLabel": true
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "emptySizeRatio": 0.3,
+ "layerId": "bfebf24f-1a17-4ded-88bb-a27e6498e08d",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendMaxLines": 1,
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "metrics": [
+ "bf0c85a3-f3ea-48b0-b26d-01f9501cb7ed"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "f21b9a77-984a-42c2-bed7-5a38cf476967"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "palette": {
+ "name": "kibana_palette",
+ "type": "palette"
+ },
+ "shape": "donut"
+ }
},
- "type": "tagcloud",
- "uiState": {}
- }
+ "title": "[Auditd Manager] Error Codes",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 12,
- "i": "459f779e-e668-4048-a1d5-fa5806262646",
+ "h": 16,
+ "i": "b65a07a2-a0d7-4dab-921a-8afbe066d025",
"w": 16,
- "x": 0,
+ "x": 16,
"y": 4
},
- "panelIndex": "459f779e-e668-4048-a1d5-fa5806262646",
- "title": "[Auditd Manager] Executable Name Tag Cloud",
- "type": "visualization",
- "version": "8.2.0"
+ "panelIndex": "b65a07a2-a0d7-4dab-921a-8afbe066d025",
+ "title": "[Auditd Manager] Error Codes",
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "emptyAsNull": false
- },
- "schema": "metric",
- "type": "count"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d97ac597-b722-44d2-b31b-c15ab798a8cb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "303edb2f-7535-49c8-925e-36c703ee4af2",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d97ac597-b722-44d2-b31b-c15ab798a8cb": {
+ "columnOrder": [
+ "d5693408-d1ac-4064-99c9-35224ca28799",
+ "cbc38c21-1f20-4e63-a246-4e432b56e401"
+ ],
+ "columns": {
+ "cbc38c21-1f20-4e63-a246-4e432b56e401": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d5693408-d1ac-4064-99c9-35224ca28799": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Primary Username",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cbc38c21-1f20-4e63-a246-4e432b56e401",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "auditd.summary.actor.primary"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
},
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
{
- "enabled": true,
- "id": "2",
- "params": {
- "field": "auditd.data.exit",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "303edb2f-7535-49c8-925e-36c703ee4af2",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "auditd_manager.auditd"
+ },
+ "type": "phrase"
},
- "schema": "segment",
- "type": "terms"
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "auditd_manager.auditd"
+ }
+ }
}
],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "Command executions",
- "params": {
- "addTooltip": true,
- "distinctColors": true,
- "emptySizeRatio": 0.3,
- "isDonut": true,
- "labels": {
- "last_level": false,
- "percentDecimals": 2,
- "position": "default",
- "show": true,
- "truncate": 100,
- "values": true,
- "valuesFormat": "percent"
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "legendDisplay": "show",
- "legendPosition": "right",
- "maxLegendLines": 1,
- "nestedLegend": false,
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
- },
- "truncateLegend": true,
- "type": "pie"
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "cbc38c21-1f20-4e63-a246-4e432b56e401"
+ ],
+ "layerId": "d97ac597-b722-44d2-b31b-c15ab798a8cb",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "d5693408-d1ac-4064-99c9-35224ca28799"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
},
- "type": "pie",
- "uiState": {}
- }
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 12,
- "i": "b65a07a2-a0d7-4dab-921a-8afbe066d025",
+ "h": 16,
+ "i": "12f23f3b-9f6b-4a8f-8ad4-24961fe39077",
"w": 16,
- "x": 16,
+ "x": 32,
"y": 4
},
- "panelIndex": "b65a07a2-a0d7-4dab-921a-8afbe066d025",
- "title": "[Auditd Manager] Error Codes",
- "type": "visualization",
- "version": "8.2.0"
+ "panelIndex": "12f23f3b-9f6b-4a8f-8ad4-24961fe39077",
+ "title": "[Auditd Manager] Primary Username",
+ "type": "lens",
+ "version": "8.7.1"
}
],
"timeRestore": false,
"title": "[Auditd Manager] Executions",
"version": 1
},
- "coreMigrationVersion": "8.2.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T02:43:45.113Z",
"id": "auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16",
"migrationVersion": {
- "dashboard": "8.2.0"
+ "dashboard": "8.7.0"
},
"references": [
{
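Review bot: The `auditd.data.exit` terms column in the Error Codes panel sets `"customLabel": true` but keeps the auto-generated text `"label": "auditd.data.exit: Descending"`, so the donut legend shows the field path plus sort direction instead of a name; either drop `customLabel` or set `"label": "Exit Code"`. The `attributes.title` is `""` for the Executable Name and Primary Username panels but `"[Auditd Manager] Error Codes"` for the donut while all three have panel-level titles — harmless since the panel title wins, but worth making consistent. The `data_stream.dataset` filters are serialized with `meta.field` and no `meta.value`, whereas the `event.action` filter uses `meta.key` plus `meta.value`; Kibana accepts both shapes, but the mix suggests panels authored in different builds. The Executable Name and Primary Username panels also share layer id `d97ac597-…`; by-value panels carry their own state so this is presumably fine, but confirm they do not collide when the dashboard is loaded.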
@@ -309,18 +576,33 @@
},
{
"id": "logs-*",
- "name": "4dd0c4a9-2eeb-4bba-bcdb-ca6c2e389e67:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "c0882fb9-803b-4285-9905-a199040ae307:indexpattern-datasource-layer-d97ac597-b722-44d2-b31b-c15ab798a8cb",
"type": "index-pattern"
},
{
- "id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16",
- "name": "459f779e-e668-4048-a1d5-fa5806262646:search_0",
- "type": "search"
+ "id": "logs-*",
+ "name": "c0882fb9-803b-4285-9905-a199040ae307:f007de01-b77c-4903-a874-bbaa7cc89c0d",
+ "type": "index-pattern"
},
{
- "id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16",
- "name": "b65a07a2-a0d7-4dab-921a-8afbe066d025:search_0",
- "type": "search"
+ "id": "logs-*",
+ "name": "b65a07a2-a0d7-4dab-921a-8afbe066d025:indexpattern-datasource-layer-bfebf24f-1a17-4ded-88bb-a27e6498e08d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b65a07a2-a0d7-4dab-921a-8afbe066d025:54f4f0d0-7e6c-4427-bb4b-d34f9e1c869f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "12f23f3b-9f6b-4a8f-8ad4-24961fe39077:indexpattern-datasource-layer-d97ac597-b722-44d2-b31b-c15ab798a8cb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "12f23f3b-9f6b-4a8f-8ad4-24961fe39077:303edb2f-7535-49c8-925e-36c703ee4af2",
+ "type": "index-pattern"
}
],
"type": "dashboard"
diff --git a/packages/auditd_manager/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json b/packages/auditd_manager/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json
index 0a6c0b20a2b..ff9ee8e3ee6 100644
--- a/packages/auditd_manager/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json
+++ b/packages/auditd_manager/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json
@@ -1,20 +1,20 @@
{
"attributes": {
"description": "Summary of Linux kernel audit events.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
- "highlightAll": true,
"query": {
"language": "kuery",
"query": "data_stream.dataset:auditd_manager.auditd"
- },
- "version": true
+ }
}
},
"optionsJSON": {
- "darkTheme": false,
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": false
},
"panelsJSON": [
@@ -32,7 +32,7 @@
"panelIndex": "5",
"panelRefName": "panel_5",
"type": "search",
- "version": "8.2.0"
+ "version": "8.7.1"
},
{
"embeddableConfig": {
@@ -70,84 +70,187 @@
},
"panelIndex": "7969164a-3810-485c-b3ad-948b1930f6d0",
"type": "visualization",
- "version": "8.2.0"
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [],
- "searchSource": {}
- },
- "description": "",
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "58c95a20-c1bd-11e7-938f-ab0645b6c431"
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
}
- ],
- "bar_color_rules": [
- {
- "id": "5bfc71a0-c1bd-11e7-938f-ab0645b6c431"
- }
- ],
- "drop_last_bucket": 1,
- "filter": {
- "language": "lucene",
- "query": ""
},
- "gauge_color_rules": [
- {
- "id": "5d20a650-c1bd-11e7-938f-ab0645b6c431"
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "9c301e87-19cd-4dd1-8b91-7c4ad341f32b": {
+ "columnOrder": [
+ "ac0c48ae-49a1-4780-8f35-4673ef2b3b98",
+ "aeef965a-7948-4d1a-95f6-eac67d8eddbf",
+ "6e7ab90b-eb12-4f1b-b84e-da769dcb16ea"
+ ],
+ "columns": {
+ "6e7ab90b-eb12-4f1b-b84e-da769dcb16ea": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Actions",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "ac0c48ae-49a1-4780-8f35-4673ef2b3b98": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "aeef965a-7948-4d1a-95f6-eac67d8eddbf": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of event.action",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {},
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
}
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "logs-*",
- "interval": "auto",
- "legend_position": "left",
- "max_lines_legend": 1,
- "series": [
+ },
+ "filters": [],
+ "internalReferences": [
{
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Actions",
- "line_width": 1,
- "metrics": [
- {
- "id": "6b9fb2d0-c1bc-11e7-938f-ab0645b6c431",
- "type": "count"
- }
- ],
- "point_size": 1,
- "seperate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "event.action"
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-9c301e87-19cd-4dd1-8b91-7c4ad341f32b",
+ "type": "index-pattern"
}
],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "tooltip_mode": "show_all",
- "truncate_legend": 1,
- "type": "timeseries",
- "use_kibana_indexes": false
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "6e7ab90b-eb12-4f1b-b84e-da769dcb16ea"
+ ],
+ "layerId": "9c301e87-19cd-4dd1-8b91-7c4ad341f32b",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "splitAccessor": "aeef965a-7948-4d1a-95f6-eac67d8eddbf",
+ "xAccessor": "ac0c48ae-49a1-4780-8f35-4673ef2b3b98",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#68BC00",
+ "forAccessor": "6e7ab90b-eb12-4f1b-b84e-da769dcb16ea"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "left",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
},
- "type": "metrics",
- "uiState": {}
- }
+ "title": "[Auditd Manager] Event Actions",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
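Review bot: The converted "[Auditd Manager] Event Actions" Lens panel carries its data view inline as an ad-hoc view (`"adHocDataViews"` keyed `tsvb_ad_hoc_logs-*/@timestamp`, with `"references": []` and the index pattern listed only under `"internalReferences"`), whereas the "[Auditd Manager] Event Categories" panel in the next hunk and the dashboard-level `references` block resolve the same `logs-*` pattern through a proper `index-pattern` saved-object reference. Unless the ad-hoc form is intentional, it would be more consistent with the rest of this file to move the layer onto the referenced `logs-*` view, e.g. `"references": [{ "id": "logs-*", "name": "indexpattern-datasource-layer-9c301e87-19cd-4dd1-8b91-7c4ad341f32b", "type": "index-pattern" }]` with `"adHocDataViews": {}` and `"internalReferences": []`, so that the package's saved-object references are complete and the `tsvb_ad_hoc_*` migration artefact does not leak into the shipped asset. Both Lens panels also have an empty panel-level `"query": ""`, so scoping to this integration's data appears to rest entirely on the dashboard-level KQL `data_stream.dataset:auditd_manager.auditd` earlier in the file; if that is the intent, a short note in the package docs or changelog would help the next maintainer, since a panel copied elsewhere would presumably count every `logs-*` document. The enclosing `panelsJSON` array continues outside this hunk.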
@@ -158,97 +261,149 @@
},
"panelIndex": "c89b1ae9-3f74-4088-bb68-a0fdcf3aad94",
"title": "[Auditd Manager] Event Actions",
- "type": "visualization",
- "version": "8.2.0"
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "emptyAsNull": false
- },
- "schema": "metric",
- "type": "count"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Category",
- "field": "event.category",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "segment",
- "type": "terms"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-cf8a8037-9889-427c-ab8a-5d12f51f6c6b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "cf8a8037-9889-427c-ab8a-5d12f51f6c6b": {
+ "columnOrder": [
+ "382ebc96-7f8b-4bf8-b2be-ff648ea5e6b5",
+ "b9b47b41-dcd0-4d8b-afb6-d3747c69f983",
+ "cd9af377-634d-4d78-98bb-19cbb156bbe9"
+ ],
+ "columns": {
+ "382ebc96-7f8b-4bf8-b2be-ff648ea5e6b5": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Category",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cd9af377-634d-4d78-98bb-19cbb156bbe9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "event.category"
+ },
+ "b9b47b41-dcd0-4d8b-afb6-d3747c69f983": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Action",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cd9af377-634d-4d78-98bb-19cbb156bbe9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ },
+ "cd9af377-634d-4d78-98bb-19cbb156bbe9": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
},
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Action",
- "field": "event.action",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 20
- },
- "schema": "segment",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
+ "textBased": {
+ "layers": {}
}
- }
- },
- "description": "",
- "params": {
- "addTooltip": true,
- "distinctColors": true,
- "emptySizeRatio": 0.3,
- "isDonut": true,
- "labels": {
- "last_level": false,
- "percentDecimals": 2,
- "position": "default",
- "show": true,
- "truncate": 100,
- "values": true,
- "valuesFormat": "percent"
},
- "legendDisplay": "show",
- "legendPosition": "right",
- "maxLegendLines": 1,
- "nestedLegend": false,
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "truncateLegend": true,
- "type": "pie"
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "emptySizeRatio": 0.3,
+ "layerId": "cf8a8037-9889-427c-ab8a-5d12f51f6c6b",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendMaxLines": 1,
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "metrics": [
+ "cd9af377-634d-4d78-98bb-19cbb156bbe9"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "382ebc96-7f8b-4bf8-b2be-ff648ea5e6b5",
+ "b9b47b41-dcd0-4d8b-afb6-d3747c69f983"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "palette": {
+ "name": "kibana_palette",
+ "type": "palette"
+ },
+ "shape": "donut"
+ }
},
- "type": "pie",
- "uiState": {}
- }
+ "title": "[Auditd Manager] Event Categories",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
@@ -259,18 +414,19 @@
},
"panelIndex": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5",
"title": "[Auditd Manager] Event Categories",
- "type": "visualization",
- "version": "8.2.0"
+ "type": "lens",
+ "version": "8.7.1"
}
],
"timeRestore": false,
"title": "[Auditd Manager] Overview",
"version": 1
},
- "coreMigrationVersion": "8.2.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T02:45:19.714Z",
"id": "auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16",
"migrationVersion": {
- "dashboard": "8.2.0"
+ "dashboard": "8.7.0"
},
"references": [
{
@@ -278,14 +434,9 @@
"name": "5:panel_5",
"type": "search"
},
- {
- "id": "auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16",
- "name": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5:search_0",
- "type": "search"
- },
{
"id": "logs-*",
- "name": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5:indexpattern-datasource-layer-cf8a8037-9889-427c-ab8a-5d12f51f6c6b",
"type": "index-pattern"
}
],
diff --git a/packages/auditd_manager/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json b/packages/auditd_manager/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json
index 0121ff18569..2bf4e80f681 100644
--- a/packages/auditd_manager/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json
+++ b/packages/auditd_manager/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json
@@ -34,7 +34,8 @@
"title": "[Auditd Manager] Audit Event Table",
"version": 1
},
- "coreMigrationVersion": "8.2.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T02:37:41.847Z",
"id": "auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16",
"migrationVersion": {
"search": "8.0.0"
diff --git a/packages/auditd_manager/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json
index 44c728a25cf..e1cf6c440b8 100644
--- a/packages/auditd_manager/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json
+++ b/packages/auditd_manager/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json
@@ -76,7 +76,8 @@
"title": "[Auditd Manager] Socket Connects",
"version": 1
},
- "coreMigrationVersion": "8.2.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T02:14:23.255Z",
"id": "auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a",
"migrationVersion": {
"search": "8.0.0"
diff --git a/packages/auditd_manager/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json
index cf533f1ec4a..47f9b990755 100644
--- a/packages/auditd_manager/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json
+++ b/packages/auditd_manager/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json
@@ -84,7 +84,8 @@
"title": "[Auditd Manager] Socket Binds",
"version": 1
},
- "coreMigrationVersion": "8.2.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T02:14:23.255Z",
"id": "auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a",
"migrationVersion": {
"search": "8.0.0"
diff --git a/packages/auditd_manager/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json b/packages/auditd_manager/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json
index 7aed260733d..14d7a68d00c 100644
--- a/packages/auditd_manager/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json
+++ b/packages/auditd_manager/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json
@@ -57,7 +57,8 @@
"title": "[Auditd Manager] Process Executions",
"version": 1
},
- "coreMigrationVersion": "8.2.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T02:37:41.847Z",
"id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16",
"migrationVersion": {
"search": "8.0.0"
diff --git a/packages/auditd_manager/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json
index 0553a811b95..c81a159b25a 100644
--- a/packages/auditd_manager/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json
+++ b/packages/auditd_manager/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json
@@ -99,7 +99,8 @@
"title": "[Auditd Manager] Socket Accept / Recvfrom",
"version": 1
},
- "coreMigrationVersion": "8.2.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T02:14:23.255Z",
"id": "auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a",
"migrationVersion": {
"search": "8.0.0"
diff --git a/packages/auditd_manager/kibana/tags.yml b/packages/auditd_manager/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/auditd_manager/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/auditd_manager/manifest.yml b/packages/auditd_manager/manifest.yml
index 336bd6cee4f..6261ef94dc1 100644
--- a/packages/auditd_manager/manifest.yml
+++ b/packages/auditd_manager/manifest.yml
@@ -1,14 +1,15 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: auditd_manager
title: "Auditd Manager"
-version: "1.10.0"
+version: "1.14.0"
description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel."
type: integration
categories:
- security
- auditd
conditions:
- kibana.version: "^8.4.0"
+ kibana:
+ version: "^8.7.1"
screenshots:
- src: /img/overview.png
title: Overview Dashboard
@@ -37,3 +38,4 @@ policy_templates:
description: Collecting auditd events
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/auth0/_dev/build/build.yml b/packages/auth0/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/auth0/_dev/build/build.yml
+++ b/packages/auth0/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/auth0/changelog.yml b/packages/auth0/changelog.yml
index 9ab0d4aa51d..da3b27f647b 100644
--- a/packages/auth0/changelog.yml
+++ b/packages/auth0/changelog.yml
@@ -1,4 +1,24 @@
# newer versions go on top
+- version: 1.12.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.11.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.10.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.9.0"
+ changes:
+ - description: Convert visualizations to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6905
- version: "1.8.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-login-failure.json-expected.json b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-login-failure.json-expected.json
index 9f5d16c7e8d..a38c678fe44 100644
--- a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-login-failure.json-expected.json
+++ b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-login-failure.json-expected.json
@@ -38,7 +38,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "failed-login",
@@ -124,7 +124,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "failed-login",
@@ -211,7 +211,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "failed-login",
@@ -284,7 +284,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "invalid-username-or-email",
@@ -360,7 +360,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "incorrect-password",
diff --git a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-login-success.json-expected.json b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-login-success.json-expected.json
index 7cd3f4ea058..7c878204610 100644
--- a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-login-success.json-expected.json
+++ b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-login-success.json-expected.json
@@ -61,7 +61,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -189,7 +189,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -264,7 +264,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -390,7 +390,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -516,7 +516,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -630,7 +630,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -744,7 +744,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -858,7 +858,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -935,7 +935,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -1051,7 +1051,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -1179,7 +1179,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -1295,7 +1295,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -1411,7 +1411,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -1527,7 +1527,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -1643,7 +1643,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -1759,7 +1759,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -1875,7 +1875,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -1991,7 +1991,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -2107,7 +2107,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -2223,7 +2223,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -2351,7 +2351,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
@@ -2479,7 +2479,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "successful-login",
diff --git a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-logout-success.json-expected.json b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-logout-success.json-expected.json
index 48d6a1cc95a..8bbdfc971b6 100644
--- a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-logout-success.json-expected.json
+++ b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-logout-success.json-expected.json
@@ -24,7 +24,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "user-logout-successful",
@@ -101,7 +101,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "user-logout-successful",
@@ -178,7 +178,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "user-logout-successful",
diff --git a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-mgmt-api-success.json-expected.json b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-mgmt-api-success.json-expected.json
index 08afe6741f9..d51598365ba 100644
--- a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-mgmt-api-success.json-expected.json
+++ b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-mgmt-api-success.json-expected.json
@@ -54,7 +54,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -169,7 +169,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -309,7 +309,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -680,7 +680,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -780,7 +780,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -939,7 +939,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -1178,7 +1178,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -1280,7 +1280,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -1519,7 +1519,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -1623,7 +1623,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -1733,7 +1733,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -1972,7 +1972,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -2211,7 +2211,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -2320,7 +2320,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -2435,7 +2435,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -2544,7 +2544,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -2646,7 +2646,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -2761,7 +2761,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -2870,7 +2870,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -2972,7 +2972,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -3065,7 +3065,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -3175,7 +3175,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -3284,7 +3284,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -3377,7 +3377,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -3487,7 +3487,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -3580,7 +3580,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -3690,7 +3690,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -3805,7 +3805,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -3907,7 +3907,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -4006,7 +4006,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -4122,7 +4122,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -4361,7 +4361,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -4459,7 +4459,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -4688,7 +4688,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -4913,7 +4913,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -5013,7 +5013,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -5115,7 +5115,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -5223,7 +5223,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -5331,7 +5331,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -5433,7 +5433,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op",
@@ -5538,7 +5538,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op-secrets-returned",
@@ -5639,7 +5639,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-mgmt-api-op-secrets-returned",
diff --git a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-signup-failure.json-expected.json b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-signup-failure.json-expected.json
index 0bf766e285d..6a12e41843e 100644
--- a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-signup-failure.json-expected.json
+++ b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-signup-failure.json-expected.json
@@ -72,7 +72,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "user-signup-failed",
diff --git a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-signup-success.json-expected.json b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-signup-success.json-expected.json
index 7eab71d7e1f..d8539054136 100644
--- a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-signup-success.json-expected.json
+++ b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-signup-success.json-expected.json
@@ -27,7 +27,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-signup",
@@ -101,7 +101,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-signup",
@@ -181,7 +181,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-signup",
@@ -255,7 +255,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-signup",
@@ -329,7 +329,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-signup",
diff --git a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-token-xchg-success.json-expected.json b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-token-xchg-success.json-expected.json
index 6dc8107163e..a3c94a50578 100644
--- a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-token-xchg-success.json-expected.json
+++ b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-token-xchg-success.json-expected.json
@@ -18,7 +18,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -88,7 +88,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -158,7 +158,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -228,7 +228,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -298,7 +298,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -368,7 +368,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -438,7 +438,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -508,7 +508,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -578,7 +578,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -648,7 +648,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -718,7 +718,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -788,7 +788,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -858,7 +858,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -928,7 +928,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -998,7 +998,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -1068,7 +1068,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -1138,7 +1138,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -1208,7 +1208,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -1278,7 +1278,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -1348,7 +1348,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
@@ -1418,7 +1418,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "success-exchange-auth-code-for-access-token",
diff --git a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-user-behaviour-fail.json-expected.json b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-user-behaviour-fail.json-expected.json
index 0bc84a8b1a1..a6955d0532d 100644
--- a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-user-behaviour-fail.json-expected.json
+++ b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-user-behaviour-fail.json-expected.json
@@ -20,7 +20,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "failed-to-send-email-notification",
@@ -58,7 +58,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "failed-to-send-email-notification",
diff --git a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-user-behaviour-success.json-expected.json b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-user-behaviour-success.json-expected.json
index 6c37a218a24..96e55201cf5 100644
--- a/packages/auth0/data_stream/logs/_dev/test/pipeline/test-user-behaviour-success.json-expected.json
+++ b/packages/auth0/data_stream/logs/_dev/test/pipeline/test-user-behaviour-success.json-expected.json
@@ -35,7 +35,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "sent-verification-email",
diff --git a/packages/auth0/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/auth0/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
index 76bf031abd1..36dc17865b2 100644
--- a/packages/auth0/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/auth0/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing Auth0 log stream events
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: auth0.logs.data
copy_from: json.data
diff --git a/packages/auth0/data_stream/logs/sample_event.json b/packages/auth0/data_stream/logs/sample_event.json
index 4c5d9bef9f1..5f2add17204 100644
--- a/packages/auth0/data_stream/logs/sample_event.json
+++ b/packages/auth0/data_stream/logs/sample_event.json
@@ -83,7 +83,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "2c778b7a-e0be-4a84-8c7c-e0142f3690df",
diff --git a/packages/auth0/docs/README.md b/packages/auth0/docs/README.md
index c10c1192bb1..cba81cf1c25 100644
--- a/packages/auth0/docs/README.md
+++ b/packages/auth0/docs/README.md
@@ -95,11 +95,11 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event timestamp. | constant_keyword |
| event.id | Unique ID to describe the event. | keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event timestamp. | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
@@ -256,7 +256,7 @@ An example event for `logs` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "2c778b7a-e0be-4a84-8c7c-e0142f3690df",
diff --git a/packages/auth0/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json
index 24a20bd5d71..5fdc17c4d40 100644
--- a/packages/auth0/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json
+++ b/packages/auth0/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json
@@ -1,14 +1,6 @@
{
- "id": "auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-11-18T20:58:16.014Z",
- "version": "WzU3NCwxXQ==",
"attributes": {
"description": "",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
@@ -21,20 +13,12 @@
"optionsJSON": {
"hidePanelTitles": false,
"syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
- "version": "8.1.0",
- "type": "lens",
- "gridData": {
- "h": 10,
- "i": "1a13814d-17bf-42cf-8ef9-2dc599fb6766",
- "w": 15,
- "x": 0,
- "y": 0
- },
- "panelIndex": "1a13814d-17bf-42cf-8ef9-2dc599fb6766",
"embeddableConfig": {
"attributes": {
"references": [
@@ -56,7 +40,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"c9215ac0-57f7-4fbb-af81-9f5bb365a238": {
"columnOrder": [
@@ -104,13 +88,13 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "data_stream.dataset",
"negate": false,
"params": {
"query": "auth0.logs"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
@@ -127,15 +111,18 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
- "ad18389f-67bd-47ae-bd5e-7a0a8a74ef31"
- ],
"layerId": "c9215ac0-57f7-4fbb-af81-9f5bb365a238",
"layerType": "data",
"legendDisplay": "default",
- "metric": "becf928d-1e95-4cf0-a37f-e4eb735dcc27",
+ "legendSize": "auto",
+ "metrics": [
+ "becf928d-1e95-4cf0-a37f-e4eb735dcc27"
+ ],
"nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "ad18389f-67bd-47ae-bd5e-7a0a8a74ef31"
+ ]
}
],
"shape": "pie"
@@ -146,22 +133,21 @@
"visualizationType": "lnsPie"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Auth0 Log Stream Event Types"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 10,
- "i": "6089a77e-3c96-4414-9932-eda55ced3d07",
- "w": 14,
- "x": 15,
+ "i": "1a13814d-17bf-42cf-8ef9-2dc599fb6766",
+ "w": 15,
+ "x": 0,
"y": 0
},
- "panelIndex": "6089a77e-3c96-4414-9932-eda55ced3d07",
+ "panelIndex": "1a13814d-17bf-42cf-8ef9-2dc599fb6766",
+ "title": "Auth0 Log Stream Event Types",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -183,7 +169,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35": {
"columnOrder": [
@@ -197,6 +183,7 @@
"label": "@timestamp",
"operationType": "date_histogram",
"params": {
+ "includeEmptyRows": true,
"interval": "auto"
},
"scale": "interval",
@@ -224,13 +211,13 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "data_stream.dataset",
"negate": false,
"params": {
"query": "auth0.logs"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
@@ -259,6 +246,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -277,250 +265,269 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Rate of events"
- },
- {
- "version": "8.1.0",
- "type": "visualization",
"gridData": {
"h": 10,
- "i": "5124c723-8890-477e-aad5-bc4fd529bd46",
- "w": 9,
- "x": 29,
+ "i": "6089a77e-3c96-4414-9932-eda55ced3d07",
+ "w": 14,
+ "x": 15,
"y": 0
},
- "panelIndex": "5124c723-8890-477e-aad5-bc4fd529bd46",
+ "panelIndex": "6089a77e-3c96-4414-9932-eda55ced3d07",
+ "title": "Rate of events",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
"embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {},
- "schema": "metric",
- "type": "count"
- }
- ],
- "searchSource": {
- "filter": [
- {
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "index": "logs-*",
- "key": "data_stream.dataset",
- "negate": false,
- "params": {
- "query": "auth0.logs"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f4e91fff-3766-4adf-bcbf-f0ceb8ea19fa",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3b88d295-b9e0-412b-9bff-d6e5893a485a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "335cb626-370d-4e95-9a6c-4f231edeb186",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f4e91fff-3766-4adf-bcbf-f0ceb8ea19fa": {
+ "columnOrder": [
+ "7c1be01f-a2e6-41e3-80e6-088855e73800"
+ ],
+ "columns": {
+ "7c1be01f-a2e6-41e3-80e6-088855e73800": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
},
- "type": "phrase"
- },
- "query": {
- "match_phrase": {
- "data_stream.dataset": "auth0.logs"
- }
+ "incompleteColumns": {}
}
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
},
- {
- "$state": {
- "store": "appState"
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "3b88d295-b9e0-412b-9bff-d6e5893a485a",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "auth0.logs"
},
- "meta": {
- "alias": null,
- "disabled": false,
- "index": "logs-*",
- "key": "event.category",
- "negate": false,
- "params": {
- "query": "Login - Failure"
- },
- "type": "phrase"
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "auth0.logs"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "335cb626-370d-4e95-9a6c-4f231edeb186",
+ "key": "event.category",
+ "negate": false,
+ "params": {
+ "query": "Login - Failure"
},
- "query": {
- "match_phrase": {
- "event.category": "Login - Failure"
- }
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.category": "Login - Failure"
}
}
- ],
- "index": "logs-*",
- "query": {
- "language": "kuery",
- "query": ""
}
- }
- },
- "description": "",
- "params": {
- "addLegend": false,
- "addTooltip": true,
- "metric": {
- "colorSchema": "Green to Red",
- "colorsRange": [
- {
- "from": 0,
- "to": 10000
- }
- ],
- "invertColors": false,
- "labels": {
- "show": true
- },
- "metricColorMode": "None",
- "percentageMode": false,
- "style": {
- "bgColor": false,
- "bgFill": "#000",
- "fontSize": 60,
- "labelColor": false,
- "subText": ""
- },
- "useRanges": false
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "type": "metric"
+ "visualization": {
+ "layerId": "f4e91fff-3766-4adf-bcbf-f0ceb8ea19fa",
+ "layerType": "data",
+ "metricAccessor": "7c1be01f-a2e6-41e3-80e6-088855e73800"
+ }
},
- "title": "",
- "type": "metric",
- "uiState": {}
+ "title": "Number of Failed Logins",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
},
- "type": "visualization"
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "title": "Number of Failed Logins"
- },
- {
- "version": "8.1.0",
- "type": "visualization",
"gridData": {
"h": 10,
- "i": "cb337534-d263-480b-b6a3-80cc4f14d73b",
- "w": 10,
- "x": 38,
+ "i": "5124c723-8890-477e-aad5-bc4fd529bd46",
+ "w": 9,
+ "x": 29,
"y": 0
},
- "panelIndex": "cb337534-d263-480b-b6a3-80cc4f14d73b",
+ "panelIndex": "5124c723-8890-477e-aad5-bc4fd529bd46",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
"embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {},
- "schema": "metric",
- "type": "count"
- }
- ],
- "searchSource": {
- "filter": [
- {
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "index": "logs-*",
- "key": "data_stream.dataset",
- "negate": false,
- "params": {
- "query": "auth0.logs"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f637aea7-1a8a-4c6f-bea3-83b1910bd16d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f5f62b07-86eb-481b-b6b5-308fdf2ee125",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fefc1a3f-fa1c-455f-9f0e-836cb58b93b4",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f637aea7-1a8a-4c6f-bea3-83b1910bd16d": {
+ "columnOrder": [
+ "07d7e830-73dc-4cc0-9426-892fc45589d4"
+ ],
+ "columns": {
+ "07d7e830-73dc-4cc0-9426-892fc45589d4": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
},
- "type": "phrase"
- },
- "query": {
- "match_phrase": {
- "data_stream.dataset": "auth0.logs"
- }
+ "incompleteColumns": {}
}
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
},
- {
- "$state": {
- "store": "appState"
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "f5f62b07-86eb-481b-b6b5-308fdf2ee125",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "auth0.logs"
},
- "meta": {
- "alias": null,
- "disabled": false,
- "index": "logs-*",
- "key": "event.category",
- "negate": false,
- "params": {
- "query": "Signup - Success"
- },
- "type": "phrase"
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "auth0.logs"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "fefc1a3f-fa1c-455f-9f0e-836cb58b93b4",
+ "key": "event.category",
+ "negate": false,
+ "params": {
+ "query": "Signup - Success"
},
- "query": {
- "match_phrase": {
- "event.category": "Signup - Success"
- }
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.category": "Signup - Success"
}
}
- ],
- "index": "logs-*",
- "query": {
- "language": "kuery",
- "query": ""
}
- }
- },
- "description": "",
- "params": {
- "addLegend": false,
- "addTooltip": true,
- "metric": {
- "colorSchema": "Green to Red",
- "colorsRange": [
- {
- "from": 0,
- "to": 10000
- }
- ],
- "invertColors": false,
- "labels": {
- "show": true
- },
- "metricColorMode": "None",
- "percentageMode": false,
- "style": {
- "bgColor": false,
- "bgFill": "#000",
- "fontSize": 60,
- "labelColor": false,
- "subText": ""
- },
- "useRanges": false
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "type": "metric"
+ "visualization": {
+ "layerId": "f637aea7-1a8a-4c6f-bea3-83b1910bd16d",
+ "layerType": "data",
+ "metricAccessor": "07d7e830-73dc-4cc0-9426-892fc45589d4"
+ }
},
- "title": "",
- "type": "metric",
- "uiState": {}
+ "title": "Number of Successful Signups",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
},
- "type": "visualization"
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "title": "Number of Successful Signups"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 12,
- "i": "d00429d4-502f-41d8-8a2b-7300859930ea",
- "w": 15,
- "x": 0,
- "y": 10
+ "h": 10,
+ "i": "cb337534-d263-480b-b6a3-80cc4f14d73b",
+ "w": 10,
+ "x": 38,
+ "y": 0
},
- "panelIndex": "d00429d4-502f-41d8-8a2b-7300859930ea",
+ "panelIndex": "cb337534-d263-480b-b6a3-80cc4f14d73b",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -547,7 +554,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"e7270679-c5d0-496a-9fd2-7409b402bdb0": {
"columnOrder": [
@@ -569,6 +576,7 @@
"label": "@timestamp",
"operationType": "date_histogram",
"params": {
+ "includeEmptyRows": true,
"interval": "auto"
},
"scale": "interval",
@@ -588,13 +596,13 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "data_stream.dataset",
"negate": false,
"params": {
"query": "auth0.logs"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
@@ -609,13 +617,13 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-1",
"key": "event.category",
"negate": false,
"params": {
"query": "Login - Success"
},
- "type": "phrase",
- "index": "filter-index-pattern-1"
+ "type": "phrase"
},
"query": {
"match_phrase": {
@@ -660,6 +668,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -682,22 +691,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Rate of Successful Logins"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 12,
- "i": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8",
- "w": 14,
- "x": 15,
+ "i": "d00429d4-502f-41d8-8a2b-7300859930ea",
+ "w": 15,
+ "x": 0,
"y": 10
},
- "panelIndex": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8",
+ "panelIndex": "d00429d4-502f-41d8-8a2b-7300859930ea",
+ "title": "Rate of Successful Logins",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -724,7 +732,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"4fc38bcd-1242-43bb-a213-0c6fe6e7a26e": {
"columnOrder": [
@@ -738,6 +746,7 @@
"label": "@timestamp",
"operationType": "date_histogram",
"params": {
+ "includeEmptyRows": true,
"interval": "auto"
},
"scale": "interval",
@@ -765,13 +774,13 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "data_stream.dataset",
"negate": false,
"params": {
"query": "auth0.logs"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
@@ -786,13 +795,13 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-1",
"key": "event.category",
"negate": false,
"params": {
"query": "Login - Failure"
},
- "type": "phrase",
- "index": "filter-index-pattern-1"
+ "type": "phrase"
},
"query": {
"match_phrase": {
@@ -821,6 +830,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -839,120 +849,155 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Rate of Failed Logins"
+ "gridData": {
+ "h": 12,
+ "i": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8",
+ "w": 14,
+ "x": 15,
+ "y": 10
+ },
+ "panelIndex": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8",
+ "title": "Rate of Failed Logins",
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "IP Addresses of failed logins",
- "description": "",
- "uiState": {},
- "params": {
- "maxFontSize": 72,
- "minFontSize": 18,
- "orientation": "single",
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "scale": "linear",
- "showLabel": true
- },
- "type": "tagcloud",
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {},
- "schema": "metric",
- "type": "count"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "field": "auth0.logs.data.ip",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
- },
- "schema": "segment",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [
- {
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "data_stream.dataset",
- "negate": false,
- "params": {
- "query": "auth0.logs"
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e62e3521-0ee8-4488-931d-4474a54c10a7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e62e3521-0ee8-4488-931d-4474a54c10a7": {
+ "columnOrder": [
+ "80cab385-f007-47be-80af-a825f0381d20",
+ "9b47063f-6502-47ca-80be-f0b98869fc5e"
+ ],
+ "columns": {
+ "80cab385-f007-47be-80af-a825f0381d20": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "IP Address",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9b47063f-6502-47ca-80be-f0b98869fc5e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "auth0.logs.data.ip"
+ },
+ "9b47063f-6502-47ca-80be-f0b98869fc5e": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
},
- "type": "phrase"
- },
- "query": {
- "match_phrase": {
- "data_stream.dataset": "auth0.logs"
- }
+ "incompleteColumns": {},
+ "sampling": 1
}
- },
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
{
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "key": "event.category",
- "negate": false,
- "params": {
- "query": "Login - Failure"
- },
- "type": "phrase"
- },
- "query": {
- "match_phrase": {
- "event.category": "Login - Failure"
- }
- }
+ "accessors": [
+ "9b47063f-6502-47ca-80be-f0b98869fc5e"
+ ],
+ "layerId": "e62e3521-0ee8-4488-931d-4474a54c10a7",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "80cab385-f007-47be-80af-a825f0381d20"
}
],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
- }
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
}
- }
- }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
- "i": "d6323397-e8a4-4869-ad2b-d48ee5b5a70a",
+ "i": "7f0587d4-ef04-4913-9ccb-cd2c93f470df",
"w": 19,
"x": 29,
"y": 10
},
- "panelIndex": "d6323397-e8a4-4869-ad2b-d48ee5b5a70a",
- "type": "visualization",
- "version": "8.0.0"
+ "panelIndex": "7f0587d4-ef04-4913-9ccb-cd2c93f470df",
+ "title": "IP Addresses of failed logins",
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
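Review bot: The rebuilt "IP Addresses of failed logins" panel ends up with `"filters": []` on the new side, while the removed tagcloud above it carried two phrase filters, `data_stream.dataset: auth0.logs` and `event.category: "Login - Failure"`, so the new Lens bar chart ranks `auth0.logs.data.ip` over every document in the `logs-*` data view rather than over failed Auth0 logins, and the panel title no longer matches what is displayed. The sibling metric panels migrated in this same file ("Number of Failed Logins", "Number of Successful Signups") keep both filters in their Lens `state.filters`, each with its own `index-pattern` entry under `attributes.references` and in the dashboard-level `references` hunk further down, so this looks like an omission in the migration rather than an intended change; the same two filters and their reference entries should be restored here. Secondary: the terms column sets `"otherBucket": true` where the old aggregation had `false`, which adds an "Other" bar to the top-10 list and may be unintended.
```json
"filters": [
  {
    "$state": { "store": "appState" },
    "meta": {
      "alias": null,
      "disabled": false,
      "index": "<PLACEHOLDER-filter-index-ref-0: add a matching index-pattern entry to references>",
      "key": "data_stream.dataset",
      "negate": false,
      "params": { "query": "auth0.logs" },
      "type": "phrase"
    },
    "query": { "match_phrase": { "data_stream.dataset": "auth0.logs" } }
  },
  {
    "$state": { "store": "appState" },
    "meta": {
      "alias": null,
      "disabled": false,
      "index": "<PLACEHOLDER-filter-index-ref-1: add a matching index-pattern entry to references>",
      "key": "event.category",
      "negate": false,
      "params": { "query": "Login - Failure" },
      "type": "phrase"
    },
    "query": { "match_phrase": { "event.category": "Login - Failure" } }
  }
],
"internalReferences": [],
```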
@@ -968,13 +1013,19 @@
"panelIndex": "253f1007-1537-4012-a663-48bccf233f4c",
"panelRefName": "panel_253f1007-1537-4012-a663-48bccf233f4c",
"type": "search",
- "version": "7.15.1"
+ "version": "8.7.1"
}
],
"timeRestore": false,
"title": "Auth0",
"version": 1
},
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-11T05:13:37.961Z",
+ "id": "auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
"references": [
{
"id": "logs-*",
@@ -1008,32 +1059,32 @@
},
{
"id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "5124c723-8890-477e-aad5-bc4fd529bd46:indexpattern-datasource-layer-f4e91fff-3766-4adf-bcbf-f0ceb8ea19fa",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "name": "5124c723-8890-477e-aad5-bc4fd529bd46:3b88d295-b9e0-412b-9bff-d6e5893a485a",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "name": "5124c723-8890-477e-aad5-bc4fd529bd46:335cb626-370d-4e95-9a6c-4f231edeb186",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:indexpattern-datasource-layer-f637aea7-1a8a-4c6f-bea3-83b1910bd16d",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:f5f62b07-86eb-481b-b6b5-308fdf2ee125",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:fefc1a3f-fa1c-455f-9f0e-836cb58b93b4",
"type": "index-pattern"
},
{
@@ -1076,29 +1127,16 @@
"name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:filter-index-pattern-1",
"type": "index-pattern"
},
+ {
+ "id": "logs-*",
+ "name": "7f0587d4-ef04-4913-9ccb-cd2c93f470df:indexpattern-datasource-layer-e62e3521-0ee8-4488-931d-4474a54c10a7",
+ "type": "index-pattern"
+ },
{
"id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf",
"name": "253f1007-1537-4012-a663-48bccf233f4c:panel_253f1007-1537-4012-a663-48bccf233f4c",
"type": "search"
- },
- {
- "type": "index-pattern",
- "name": "d6323397-e8a4-4869-ad2b-d48ee5b5a70a:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "logs-*"
- },
- {
- "type": "index-pattern",
- "name": "d6323397-e8a4-4869-ad2b-d48ee5b5a70a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "id": "logs-*"
- },
- {
- "type": "index-pattern",
- "name": "d6323397-e8a4-4869-ad2b-d48ee5b5a70a:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "id": "logs-*"
}
],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/auth0/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json
index a8e0f8b2f4b..d504b9c6981 100644
--- a/packages/auth0/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json
+++ b/packages/auth0/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json
@@ -40,10 +40,11 @@
"title": "Auth0 logs",
"version": 1
},
- "coreMigrationVersion": "7.15.1",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-11T05:07:28.181Z",
"id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf",
"migrationVersion": {
- "search": "7.9.3"
+ "search": "8.0.0"
},
"references": [
{
diff --git a/packages/auth0/kibana/tags.yml b/packages/auth0/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/auth0/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/auth0/manifest.yml b/packages/auth0/manifest.yml
index 9568b2786e3..e94bab3dab8 100644
--- a/packages/auth0/manifest.yml
+++ b/packages/auth0/manifest.yml
@@ -1,14 +1,15 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: auth0
title: "Auth0"
-version: "1.8.0"
+version: "1.12.0"
description: Collect logs from Auth0 with Elastic Agent.
type: integration
categories:
- security
- iam
conditions:
- kibana.version: ^8.1.0
+ kibana:
+ version: ^8.7.1
screenshots:
- src: /img/auth0-screenshot.png
title: Auth0 Dashboard
@@ -29,3 +30,4 @@ policy_templates:
description: Collecting Auth0 log stream events via Webhooks.
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/aws/_dev/build/docs/apigateway.md b/packages/aws/_dev/build/docs/apigateway.md
index 92b5ea98ccf..241a73692f1 100644
--- a/packages/aws/_dev/build/docs/apigateway.md
+++ b/packages/aws/_dev/build/docs/apigateway.md
@@ -2,7 +2,7 @@
The AWS API Gateway integration allows you to monitor [API Gateway](https://aws.amazon.com/api-gateway/) — a centralized API management service.
-Use the AWS API Gateway integration to collect metrics related to your HTTP, REST or WebSockets APIs. Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference metrics when troubleshooting an issue.
+Use the AWS API Gateway integration to collect metrics and logs related to your HTTP, REST or WebSockets APIs. Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference metrics when troubleshooting an issue.
For example, you could use this integration to examine metrics related to error rates, response codes, and latency. You can pinpoint problematic areas, identify error-prone API endpoints, and troubleshoot performance issues.
@@ -10,7 +10,29 @@ For example, you could use this integration to examine metrics related to error
## Data streams
-The API Gateway integration collects one type of data: metrics.
+The API Gateway integration collects two types of data: metrics and logs.
+
+**Logs** help you keep a record of events happening in Amazon API Gateway.
+Logs collected by the Amazon API Gateway integration include the HTTP method, status code, request details and more.
+
+AWS API Gateway allows you to set up Custom Access Logging to gain deeper insights into the requests and responses through your API by making use of context variables ([HTTP](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging-variables.html), [WebSockets](https://docs.aws.amazon.com/apigateway/latest/developerguide/websocket-api-logging.html)), input, stage and util variables ([REST](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html)).
+
+The Elastic integration for AWS API Gateway supports the following Log Format by API type:
+
+HTTP:
+```{"requestId": "$context.requestId","ip": "$context.identity.sourceIp","requestTime": "$context.requestTime","httpMethod": "$context.httpMethod","routeKey": "$context.routeKey","status": "$context.status","protocol": "$context.protocol","responseLength": "$context.responseLength",apiId": "$context.apiId", "domainName": "$context.domainName", "stage": "$context.stage"}```
+
+REST:
+```{"requestId": "$context.requestId","ip": "$context.identity.sourceIp","caller": "$context.identity.caller","user": "$context.identity.user""requestTime": "$context.requestTime","httpMethod": "$context.httpMethod","resourcePath": "$context.resourcePath","status": "$context.status","protocol": "$context.protocol","responseLength": "$context.responseLength",apiId": "$context.apiId", "domainName": "$context.domainName", "stage": "$context.stage"}```
+
+WebSockets:
+```{"requestId": "$context.requestId","ip": "$context.identity.sourceIp","caller": "$context.identity.caller","user": "$context.identity.user","requestTime": "$context.requestTime","eventType": "$context.eventType","routeKey": "$context.routeKey","status": "$context.status","connectionId": "$context.connectionId", apiId": "$context.apiId", "domainName": "$context.domainName", "stage": "$context.stage"}```
+
+Beyond the standard Log Formats we provide, you can use a wide range of fields for each API type when enabling Custom Access Logging.
+
+To utilize these fields in the integration, create custom pipelines. These pipelines will process field names or values. You'll also need to create a custom mapping to store your data efficiently. For more information on how to do this, check out our [official documentation](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
+
+See more details in the [Logs reference](#logs-reference).
**Metrics** give you insight into the state of API Gateway.
Metrics collected by the AWS API Gateway integration include the number of client and server errors, request and error counts and cache counts.
@@ -43,4 +65,10 @@ For step-by-step instructions on how to set up an integration, see the
{{event "apigateway_metrics"}}
-{{fields "apigateway_metrics"}}
\ No newline at end of file
+{{fields "apigateway_metrics"}}
+
+## Logs reference
+
+{{event "apigateway_logs"}}
+
+{{fields "apigateway_logs"}}
\ No newline at end of file
diff --git a/packages/aws/_dev/build/docs/emr.md b/packages/aws/_dev/build/docs/emr.md
index 831b28f6489..4c88fa8b1d5 100644
--- a/packages/aws/_dev/build/docs/emr.md
+++ b/packages/aws/_dev/build/docs/emr.md
@@ -10,11 +10,14 @@ For example, you could use this data to track Amazon EMR cluster progress and cl
## Data streams
-The Amazon EMR integration collects one type of data: metrics.
+The Amazon EMR integration collects two types of data: metrics and logs.
**Metrics** give you insight into the state of Amazon EMR.
The metrics collected by the Amazon EMR integration include cluster progress, cluster state, cluster or node storage, and more. See more details in the [Metrics reference](#metrics-reference)
+**Logs** help you keep a record of events happening in Amazon EMR.
+Logs collected by the Amazon EMR integration include the cluster status, node status details and more.
+
## Requirements
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
@@ -41,4 +44,10 @@ For step-by-step instructions on how to set up an integration, see the
{{event "emr_metrics"}}
-{{fields "emr_metrics"}}
\ No newline at end of file
+{{fields "emr_metrics"}}
+
+## Logs reference
+
+{{event "emr_logs"}}
+
+{{fields "emr_logs"}}
\ No newline at end of file
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
index 3585a4070df..4127f05d915 100644
--- a/packages/aws/changelog.yml
+++ b/packages/aws/changelog.yml
@@ -1,7 +1,187 @@
# newer versions go on top
+- version: "2.2.1"
+ changes:
+ - description: Fix GuardDuty API call parameter.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7785
+- version: "2.2.0"
+ changes:
+ - description: Add AWS API Gateway metrics dashboard Stage filter, control groups and clean up
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7702
+- version: "2.1.2"
+ changes:
+ - description: Fix AWS API Gateway metrics dashboard
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7675
+- version: "2.1.1"
+ changes:
+ - description: Improve AWS API Gateway dashboard
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7541
+- version: "2.1.0"
+ changes:
+ - description: Enable TSDB by default for EC2 metrics data stream. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7497
+- version: "2.0.0"
+ changes:
+ - description: Remove deprecated option for "Cloudwatch via S3"from the AWS CloudWatch integration. If you are using it take note that logs WON'T BE ingested via this route anymore once you update.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6247
+- version: "1.53.5"
+ changes:
+ - description: Set metric type in EC2 data stream fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7490
+- version: "1.53.4"
+ changes:
+ - description: Add dimension fields to EC2 data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7487
+- version: "1.53.3"
+ changes:
+ - description: Add missing fields definition for ec2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7425
+- version: "1.53.2"
+ changes:
+ - description: Remove the remove processor since rename processor removes old field already.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7331
+- version: "1.53.1"
+ changes:
+ - description: Disable TSDB on AWS Billing.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7435
+- version: "1.53.0"
+ changes:
+ - description: Add AWS API Gateway custom acccess logging fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7151
+- version: "1.52.1"
+ changes:
+ - description: Use default color for AWS dashboards metric charts.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7129
+- version: "1.52.0"
+ changes:
+ - description: Enable TSDB by default for cloudwatch metrics data stream. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7262
+- version: "1.51.1"
+ changes:
+ - description: Use object metric type for the cloudwatch metrics
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7327
+- version: "1.51.0"
+ changes:
+ - description: Add standalone S3 option for vpcflow
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6936
+- version: "1.50.6"
+ changes:
+ - description: Add metric_type metadata to the cloudwatch data_stream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6999
+- version: "1.50.5"
+ changes:
+ - description: Migrate AWS Security Hub dashboards to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6871
+- version: "1.50.4"
+ changes:
+ - description: Migrate AWS VPC dashboard visualizations to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6962
+- version: "1.50.3"
+ changes:
+ - description: Add EMR logs dashboard.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7075
+- version: "1.50.2"
+ changes:
+ - description: Migrate AWS Billing dashboard visualizations to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6644
+- version: "1.50.1"
+ changes:
+ - description: Add AWS API Gateway logs dashboard.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6683
+- version: "1.50.0"
+ changes:
+ - description: Add EMR logs data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6895
+- version: "1.49.0"
+ changes:
+ - description: Add API Gateway logs datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6530
+- version: "1.48.0"
+ changes:
+ - description: Adding missing fields for the CloudTrail datastream - add option for standalone S3 bucket
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6915
+- version: "1.47.1"
+ changes:
+ - description: Migrate AWS Redshift dashboard input controls.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6865
+- version: "1.47.0"
+ changes:
+ - description: Migrate AWS S3 Server Access Log Overview dashboard visualizations to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6487
+- version: "1.46.9"
+ changes:
+ - description: Migrate AWS Network Firewall dashboard input controls.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6995
+- version: "1.46.8"
+ changes:
+ - description: Add dimensions metadata to the cloudwatch data_stream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6827
+- version: "1.46.7"
+ changes:
+ - description: Enable time series data streams for the API Gateway and EMR data streams. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6969
+- version: "1.46.6"
+ changes:
+ - description: Update metric type and set dimension fields for AWS EMR data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6964
+- version: "1.46.5"
+ changes:
+ - description: Fix metric type for API Gateway metric fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6952
+- version: "1.46.4"
+ changes:
+ - description: Set dimensions fields for API Gateway data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6950
+- version: "1.46.3"
+ changes:
+ - description: Add missing S3 fields for vpcflow
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6916
+- version: "1.46.2"
+ changes:
+ - description: Enable time series data streams for the S3 daily storage and S3 request datasets. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6887
+- version: "1.46.1"
+ changes:
+ - description: Enable time series data streams for the Usage dataset. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6886
- version: "1.46.0"
changes:
- - description: Enable time series data streams for the metrics datasets Billing, DynamoDB, EBS, ECS, ELB, Firewall, Kinesis, Lambda, NAT gateway, RDS, Redshift, S3 Storage Lens, SNS, SQS, Transit Gateway and VPN. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html
+ - description: Enable time series data streams for the metrics datasets Billing, DynamoDB, EBS, ECS, ELB, Firewall, Kinesis, Lambda, NAT gateway, RDS, Redshift, S3 Storage Lens, SNS, SQS, Transit Gateway and VPN. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.
type: enhancement
link: https://github.com/elastic/integrations/pull/6782
- version: "1.45.9"
diff --git a/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-http.log b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-http.log
new file mode 100644
index 00000000000..34973d45612
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-http.log
@@ -0,0 +1,5 @@
+{"requestId":"GQIVriFLIAMEMsA=","ip":"1.128.0.0","requestTime":"09/Jun/2023:12:54:08 +0000","httpMethod":"GET","routeKey":"GET /","status":"200","protocol":"HTTP/1.1","responseLength":"47140"}
+{"requestId": "IWeTChtboAMEVUQ=","ip": "1.128.0.0","requestTime": "20/Jul/2023:07:09:32 +0000","httpMethod": "GET","routeKey": "GET /","status": "200","protocol": "HTTP/1.1","responseLength": "51880"}
+{"requestId": "IWvN1jOkoAMEVpg=","ip": "1.128.0.0","requestTime": "20/Jul/2023:09:05:02 +0000","httpMethod": "GET","routeKey": "GET /","status": "200","protocol": "HTTP/1.1","responseLength": "51898"}
+{"requestId":"Iq8dHhlwIAMEV_g=","ip":"1.128.0.0","requestTime":"26/Jul/2023:12:13:33 +0000","httpMethod":"GET","routeKey":"GET /","status":"200","protocol":"HTTP/1.1","responseLength":"51243","stage":"$default","apiId":"1ax3mj7iqf","domainName":"1ax3mj7iqf.execute-api.us-east-1.amazonaws.com"}
+{"requestId":"Iq8dXiijIAMEV8Q=","ip":"1.128.0.0","requestTime":"26/Jul/2023:12:13:34 +0000","httpMethod":"GET","routeKey":"GET /","status":"200","protocol":"HTTP/1.1","responseLength":"51205","stage":"$default","apiId":"1ax3mj7iqf","domainName":"1ax3mj7iqf.execute-api.us-east-1.amazonaws.com"}
\ No newline at end of file
diff --git a/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-http.log-expected.json b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-http.log-expected.json
new file mode 100644
index 00000000000..fabbc92b67a
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-http.log-expected.json
@@ -0,0 +1,125 @@
+{
+ "expected": [
+ {
+ "aws": {
+ "apigateway": {
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "GQIVriFLIAMEMsA=",
+ "request_time": "2023-06-09T12:54:08.000Z",
+ "response_length": 47140,
+ "route_key": "GET /",
+ "status": 200
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\":\"GQIVriFLIAMEMsA=\",\"ip\":\"1.128.0.0\",\"requestTime\":\"09/Jun/2023:12:54:08 +0000\",\"httpMethod\":\"GET\",\"routeKey\":\"GET /\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"47140\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "IWeTChtboAMEVUQ=",
+ "request_time": "2023-07-20T07:09:32.000Z",
+ "response_length": 51880,
+ "route_key": "GET /",
+ "status": 200
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\": \"IWeTChtboAMEVUQ=\",\"ip\": \"1.128.0.0\",\"requestTime\": \"20/Jul/2023:07:09:32 +0000\",\"httpMethod\": \"GET\",\"routeKey\": \"GET /\",\"status\": \"200\",\"protocol\": \"HTTP/1.1\",\"responseLength\": \"51880\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "IWvN1jOkoAMEVpg=",
+ "request_time": "2023-07-20T09:05:02.000Z",
+ "response_length": 51898,
+ "route_key": "GET /",
+ "status": 200
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\": \"IWvN1jOkoAMEVpg=\",\"ip\": \"1.128.0.0\",\"requestTime\": \"20/Jul/2023:09:05:02 +0000\",\"httpMethod\": \"GET\",\"routeKey\": \"GET /\",\"status\": \"200\",\"protocol\": \"HTTP/1.1\",\"responseLength\": \"51898\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "api_id": "1ax3mj7iqf",
+ "domain_name": "1ax3mj7iqf.execute-api.us-east-1.amazonaws.com",
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "Iq8dHhlwIAMEV_g=",
+ "request_time": "2023-07-26T12:13:33.000Z",
+ "response_length": 51243,
+ "route_key": "GET /",
+ "stage": "$default",
+ "status": 200
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\":\"Iq8dHhlwIAMEV_g=\",\"ip\":\"1.128.0.0\",\"requestTime\":\"26/Jul/2023:12:13:33 +0000\",\"httpMethod\":\"GET\",\"routeKey\":\"GET /\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"51243\",\"stage\":\"$default\",\"apiId\":\"1ax3mj7iqf\",\"domainName\":\"1ax3mj7iqf.execute-api.us-east-1.amazonaws.com\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "api_id": "1ax3mj7iqf",
+ "domain_name": "1ax3mj7iqf.execute-api.us-east-1.amazonaws.com",
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "Iq8dXiijIAMEV8Q=",
+ "request_time": "2023-07-26T12:13:34.000Z",
+ "response_length": 51205,
+ "route_key": "GET /",
+ "stage": "$default",
+ "status": 200
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\":\"Iq8dXiijIAMEV8Q=\",\"ip\":\"1.128.0.0\",\"requestTime\":\"26/Jul/2023:12:13:34 +0000\",\"httpMethod\":\"GET\",\"routeKey\":\"GET /\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"51205\",\"stage\":\"$default\",\"apiId\":\"1ax3mj7iqf\",\"domainName\":\"1ax3mj7iqf.execute-api.us-east-1.amazonaws.com\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
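Review bot: Every parsed field in these expected documents lands only under `aws.apigateway.*` (`ip_address`, `http_method`, `status`, `response_length`, `route_key`, `domain_name`) with nothing mirrored into ECS — no `source.ip`, `http.request.method`, `http.response.status_code`, `http.response.bytes`, `url.domain` and no `event.kind`/`event.category`/`event.outcome` — so, if the fixture reflects the full pipeline output, Security Solution rules, the Security overview views and any detection keyed on ECS fields will not see API Gateway traffic, and `ip_address` is a custom field rather than an `ip`-typed `source.ip` that can be geo-enriched or joined against threat intel. `@timestamp` is also absent from every record; that is fine if the CloudWatch input supplies it from the log event, but `request_time` is the authoritative request time and should be the fallback. A minimal pipeline addition would be `- set: { field: source.ip, copy_from: aws.apigateway.ip_address, ignore_empty_value: true }`, `- set: { field: http.response.status_code, copy_from: aws.apigateway.status, ignore_empty_value: true }` and `- set: { field: event.outcome, value: failure, if: "ctx.aws?.apigateway?.status != null && ctx.aws.apigateway.status >= 400" }` (with `success` otherwise), and this fixture should then assert those fields.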
diff --git a/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-rest.log b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-rest.log
new file mode 100644
index 00000000000..a2c6fef1847
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-rest.log
@@ -0,0 +1,5 @@
+{"requestId":"48752d0f-c99d-4cfa-a5a7-f3c6834d19e5","ip":"1.128.0.0","caller":"-","user":"-","requestTime":"10/Jun/2023:15:36:28 +0000","httpMethod":"GET","resourcePath":"/pets","status":"200","protocol":"HTTP/1.1","responseLength":"184"}
+{"requestId": "caa4a500-2651-4476-aa1f-a639b858819b","ip": "1.128.0.0","caller": "-","user": "-","requestTime": "19/Jul/2023:16:15:46 +0000","httpMethod": "GET","resourcePath": "/pets/{petId}","status": "200","protocol": "HTTP/1.1","responseLength": "49"}
+{"requestId": "c5a56ba0-fd42-4425-b7d2-5e8836563270","ip": "1.128.0.0","caller": "-","user": "-","requestTime": "19/Jul/2023:16:15:44 +0000","httpMethod": "GET","resourcePath": "/pets/{petId}","status": "200","protocol": "HTTP/1.1","responseLength": "49"}
+{"requestId":"c12d1542-b79e-4e79-a158-fdf36452a81b","ip":"1.128.0.0","caller":"-","user":"-","requestTime":"26/Jul/2023:12:07:03 +0000","httpMethod":"GET","resourcePath":"/pets/{petId}","status":"200","protocol":"HTTP/1.1","responseLength":"48","stage":"prod","apiId":"asad15n3p0","domainName":"asad15n3p0.execute-api.us-east-1.amazonaws.com"}
+{"requestId":"868ee022-bc3a-4acf-97e7-acb7472b3235","ip":"1.128.0.0","caller":"-","user":"-","requestTime":"26/Jul/2023:12:06:57 +0000","httpMethod":"GET","resourcePath":"/","status":"200","protocol":"HTTP/1.1","responseLength":"1310","stage":"prod","apiId":"asad15n3p0","domainName":"asad15n3p0.execute-api.us-east-1.amazonaws.com"}
\ No newline at end of file
diff --git a/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-rest.log-expected.json b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-rest.log-expected.json
new file mode 100644
index 00000000000..01cb89ce7bb
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-rest.log-expected.json
@@ -0,0 +1,135 @@
+{
+ "expected": [
+ {
+ "aws": {
+ "apigateway": {
+ "caller": "-",
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "48752d0f-c99d-4cfa-a5a7-f3c6834d19e5",
+ "request_time": "2023-06-10T15:36:28.000Z",
+ "resource_path": "/pets",
+ "response_length": 184,
+ "status": 200,
+ "user": "-"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\":\"48752d0f-c99d-4cfa-a5a7-f3c6834d19e5\",\"ip\":\"1.128.0.0\",\"caller\":\"-\",\"user\":\"-\",\"requestTime\":\"10/Jun/2023:15:36:28 +0000\",\"httpMethod\":\"GET\",\"resourcePath\":\"/pets\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"184\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "caller": "-",
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "caa4a500-2651-4476-aa1f-a639b858819b",
+ "request_time": "2023-07-19T16:15:46.000Z",
+ "resource_path": "/pets/{petId}",
+ "response_length": 49,
+ "status": 200,
+ "user": "-"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\": \"caa4a500-2651-4476-aa1f-a639b858819b\",\"ip\": \"1.128.0.0\",\"caller\": \"-\",\"user\": \"-\",\"requestTime\": \"19/Jul/2023:16:15:46 +0000\",\"httpMethod\": \"GET\",\"resourcePath\": \"/pets/{petId}\",\"status\": \"200\",\"protocol\": \"HTTP/1.1\",\"responseLength\": \"49\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "caller": "-",
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "c5a56ba0-fd42-4425-b7d2-5e8836563270",
+ "request_time": "2023-07-19T16:15:44.000Z",
+ "resource_path": "/pets/{petId}",
+ "response_length": 49,
+ "status": 200,
+ "user": "-"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\": \"c5a56ba0-fd42-4425-b7d2-5e8836563270\",\"ip\": \"1.128.0.0\",\"caller\": \"-\",\"user\": \"-\",\"requestTime\": \"19/Jul/2023:16:15:44 +0000\",\"httpMethod\": \"GET\",\"resourcePath\": \"/pets/{petId}\",\"status\": \"200\",\"protocol\": \"HTTP/1.1\",\"responseLength\": \"49\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "api_id": "asad15n3p0",
+ "caller": "-",
+ "domain_name": "asad15n3p0.execute-api.us-east-1.amazonaws.com",
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "c12d1542-b79e-4e79-a158-fdf36452a81b",
+ "request_time": "2023-07-26T12:07:03.000Z",
+ "resource_path": "/pets/{petId}",
+ "response_length": 48,
+ "stage": "prod",
+ "status": 200,
+ "user": "-"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\":\"c12d1542-b79e-4e79-a158-fdf36452a81b\",\"ip\":\"1.128.0.0\",\"caller\":\"-\",\"user\":\"-\",\"requestTime\":\"26/Jul/2023:12:07:03 +0000\",\"httpMethod\":\"GET\",\"resourcePath\":\"/pets/{petId}\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"48\",\"stage\":\"prod\",\"apiId\":\"asad15n3p0\",\"domainName\":\"asad15n3p0.execute-api.us-east-1.amazonaws.com\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "api_id": "asad15n3p0",
+ "caller": "-",
+ "domain_name": "asad15n3p0.execute-api.us-east-1.amazonaws.com",
+ "http_method": "GET",
+ "ip_address": "1.128.0.0",
+ "protocol": "HTTP/1.1",
+ "request_id": "868ee022-bc3a-4acf-97e7-acb7472b3235",
+ "request_time": "2023-07-26T12:06:57.000Z",
+ "resource_path": "/",
+ "response_length": 1310,
+ "stage": "prod",
+ "status": 200,
+ "user": "-"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\":\"868ee022-bc3a-4acf-97e7-acb7472b3235\",\"ip\":\"1.128.0.0\",\"caller\":\"-\",\"user\":\"-\",\"requestTime\":\"26/Jul/2023:12:06:57 +0000\",\"httpMethod\":\"GET\",\"resourcePath\":\"/\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"1310\",\"stage\":\"prod\",\"apiId\":\"asad15n3p0\",\"domainName\":\"asad15n3p0.execute-api.us-east-1.amazonaws.com\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-websocket.log b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-websocket.log
new file mode 100644
index 00000000000..f74976184de
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-websocket.log
@@ -0,0 +1,4 @@
+{"requestId": "REDACTED","ip": "1.128.0.0","caller": "-","user": "-","requestTime": "25/Jul/2023:16:26:02 +0000","eventType": "CONNECT","routeKey": "$connect","status": "500","connectionId": "REDACTED"}
+{"requestId": "177a5660-9b20-4614-b620-51dd4d56fb4c","ip": "1.128.0.0","caller": "-","user": "-","requestTime": "19/Jul/2023:16:17:17 +0000","eventType": "-","routeKey": "-","status": "403","connectionId": "-"}
+{"requestId":"Iq9gwFDNoAMFo1A=","ip":"1.128.0.0","caller":"-","user":"-","requestTime":"26/Jul/2023:12:20:46 +0000","eventType":"CONNECT","routeKey":"$connect","status":"500","connectionId":"Iq8gj1UmIAMCKpA=","apiId":"z1ctxygne5","stage":"production","domainName":"z1ctxygne5.execute-api.us-east-1.amazonaws.com"}
+{"requestId":"Iq9gjE_aIAMFZTg=","ip":"1.128.0.0","caller":"-","user":"-","requestTime":"26/Jul/2023:12:20:44 +0000","eventType":"CONNECT","routeKey":"$connect","status":"500","connectionId":"Iq8gj1UmIAMCKpA=","apiId":"z1ctxygne5","stage":"production","domainName":"z1ctxygne5.execute-api.us-east-1.amazonaws.com"}
\ No newline at end of file
diff --git a/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-websocket.log-expected.json b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-websocket.log-expected.json
new file mode 100644
index 00000000000..ba720fad1b2
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-apigateway-websocket.log-expected.json
@@ -0,0 +1,106 @@
+{
+ "expected": [
+ {
+ "aws": {
+ "apigateway": {
+ "caller": "-",
+ "connection_id": "REDACTED",
+ "event_type": "CONNECT",
+ "ip_address": "1.128.0.0",
+ "request_id": "REDACTED",
+ "request_time": "2023-07-25T16:26:02.000Z",
+ "route_key": "$connect",
+ "status": 500,
+ "user": "-"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\": \"REDACTED\",\"ip\": \"1.128.0.0\",\"caller\": \"-\",\"user\": \"-\",\"requestTime\": \"25/Jul/2023:16:26:02 +0000\",\"eventType\": \"CONNECT\",\"routeKey\": \"$connect\",\"status\": \"500\",\"connectionId\": \"REDACTED\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "caller": "-",
+ "connection_id": "-",
+ "event_type": "-",
+ "ip_address": "1.128.0.0",
+ "request_id": "177a5660-9b20-4614-b620-51dd4d56fb4c",
+ "request_time": "2023-07-19T16:17:17.000Z",
+ "route_key": "-",
+ "status": 403,
+ "user": "-"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\": \"177a5660-9b20-4614-b620-51dd4d56fb4c\",\"ip\": \"1.128.0.0\",\"caller\": \"-\",\"user\": \"-\",\"requestTime\": \"19/Jul/2023:16:17:17 +0000\",\"eventType\": \"-\",\"routeKey\": \"-\",\"status\": \"403\",\"connectionId\": \"-\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "api_id": "z1ctxygne5",
+ "caller": "-",
+ "connection_id": "Iq8gj1UmIAMCKpA=",
+ "domain_name": "z1ctxygne5.execute-api.us-east-1.amazonaws.com",
+ "event_type": "CONNECT",
+ "ip_address": "1.128.0.0",
+ "request_id": "Iq9gwFDNoAMFo1A=",
+ "request_time": "2023-07-26T12:20:46.000Z",
+ "route_key": "$connect",
+ "stage": "production",
+ "status": 500,
+ "user": "-"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\":\"Iq9gwFDNoAMFo1A=\",\"ip\":\"1.128.0.0\",\"caller\":\"-\",\"user\":\"-\",\"requestTime\":\"26/Jul/2023:12:20:46 +0000\",\"eventType\":\"CONNECT\",\"routeKey\":\"$connect\",\"status\":\"500\",\"connectionId\":\"Iq8gj1UmIAMCKpA=\",\"apiId\":\"z1ctxygne5\",\"stage\":\"production\",\"domainName\":\"z1ctxygne5.execute-api.us-east-1.amazonaws.com\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "aws": {
+ "apigateway": {
+ "api_id": "z1ctxygne5",
+ "caller": "-",
+ "connection_id": "Iq8gj1UmIAMCKpA=",
+ "domain_name": "z1ctxygne5.execute-api.us-east-1.amazonaws.com",
+ "event_type": "CONNECT",
+ "ip_address": "1.128.0.0",
+ "request_id": "Iq9gjE_aIAMFZTg=",
+ "request_time": "2023-07-26T12:20:44.000Z",
+ "route_key": "$connect",
+ "stage": "production",
+ "status": 500,
+ "user": "-"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "{\"requestId\":\"Iq9gjE_aIAMFZTg=\",\"ip\":\"1.128.0.0\",\"caller\":\"-\",\"user\":\"-\",\"requestTime\":\"26/Jul/2023:12:20:44 +0000\",\"eventType\":\"CONNECT\",\"routeKey\":\"$connect\",\"status\":\"500\",\"connectionId\":\"Iq8gj1UmIAMCKpA=\",\"apiId\":\"z1ctxygne5\",\"stage\":\"production\",\"domainName\":\"z1ctxygne5.execute-api.us-east-1.amazonaws.com\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
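Review bot: The `-` placeholders that API Gateway emits for an absent value are indexed verbatim here — `"caller": "-"`, `"user": "-"` in every record, and `"event_type": "-"`, `"route_key": "-"`, `"connection_id": "-"` in the second one — so a terms aggregation on `aws.apigateway.user` will report `-` as the most active principal and a rule cannot distinguish "no identity" from an identity literally named `-`. The pipeline should drop these fields when the value is the placeholder, e.g. `- remove: { field: aws.apigateway.user, if: "ctx.aws?.apigateway?.user == '-'", ignore_missing: true }` (repeated for `caller`, `connection_id`, `event_type` and `route_key`, or via one `foreach`/script), and the expected output here should omit them. The second record (status 403, all placeholders) presumably is a rejected `$connect` before a connection or route was assigned, which is exactly the kind of event a detection would want to key on once the placeholders are gone — worth confirming against AWS's WebSocket logging variables.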
diff --git a/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-common-config.yml b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/aws/data_stream/apigateway_logs/agent/stream/aws-cloudwatch.yml.hbs b/packages/aws/data_stream/apigateway_logs/agent/stream/aws-cloudwatch.yml.hbs
new file mode 100644
index 00000000000..934f97a44c3
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/agent/stream/aws-cloudwatch.yml.hbs
@@ -0,0 +1,100 @@
+{{#unless log_group_name}}
+{{#unless log_group_name_prefix}}
+{{#if log_group_arn }}
+log_group_arn: {{ log_group_arn }}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+{{#unless log_group_arn}}
+{{#unless log_group_name}}
+{{#if log_group_name_prefix }}
+log_group_name_prefix: {{ log_group_name_prefix }}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+{{#unless log_group_arn}}
+{{#unless log_group_name_prefix}}
+{{#if log_group_name }}
+log_group_name: {{ log_group_name }}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+{{#unless log_group_arn}}
+region_name: {{ region_name }}
+{{/unless}}
+
+{{#unless log_stream_prefix}}
+{{#if log_streams }}
+log_streams: {{ log_streams }}
+{{/if}}
+{{/unless}}
+
+{{#unless log_streams}}
+{{#if log_stream_prefix }}
+log_stream_prefix: {{ log_stream_prefix }}
+{{/if}}
+{{/unless}}
+
+{{#if start_position }}
+start_position: {{ start_position }}
+{{/if}}
+
+{{#if scan_frequency }}
+scan_frequency: {{ scan_frequency }}
+{{/if}}
+
+{{#if api_sleep }}
+api_sleep: {{ api_sleep }}
+{{/if}}
+
+{{#if latency }}
+latency: {{ latency }}
+{{/if}}
+{{#if number_of_workers }}
+number_of_workers: {{ number_of_workers }}
+{{/if}}
+
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if default_region}}
+default_region: {{default_region}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
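Review bot: The `{{#if api_timeout}}` block near the end of this template never receives a value from this data stream's own configuration, because the CloudWatch stream in the manifest hunk later in this commit declares the variable as `api_timeput` (the one carrying `default: 120s`), so the intended default is silently dropped and the input falls back to whatever built-in timeout it has. The fix is a one-word rename in the manifest, `- name: api_timeout`, and a pipeline/system test that sets the value would have caught the mismatch. Separately, `region_name: {{ region_name }}` is emitted unconditionally whenever `log_group_arn` is unset, so a policy using `log_group_name_prefix` without a region renders an empty `region_name:` key; wrapping it as `{{#if region_name}}` like the neighbouring options keeps the rendered input free of null keys, though the input would presumably still reject the missing region either way.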
diff --git a/packages/aws/data_stream/apigateway_logs/agent/stream/aws-s3.yml.hbs b/packages/aws/data_stream/apigateway_logs/agent/stream/aws-s3.yml.hbs
new file mode 100644
index 00000000000..dfdf91c9e58
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,72 @@
+{{#if collect_s3_logs}}
+
+{{#if bucket_arn}}
+bucket_arn: {{bucket_arn}}
+{{/if}}
+{{#if number_of_workers}}
+number_of_workers: {{number_of_workers}}
+{{/if}}
+{{#if interval}}
+bucket_list_interval: {{interval}}
+{{/if}}
+{{#if bucket_list_prefix}}
+bucket_list_prefix: {{bucket_list_prefix}}
+{{/if}}
+
+{{else}}
+
+{{#if queue_url}}
+queue_url: {{queue_url}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
+
+{{/if}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if default_region}}
+default_region: {{default_region}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if fips_enabled}}
+fips_enabled: {{fips_enabled}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/aws/data_stream/apigateway_logs/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/apigateway_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..18b911d11cc
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,98 @@
+---
+description: "Pipeline for API Gateway logs in CloudWatch"
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: 'ctx.event?.original == null'
+ description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.'
+ - remove:
+ field: message
+ ignore_missing: true
+ if: 'ctx.event?.original != null'
+ description: 'The `message` field is no longer required if the document has an `event.original` field.'
+ - json:
+ field: event.original
+ target_field: aws.apigateway
+ ignore_failure: true
+ - rename:
+ field: aws.apigateway.requestId
+ target_field: aws.apigateway.request_id
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.responseLength
+ target_field: aws.apigateway.response_length
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.requestTime
+ target_field: aws.apigateway.request_time
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.httpMethod
+ target_field: aws.apigateway.http_method
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.routeKey
+ target_field: aws.apigateway.route_key
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.ip
+ target_field: aws.apigateway.ip_address
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.resourcePath
+ target_field: aws.apigateway.resource_path
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.connectionId
+ target_field: aws.apigateway.connection_id
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.eventType
+ target_field: aws.apigateway.event_type
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.apiId
+ target_field: aws.apigateway.api_id
+ ignore_missing: true
+ - rename:
+ field: aws.apigateway.domainName
+ target_field: aws.apigateway.domain_name
+ ignore_missing: true
+ - grok:
+ field: aws.apigateway.ip_address
+ patterns:
+ - '%{IPORHOST:aws.apigateway.ip_address}'
+ ignore_failure: true
+ - convert:
+ field: aws.apigateway.ip_address
+ type: ip
+ ignore_missing: true
+ - convert:
+ field: aws.apigateway.response_length
+ type: long
+ ignore_missing: true
+ - convert:
+ field: aws.apigateway.status
+ type: long
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - date:
+ field: aws.apigateway.request_time
+ target_field: "aws.apigateway.request_time"
+ formats:
+ - dd/MMM/yyyy:H:m:s Z
+ ignore_failure: true
+on_failure:
+ - set:
+ field: 'error.message'
+ value: '{{ _ingest.on_failure_message }}'
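Review bot: A log line that is not valid JSON is silently discarded by this pipeline: the `json` processor runs with `ignore_failure: true`, so nothing records the parse failure, and the later `remove` of `event.original` then drops the only copy of the payload unless the `preserve_original_event` tag is set, leaving a document with no content and no `error.message`. Replacing `ignore_failure: true` on the `json` processor with `on_failure: [{ append: { field: error.message, value: '{{{ _ingest.on_failure_message }}}' } }]` keeps the failure visible, and guarding the `remove` with `&& ctx.error?.message == null` keeps the original around for triage of malformed input. None of the parsed values are mapped to ECS (`source.ip` from `aws.apigateway.ip_address`, `http.request.method`, `http.response.status_code`, `url.path`), which limits reuse of existing detection rules and dashboards against this data stream; if that is deliberate, a comment under `description:` saying so would save the next reviewer the question.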
diff --git a/packages/aws/data_stream/apigateway_logs/fields/agent.yml b/packages/aws/data_stream/apigateway_logs/fields/agent.yml
new file mode 100644
index 00000000000..13e13903cc4
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/fields/agent.yml
@@ -0,0 +1,35 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/aws/data_stream/apigateway_logs/fields/base-fields.yml b/packages/aws/data_stream/apigateway_logs/fields/base-fields.yml
new file mode 100644
index 00000000000..258138e694e
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.apigateway_logs
diff --git a/packages/aws/data_stream/apigateway_logs/fields/ecs.yml b/packages/aws/data_stream/apigateway_logs/fields/ecs.yml
new file mode 100644
index 00000000000..89d1713b818
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/fields/ecs.yml
@@ -0,0 +1,58 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: message
+- external: ecs
+ name: tags
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.instance.name
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: cloud.project.id
+- external: ecs
+ name: container.id
+- external: ecs
+ name: container.image.name
+- external: ecs
+ name: container.labels
+- external: ecs
+ name: container.name
diff --git a/packages/aws/data_stream/apigateway_logs/fields/fields.yml b/packages/aws/data_stream/apigateway_logs/fields/fields.yml
new file mode 100644
index 00000000000..26557e30116
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/fields/fields.yml
@@ -0,0 +1,86 @@
+- name: aws.s3
+ type: group
+ fields:
+ - name: bucket.name
+ type: keyword
+ description: |
+ Name of a S3 bucket.
+ - name: bucket.arn
+ type: keyword
+ description: |
+ ARN of the S3 bucket that this log retrieved from.
+ - name: object.key
+ type: keyword
+ description: |
+ Name of the S3 object that this log retrieved from.
+ - name: metadata
+ type: flattened
+ description: |
+ AWS S3 object metadata values.
+- name: aws.apigateway
+ type: group
+ fields:
+ - name: ip_address
+ type: ip
+ description: |
+ The internet address of the requester.
+ - name: request_id
+ type: keyword
+ description: |
+ An ID for the request. Clients can override this request ID.
+ - name: http_method
+ type: keyword
+ description: |
+ The HTTP method used. Valid values include: DELETE, GET, HEAD, OPTIONS, PATCH, POST, and PUT.
+ - name: protocol
+ type: keyword
+ description: |
+ API Gateway APIs can accept HTTP/2 requests, but API Gateway sends requests to backend integrations using HTTP/1.1.
+ - name: request_time
+ type: date
+ description: |
+ The CLF-formatted request time (dd/MMM/yyyy:HH:mm:ss +-hhmm).
+ - name: response_length
+ type: long
+ description: |
+ The response payload length in bytes.
+ - name: route_key
+ type: keyword
+ description: |
+ The selected route key.
+ - name: status
+ type: long
+ description: |
+ The response status.
+ - name: caller
+ type: keyword
+ description: |
+ The principal identifier of the caller making the request.
+ - name: user
+ type: keyword
+ description: |
+ The principal identifier of the user making the request.
+ - name: resource_path
+ type: keyword
+ description: |
+ The path to your resource.
+ - name: connection_id
+ type: keyword
+ description: |
+ A unique ID for the connection that can be used to make a callback to the client.
+ - name: event_type
+ type: keyword
+ description: |
+ The event type: CONNECT, MESSAGE, or DISCONNECT.
+ - name: api_id
+ type: keyword
+ description: |
+ The identifier API Gateway assigns to your API.
+ - name: domain_name
+ type: keyword
+ description: |
+ The full domain name used to invoke the API.
+ - name: stage
+ type: keyword
+ description: |
+ The deployment stage of the API call (for example, beta or prod).
\ No newline at end of file
diff --git a/packages/aws/data_stream/apigateway_logs/manifest.yml b/packages/aws/data_stream/apigateway_logs/manifest.yml
new file mode 100644
index 00000000000..9a46702de0d
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/manifest.yml
@@ -0,0 +1,227 @@
+title: AWS API Gateway logs
+type: logs
+streams:
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
+ title: AWS API Gateway Logs via S3
+ description: Collect AWS API Gateway logs using S3 input
+ enabled: false
+ vars:
+ - name: collect_s3_logs
+ required: true
+ show_user: true
+ title: Collect logs via S3 Bucket
+ description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue.
+ type: bool
+ multi: false
+ default: false
+ - name: bucket_arn
+ type: text
+ title: "[S3] Bucket ARN"
+ multi: false
+ required: false
+ show_user: true
+ description: Mandatory if the "Collect logs via S3 Bucket" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket.
+ - name: queue_url
+ type: text
+ title: "[SQS] Queue URL"
+ multi: false
+ required: false
+ show_user: true
+ description: Mandatory if the "Collect logs via S3 Bucket" switch is off. URL of the AWS SQS queue that messages will be received from.
+ - name: bucket_list_prefix
+ type: text
+ title: "[S3] Bucket Prefix"
+ multi: false
+ required: false
+ show_user: false
+ description: Prefix to apply for the list request to the S3 bucket.
+ - name: interval
+ type: text
+ title: "[S3] Interval"
+ multi: false
+ required: false
+ show_user: false
+ default: 1m
+ description: "Time interval for polling listing of the S3 bucket. NOTE: Supported units for this parameter are h/m/s."
+ - name: number_of_workers
+ type: integer
+ title: "[S3] Number of Workers"
+ multi: false
+ required: false
+ show_user: false
+ default: 5
+ description: Number of workers that will process the S3 objects listed.
+ - name: visibility_timeout
+ type: text
+ title: "[SQS] Visibility Timeout"
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: "[SQS] API Timeout"
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
+ - name: max_number_of_messages
+ type: integer
+ title: "[SQS] Maximum Concurrent SQS Messages"
+ description: The maximum number of SQS messages that can be inflight at any time.
+ default: 5
+ required: false
+ show_user: false
+ - name: fips_enabled
+ type: bool
+ title: Enable S3 FIPS
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-apigateway-logs
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - input: aws-cloudwatch
+ template_path: aws-cloudwatch.yml.hbs
+ title: AWS API Gateway Logs via CloudWatch
+ description: Collect AWS API Gateway logs using CloudWatch input.
+ vars:
+ - name: log_group_arn
+ type: text
+ title: Log Group ARN
+ multi: false
+ required: false
+ show_user: true
+ description: ARN of the log group to collect logs from.
+ - name: log_group_name
+ type: text
+ title: Log Group Name
+ multi: false
+ required: false
+ show_user: false
+ description: Name of the log group to collect logs from. `region_name` is required when `log_group_name` is given.
+ - name: log_group_name_prefix
+ type: text
+ title: Log Group Name Prefix
+ multi: false
+ required: false
+ show_user: false
+ description: The prefix for a group of log group names. `region_name` is required when `log_group_name_prefix` is given. `log_group_name` and `log_group_name_prefix` cannot be given at the same time.
+ - name: region_name
+ type: text
+ title: Region Name
+ multi: false
+ required: false
+ show_user: false
+ description: Region that the specified log group or log group prefix belongs to.
+ - name: log_streams
+ type: text
+ title: Log Streams
+ multi: true
+ required: false
+ show_user: false
+ description: A list of strings of log streams names that Filebeat collect log events from.
+ - name: log_stream_prefix
+ type: text
+ title: Log Stream Prefix
+ multi: false
+ required: false
+ show_user: false
+ description: A string to filter the results to include only log events from log streams that have names starting with this prefix.
+ - name: start_position
+ type: text
+ title: Start Position
+ multi: false
+ required: false
+ default: beginning
+ show_user: true
+ description: Allows user to specify if this input should read log files from the beginning or from the end.
+ - name: scan_frequency
+ type: text
+ title: Scan Frequency
+ multi: false
+ required: false
+ show_user: false
+ default: 1m
+ description: This config parameter sets how often Filebeat checks for new log events from the specified log group.
+ - name: api_timeput
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 120s
+ description: The maximum duration of AWS API can take. If it exceeds the timeout, AWS API will be interrupted.
+ - name: api_sleep
+ type: text
+ title: API Sleep
+ multi: false
+ required: false
+ show_user: false
+ default: 200ms
+ description: This is used to sleep between AWS FilterLogEvents API calls inside the same collection period. `FilterLogEvents` API has a quota of 5 transactions per second (TPS)/account/Region. This value should only be adjusted when there are multiple Filebeats or multiple Filebeat inputs collecting logs from the same region and AWS account.
+ - name: latency
+ type: text
+ title: Latency
+ multi: false
+ required: false
+ show_user: false
+ description: "The amount of time required for the logs to be available to CloudWatch Logs. Sample values, `1m` or `5m` — see Golang [time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more details. Latency translates the query's time range to consider the CloudWatch Logs latency. Example: `5m` means that the integration will query CloudWatch to search for logs available 5 minutes ago."
+ - name: number_of_workers
+ type: integer
+ title: Number of workers
+ required: false
+ show_user: false
+ description: The number of workers assigned to reading from log groups. Each worker will read log events from one of the log groups matching `log_group_name_prefix`. For example, if `log_group_name_prefix` matches five log groups, then `number_of_workers` should be set to `5`. The default value is `1`.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-apigateway-logs
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
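Review bot: Neither `bucket_arn` nor `queue_url` is `required`, so the manifest no longer guarantees that a policy contains a source at all; with the toggle off and `queue_url` left empty, the `aws-s3.yml.hbs` template renders an input with neither key and the failure presumably only surfaces in the agent logs. Fleet cannot express "required when the toggle is off", so the descriptions are the right place for it, but they should state the consequence, e.g. `description: Mandatory if the "Collect logs via S3 Bucket" switch is off; the input cannot start without it. URL of the AWS SQS queue that messages will be received from.` The same applies to the cloudtrail manifest hunk later in this commit, where `queue_url` is changed from `required: true` to `required: false`. The CloudWatch stream also declares `api_timeput` instead of `api_timeout`, which the template's `{{#if api_timeout}}` guard will never see.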
diff --git a/packages/aws/data_stream/apigateway_logs/sample_event.json b/packages/aws/data_stream/apigateway_logs/sample_event.json
new file mode 100644
index 00000000000..99e20527650
--- /dev/null
+++ b/packages/aws/data_stream/apigateway_logs/sample_event.json
@@ -0,0 +1,24 @@
+{
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.apigateway_logs"
+ },
+ "@timestamp": "2020-02-20T07:01:01.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "ingested": "2021-07-19T21:47:04.871450600Z",
+ "original": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root."
+ },
+ "aws": {
+ "apigateway": {
+ "ip_address": "172.31.81.156"
+ }
+ },
+ "message": "Stopping User Slice of root.",
+ "tags": [
+ "preserve_original_event"
+ ]
+}
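Review bot: The sample event does not reflect what this data stream's pipeline produces: `event.original` holds a systemd journal line ("Stopping User Slice of root.") with a 2020 timestamp, a top-level `message` survives even though the pipeline removes it once `event.original` exists, and `aws.apigateway` carries only `ip_address` while the pipeline populates `request_id`, `event_type`, `status`, `route_key` and the other fields shown in the pipeline test expectations earlier in this commit. This file is presumably what the package README's sample-event section is generated from, so readers will get a misleading picture of the dataset. Regenerating it from a real API Gateway access-log record (the CONNECT event in the pipeline test is a good candidate) would make it agree with `fields/fields.yml`.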
\ No newline at end of file
diff --git a/packages/aws/data_stream/apigateway_metrics/fields/ecs.yml b/packages/aws/data_stream/apigateway_metrics/fields/ecs.yml
index 20f154e37bd..8e6c369edfc 100644
--- a/packages/aws/data_stream/apigateway_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/apigateway_metrics/fields/ecs.yml
@@ -2,6 +2,7 @@
name: cloud
- external: ecs
name: cloud.account.id
+ dimension: true
- external: ecs
name: cloud.account.name
- external: ecs
@@ -14,6 +15,7 @@
name: cloud.provider
- external: ecs
name: cloud.region
+ dimension: true
- external: ecs
name: ecs.version
- external: ecs
@@ -60,3 +62,6 @@
name: container.labels
- external: ecs
name: container.name
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/aws/data_stream/apigateway_metrics/fields/fields.yml b/packages/aws/data_stream/apigateway_metrics/fields/fields.yml
index 680d3e6b685..225cd9522ab 100644
--- a/packages/aws/data_stream/apigateway_metrics/fields/fields.yml
+++ b/packages/aws/data_stream/apigateway_metrics/fields/fields.yml
@@ -10,23 +10,23 @@
- name: 4XXError.sum
type: long
description: The number of client-side errors captured in a given period.
- metric_type: counter
+ metric_type: gauge
- name: 4xx.sum
type: long
description: The number of client-side errors captured in a given period.
- metric_type: counter
+ metric_type: gauge
- name: 5XXError.sum
type: long
description: The number of server-side errors captured in a given period.
- metric_type: counter
+ metric_type: gauge
- name: 5xx.sum
type: long
description: The number of server-side errors captured in a given period.
- metric_type: counter
+ metric_type: gauge
- name: Count.sum
type: long
description: The total number API requests in a given period.
- metric_type: counter
+ metric_type: gauge
- name: IntegrationLatency.avg
type: long
description: The time between when API Gateway relays a request to the backend and when it receives a response from the backend.
@@ -45,55 +45,61 @@
- name: CacheHitCount.sum
type: long
description: The number of requests served from the API cache in a given period.
- metric_type: counter
+ metric_type: gauge
- name: CacheMissCount.sum
type: long
description: The number of requests served from the backend in a given period, when API caching is enabled.
- metric_type: counter
+ metric_type: gauge
- name: Count.sum
type: long
description: The total number of API requests in a given period.
- metric_type: counter
+ metric_type: gauge
- name: ConnectCount.sum
type: long
description: The number of messages sent to the connect route integration.
- metric_type: counter
+ metric_type: gauge
- name: MessageCount.sum
type: long
description: The number of messages sent to the WebSocket API, either from or to the client.
- metric_type: counter
+ metric_type: gauge
- name: IntegrationError.sum
type: long
description: The number of requests that return a 4XX/5XX response from the integration.
- metric_type: counter
+ metric_type: gauge
- name: ClientError.sum
type: long
description: The number of requests that have a 4XX response returned by API Gateway before the integration is invoked.
- metric_type: counter
+ metric_type: gauge
- name: ExecutionError.sum
type: long
description: Errors that occurred when calling the integration.
- metric_type: counter
+ metric_type: gauge
- name: dimensions
type: group
fields:
- name: ApiId
type: keyword
+ dimension: true
description: Each API created in API Gateway is assigned a unique ApiId, which is used to distinguish and reference that specific API within the system.
- name: Stage
type: keyword
+ dimension: true
description: It represents a specific version of the API that is accessible to clients. A stage allows you to manage different environments or versions of your API, such as development, testing, and production.
- name: Route
type: keyword
+ dimension: true
description: Routes define the path and HTTP methods that clients can use to access different functionalities of the API.
- name: ApiName
type: keyword
+ dimension: true
description: It represents a human-readable name that helps identify and differentiate the API within the API Gateway service.
- name: Method
type: keyword
+ dimension: true
description: It represents the HTTP method which defines the action that can be performed on a resource, such as retrieving, creating, updating, or deleting data.
- name: Resource
type: keyword
+ dimension: true
description: It represents an endpoint within the API that corresponds to a specific functionality, typically associated with a URL path segment.
- name: cloudwatch
type: group
diff --git a/packages/aws/data_stream/apigateway_metrics/manifest.yml b/packages/aws/data_stream/apigateway_metrics/manifest.yml
index 349ed1ee8c2..73dda6a92ba 100644
--- a/packages/aws/data_stream/apigateway_metrics/manifest.yml
+++ b/packages/aws/data_stream/apigateway_metrics/manifest.yml
@@ -1,5 +1,7 @@
title: AWS API Gateway metrics
type: metrics
+elasticsearch:
+ index_mode: "time_series"
streams:
- input: aws/metrics
vars:
diff --git a/packages/aws/data_stream/billing/manifest.yml b/packages/aws/data_stream/billing/manifest.yml
index 4684f7d3c85..0dd00eb98f8 100644
--- a/packages/aws/data_stream/billing/manifest.yml
+++ b/packages/aws/data_stream/billing/manifest.yml
@@ -1,7 +1,5 @@
title: AWS Billing Metrics
type: metrics
-elasticsearch:
- index_mode: "time_series"
streams:
- input: aws/metrics
vars:
diff --git a/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs b/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs
index 39d17cc88ef..b54c36bb530 100644
--- a/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs
+++ b/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs
@@ -1,4 +1,35 @@
+{{#if collect_s3_logs}}
+
+{{#if bucket_arn}}
+bucket_arn: {{bucket_arn}}
+{{/if}}
+{{#if number_of_workers}}
+number_of_workers: {{number_of_workers}}
+{{/if}}
+{{#if interval}}
+bucket_list_interval: {{interval}}
+{{/if}}
+{{#if bucket_list_prefix}}
+bucket_list_prefix: {{bucket_list_prefix}}
+{{/if}}
+
+{{else}}
+
+{{#if queue_url}}
queue_url: {{queue_url}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
+
+{{/if}}
+
file_selectors:
{{#if cloudtrail_regex}}
- regex: {{cloudtrail_regex}}
@@ -18,15 +49,8 @@ credential_profile_name: {{credential_profile_name}}
{{#if shared_credential_file}}
shared_credential_file: {{shared_credential_file}}
{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
+
+
{{#if default_region}}
default_region: {{default_region}}
{{/if}}
diff --git a/packages/aws/data_stream/cloudtrail/fields/fields.yml b/packages/aws/data_stream/cloudtrail/fields/fields.yml
index 5b59153c9bf..68fbc0ee8ce 100644
--- a/packages/aws/data_stream/cloudtrail/fields/fields.yml
+++ b/packages/aws/data_stream/cloudtrail/fields/fields.yml
@@ -1,3 +1,22 @@
+- name: aws.s3
+ type: group
+ fields:
+ - name: bucket.name
+ type: keyword
+ description: |
+ Name of a S3 bucket.
+ - name: bucket.arn
+ type: keyword
+ description: |
+ ARN of the S3 bucket that this log retrieved from.
+ - name: object.key
+ type: keyword
+ description: |
+ Name of the S3 object that this log retrieved from.
+ - name: metadata
+ type: flattened
+ description: |
+ AWS S3 object metadata values.
- name: aws.cloudtrail
type: group
fields:
diff --git a/packages/aws/data_stream/cloudtrail/manifest.yml b/packages/aws/data_stream/cloudtrail/manifest.yml
index e6bd6a284ec..132031cfece 100644
--- a/packages/aws/data_stream/cloudtrail/manifest.yml
+++ b/packages/aws/data_stream/cloudtrail/manifest.yml
@@ -6,27 +6,65 @@ streams:
title: AWS CloudTrail Logs
description: Collect AWS CloudTrail logs using s3 input
vars:
+ - name: collect_s3_logs
+ required: true
+ show_user: true
+ title: Collect logs via S3 Bucket
+ description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue.
+ type: bool
+ multi: false
+ default: false
+ - name: bucket_arn
+ type: text
+ title: "[S3] Bucket ARN"
+ multi: false
+ required: false
+ show_user: true
+ description: Mandatory if the "Collect logs via S3 Bucket" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket.
+ - name: queue_url
+ type: text
+ title: "[SQS] Queue URL"
+ multi: false
+ required: false
+ show_user: true
+ description: Mandatory if the "Collect logs via S3 Bucket" switch is off. URL of the AWS SQS queue that messages will be received from.
+ - name: bucket_list_prefix
+ type: text
+ title: "[S3] Bucket Prefix"
+ multi: false
+ required: false
+ show_user: false
+ description: Prefix to apply for the list request to the S3 bucket.
+ - name: interval
+ type: text
+ title: "[S3] Interval"
+ multi: false
+ required: false
+ show_user: false
+ default: 1m
+ description: "Time interval for polling listing of the S3 bucket. NOTE: Supported units for this parameter are h/m/s."
+ - name: number_of_workers
+ type: integer
+ title: "[S3] Number of Workers"
+ multi: false
+ required: false
+ show_user: false
+ default: 5
+ description: Number of workers that will process the S3 objects listed.
- name: visibility_timeout
type: text
- title: Visibility Timeout
+ title: "[SQS] Visibility Timeout"
multi: false
required: false
show_user: false
description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- name: api_timeout
type: text
- title: API Timeout
+ title: "[SQS] API Timeout"
multi: false
required: false
show_user: false
description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: queue_url
- type: text
- title: Queue URL
- multi: false
- required: true
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from.
- name: fips_enabled
type: bool
title: Enable S3 FIPS
@@ -89,7 +127,7 @@ streams:
blank CloudTrail Insight logs will be skipped.
- name: max_number_of_messages
type: integer
- title: Maximum Concurrent SQS Messages
+ title: "[SQS] Maximum Concurrent SQS Messages"
description: The maximum number of SQS messages that can be inflight at any time.
default: 5
required: false
diff --git a/packages/aws/data_stream/cloudwatch_logs/agent/stream/aws-s3.yml.hbs b/packages/aws/data_stream/cloudwatch_logs/agent/stream/aws-s3.yml.hbs
deleted file mode 100644
index 77fae5d0dc8..00000000000
--- a/packages/aws/data_stream/cloudwatch_logs/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,51 +0,0 @@
-queue_url: {{queue_url}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url }}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/data_stream/cloudwatch_logs/manifest.yml b/packages/aws/data_stream/cloudwatch_logs/manifest.yml
index 2eb4e4266e5..80391fbb4d9 100644
--- a/packages/aws/data_stream/cloudwatch_logs/manifest.yml
+++ b/packages/aws/data_stream/cloudwatch_logs/manifest.yml
@@ -1,74 +1,6 @@
title: AWS CloudWatch logs
type: logs
streams:
- - input: aws-s3
- template_path: aws-s3.yml.hbs
- title: AWS CloudWatch logs via S3 (Deprecated)
- enabled: false
- description: (Deprecated) Please use Custom AWS Logs integration instead
- vars:
- - name: visibility_timeout
- type: text
- title: Visibility Timeout
- multi: false
- required: false
- show_user: false
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- - name: api_timeout
- type: text
- title: API Timeout
- multi: false
- required: false
- show_user: false
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: queue_url
- type: text
- title: Queue URL
- multi: false
- required: true
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from.
- - name: fips_enabled
- type: bool
- title: Enable S3 FIPS
- default: false
- multi: false
- required: false
- show_user: false
- description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - aws-cloudwatch-logs
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: max_number_of_messages
- type: integer
- title: Maximum Concurrent SQS Messages
- description: The maximum number of SQS messages that can be inflight at any time.
- default: 5
- required: false
- show_user: false
- input: aws-cloudwatch
enabled: false
template_path: aws-cloudwatch.yml.hbs
diff --git a/packages/aws/data_stream/cloudwatch_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/cloudwatch_metrics/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..8da84149a46
--- /dev/null
+++ b/packages/aws/data_stream/cloudwatch_metrics/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,11 @@
+---
+description: "Pipeline for AWS CloudWatch metrics"
+processors:
+ - fingerprint:
+ fields: ["aws.dimensions"]
+ target_field: 'aws.dimensions.fingerprint'
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
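Review bot: The fingerprint is written to `aws.dimensions.fingerprint`, inside the very object it hashes, so the processor is not idempotent: if a document that already carries the field is run through the pipeline again (a reindex with the default pipeline, or a second pass), the earlier hash becomes part of the hashed input and the time-series key of that document changes. Either write the hash next to the object rather than into it, e.g. `target_field: aws.dimensions_fingerprint` (with the matching field definition moved accordingly), or, if the in-object location is intended, add a comment above the processor stating that the pipeline must run at most once per document. The processor also relies on the default hashing `method`; pinning it explicitly (`method: SHA-1`, the documented default) keeps the dimension value stable if that default ever changes. The `on_failure` handler only records the message, which is fine here since `ignore_missing: true` already covers the expected absent-field case.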
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
index 20f154e37bd..8e6c369edfc 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
@@ -2,6 +2,7 @@
name: cloud
- external: ecs
name: cloud.account.id
+ dimension: true
- external: ecs
name: cloud.account.name
- external: ecs
@@ -14,6 +15,7 @@
name: cloud.provider
- external: ecs
name: cloud.region
+ dimension: true
- external: ecs
name: ecs.version
- external: ecs
@@ -60,3 +62,6 @@
name: container.labels
- external: ecs
name: container.name
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml
index a8a7ee8dcce..d8459a124e4 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml
@@ -5,15 +5,19 @@
type: object
description: |
Tag key value pairs from aws resources.
- - name: s3.bucket.name
- type: keyword
- description: |
- Name of a S3 bucket.
- name: dimensions.*
type: object
description: |
Metric dimensions.
- - name: '*.metrics.*.*'
- type: object
+ - name: dimensions.fingerprint
+ type: keyword
description: |
- Metrics that returned from Cloudwatch API query.
+ Autogenerated ID representing the fingerprint of the aws.dimensions object
+ dimension: true
+- name: 'aws.*.metrics.*.*'
+ type: object
+ object_type: double
+ object_type_mapping_type: "*"
+ metric_type: gauge
+ description: |
+ Metrics that returned from Cloudwatch API query.
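Review bot: The description of `dimensions.fingerprint` says what the value is but not why it exists; since `dimensions.*` is an object and only `dimensions.fingerprint` carries `dimension: true`, the field presumably stands in for the object as the time-series key, and that should be stated so nobody later "cleans it up". I would write: `Hash of the aws.dimensions object, used as the time-series dimension in place of the object itself (object fields cannot be dimensions); populated by the data stream's default ingest pipeline.` The carried-over description `Metrics that returned from Cloudwatch API query.` on the new `aws.*.metrics.*.*` entry could read `Metrics returned by the CloudWatch API query; all values are mapped as double gauges.`, which also documents the new `object_type: double` / `metric_type: gauge` choice.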
diff --git a/packages/aws/data_stream/cloudwatch_metrics/manifest.yml b/packages/aws/data_stream/cloudwatch_metrics/manifest.yml
index 9e45991ba68..a18e5da0e77 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/manifest.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/manifest.yml
@@ -1,5 +1,7 @@
title: AWS CloudWatch metrics
type: metrics
+elasticsearch:
+ index_mode: "time_series"
streams:
- input: aws/metrics
enabled: false
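Review bot: Switching the data stream to `index_mode: "time_series"` (here and in the ec2_metrics manifest in the same commit) changes the ingest contract in two ways the manifest does not document: documents that share the same dimension values and `@timestamp` collide on the generated `_id` and so do not both end up stored, and documents whose `@timestamp` falls outside the backing index's accepted time window (`index.look_back_time` / `index.look_ahead_time`) are rejected instead of indexed. CloudWatch metric timestamps lag collection time, so a collection period or latency setting larger than the look-back window would silently drop data; worth checking against the input's defaults, which are not visible in this chunk. Existing installations will also get a new backing index with different mappings on upgrade; a changelog entry flagging the change would help (the changelog is not in this chunk).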
diff --git a/packages/aws/data_stream/ec2_metrics/fields/ecs.yml b/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
index a70d08feee0..3126856d0a4 100644
--- a/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
@@ -2,6 +2,7 @@
name: cloud
- external: ecs
name: cloud.account.id
+ dimension: true
- external: ecs
name: cloud.account.name
- external: ecs
@@ -14,6 +15,7 @@
name: cloud.provider
- external: ecs
name: cloud.region
+ dimension: true
- external: ecs
name: ecs.version
- external: ecs
@@ -36,3 +38,6 @@
name: host.network.ingress.bytes
- external: ecs
name: host.network.ingress.packets
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/aws/data_stream/ec2_metrics/fields/fields.yml b/packages/aws/data_stream/ec2_metrics/fields/fields.yml
index d051d8ac5e7..834a283a93f 100644
--- a/packages/aws/data_stream/ec2_metrics/fields/fields.yml
+++ b/packages/aws/data_stream/ec2_metrics/fields/fields.yml
@@ -6,79 +6,146 @@
fields:
- name: AutoScalingGroupName
type: keyword
+ dimension: true
description: An Auto Scaling group is a collection of instances you define if you're using Auto Scaling.
- name: ImageId
type: keyword
+ dimension: true
description: This dimension filters the data you request for all instances running this Amazon EC2 Amazon Machine Image (AMI)
- name: InstanceId
type: keyword
+ dimension: true
description: Amazon EC2 instance ID
- name: InstanceType
type: keyword
+ dimension: true
description: This dimension filters the data you request for all instances running with this specified instance type.
- name: ec2
type: group
fields:
- - name: cpu.credit_usage
- type: long
- description: |
- The number of CPU credits spent by the instance for CPU utilization.
- - name: cpu.credit_balance
- type: long
- description: |
- The number of earned CPU credits that an instance has accrued since it was launched or started.
- - name: cpu.surplus_credit_balance
- type: long
- description: |
- The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero.
- - name: cpu.surplus_credits_charged
- type: long
- description: |
- The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge.
- - name: network.in.packets_per_sec
- type: long
- description: |
- The number of packets per second sent out on all network interfaces by the instance.
- - name: network.out.packets_per_sec
- type: long
- description: |
- The number of packets per second sent out on all network interfaces by the instance.
- - name: network.in.bytes_per_sec
- type: long
- description: |
- The number of bytes per second received on all network interfaces by the instance.
- - name: network.out.bytes_per_sec
- type: long
- description: |
- The number of bytes per second sent out on all network interfaces by the instance.
- - name: diskio.read.bytes_per_sec
- type: long
- description: |
- Bytes read per second from all instance store volumes available to the instance.
- - name: diskio.write.bytes_per_sec
- type: long
- description: |
- Bytes written per second to all instance store volumes available to the instance.
- - name: diskio.read.count_per_sec
- type: long
- description: |
- Completed read operations per second from all instance store volumes available to the instance in a specified period of time.
- - name: diskio.write.count_per_sec
- type: long
- description: |
- Completed write operations per second to all instance store volumes available to the instance in a specified period of time.
- - name: status.check_failed
- type: long
- description: |
- Reports whether the instance has passed both the instance status check and the system status check in the last minute.
- - name: status.check_failed_system
- type: long
- description: |
- Reports whether the instance has passed the system status check in the last minute.
- - name: status.check_failed_instance
- type: long
- description: |
- Reports whether the instance has passed the instance status check in the last minute.
+ - name: metrics
+ type: group
+ fields:
+ - name: CPUCreditUsage.avg
+ type: long
+ metric_type: gauge
+ description: |
+ The number of CPU credits spent by the instance for CPU utilization.
+ - name: CPUCreditBalance.avg
+ type: long
+ metric_type: gauge
+ description: |
+ The number of earned CPU credits that an instance has accrued since it was launched or started.
+ - name: CPUSurplusCreditBalance.avg
+ type: long
+ metric_type: gauge
+ description: |
+ The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero.
+ - name: CPUSurplusCreditsCharged.avg
+ type: long
+ metric_type: gauge
+ description: |
+ The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge.
+ - name: CPUUtilization.avg
+ type: long
+ metric_type: gauge
+ description: |
+ The average percentage of physical CPU time that Amazon EC2 uses to run the EC2 instance.
+ - name: NetworkPacketsIn.rate
+ type: long
+ metric_type: gauge
+ description: |
+ The number of packets per second sent out on all network interfaces by the instance.
+ - name: NetworkPacketsIn.sum
+ type: long
+ metric_type: gauge
+ description: |
+ The number of packets total sent out on all network interfaces by the instance.
+ - name: NetworkPacketsOut.rate
+ type: long
+ metric_type: gauge
+ description: |
+ The number of packets per second sent out on all network interfaces by the instance.
+ - name: NetworkPacketsOut.sum
+ type: long
+ metric_type: gauge
+ description: |
+ The number of packets total sent out on all network interfaces by the instance.
+ - name: NetworkIn.rate
+ type: long
+ metric_type: gauge
+ description: |
+ The number of bytes per second received on all network interfaces by the instance.
+ - name: NetworkIn.sum
+ type: long
+ metric_type: gauge
+ description: |
+ The number of bytes total received on all network interfaces by the instance.
+ - name: NetworkOut.rate
+ type: long
+ metric_type: gauge
+ description: |
+ The number of bytes per second sent out on all network interfaces by the instance.
+ - name: NetworkOut.sum
+ type: long
+ metric_type: gauge
+ description: |
+ The number of bytes total sent out on all network interfaces by the instance.
+ - name: DiskReadBytes.rate
+ type: long
+ metric_type: gauge
+ description: |
+ Bytes read per second from all instance store volumes available to the instance.
+ - name: DiskReadBytes.sum
+ type: long
+ metric_type: gauge
+ description: |
+ Total bytes read from all instance store volumes available to the instance.
+ - name: DiskWriteBytes.rate
+ type: long
+ metric_type: gauge
+ description: |
+ Bytes written per second to all instance store volumes available to the instance.
+ - name: DiskWriteBytes.sum
+ type: long
+ metric_type: gauge
+ description: |
+ Total bytes written to all instance store volumes available to the instance.
+ - name: DiskReadOps.rate
+ type: long
+ metric_type: gauge
+ description: |
+ Completed read operations per second from all instance store volumes available to the instance in a specified period of time.
+ - name: DiskReadOps.sum
+ type: long
+ metric_type: gauge
+ description: |
+ Total completed read operations from all instance store volumes available to the instance in a specified period of time.
+ - name: DiskWriteOps.rate
+ type: long
+ metric_type: gauge
+ description: |
+ Completed write operations per second to all instance store volumes available to the instance in a specified period of time.
+ - name: DiskWriteOps.sum
+ type: long
+ metric_type: gauge
+ description: |
+ Total completed write operations to all instance store volumes available to the instance in a specified period of time.
+ - name: StatusCheckFailed.avg
+ type: long
+ metric_type: gauge
+ description: |
+ Reports whether the instance has passed both the instance status check and the system status check in the last minute.
+ - name: StatusCheckFailed_System.avg
+ type: long
+ metric_type: gauge
+ description: |
+ Reports whether the instance has passed the system status check in the last minute.
+ - name: StatusCheckFailed_Instance.avg
+ type: long
+ metric_type: gauge
+ description: |
+ Reports whether the instance has passed the instance status check in the last minute.
- name: instance.core.count
type: integer
description: |
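Review bot: Every new `.avg` and `.rate` metric is mapped as `type: long`, but these are averages and per-second rates that are fractional in practice — the sample event updated in this same commit carries `CPUUtilization.avg: 2.88…`, `CPUCreditUsage.avg: 0.291…` and `NetworkOut.rate: 10445.91…` — and Elasticsearch truncates floating-point input for integer field types, so credit usage indexes as 0 and CPU utilisation as 2. This also disagrees with the cloudwatch_metrics package-fields change in the same commit, which maps `aws.*.metrics.*.*` as `object_type: double`; I would change `type: long` to `type: double` on all `.avg` and `.rate` entries (the `.sum` counters can stay long). Separately, the descriptions of `NetworkPacketsIn.rate` and `NetworkPacketsIn.sum` say "sent out" although they describe inbound packets; they should read `received on all network interfaces by the instance`, matching the `NetworkIn` entries. The enclosing field group starts before this hunk.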
diff --git a/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml b/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml
index 888286fa7ab..7d6aebd7964 100644
--- a/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml
+++ b/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml
@@ -9,7 +9,3 @@
type: keyword
description: |
Name of a S3 bucket.
- - name: '*.metrics.*.*'
- type: object
- description: |
- Metrics that returned from Cloudwatch API query.
diff --git a/packages/aws/data_stream/ec2_metrics/manifest.yml b/packages/aws/data_stream/ec2_metrics/manifest.yml
index 1e4ca21c1c3..c3e00bc017e 100644
--- a/packages/aws/data_stream/ec2_metrics/manifest.yml
+++ b/packages/aws/data_stream/ec2_metrics/manifest.yml
@@ -1,5 +1,7 @@
title: AWS EC2 metrics
type: metrics
+elasticsearch:
+ index_mode: "time_series"
streams:
- input: aws/metrics
vars:
diff --git a/packages/aws/data_stream/ec2_metrics/sample_event.json b/packages/aws/data_stream/ec2_metrics/sample_event.json
index e36f596d510..050d1461100 100644
--- a/packages/aws/data_stream/ec2_metrics/sample_event.json
+++ b/packages/aws/data_stream/ec2_metrics/sample_event.json
@@ -1,33 +1,27 @@
{
- "@timestamp": "2022-05-26T12:40:00.000Z",
- "agent": {
- "name": "docker-fleet-agent",
- "id": "24d50340-a9d0-4d5d-9f42-fe9cb4b8c95d",
- "type": "metricbeat",
- "ephemeral_id": "f8282deb-ebc7-4d1f-9386-207f56657244",
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "24d50340-a9d0-4d5d-9f42-fe9cb4b8c95d",
- "version": "8.2.0",
- "snapshot": false
- },
+ "@timestamp": "2023-08-07T18:35:00.000Z",
"cloud": {
- "availability_zone": "us-east-1c",
+ "availability_zone": "eu-north-1c",
"instance": {
- "name": "elastic-package-test-33138",
- "id": "i-0de58890d94dda2e3"
+ "id": "i-0c08512debca266ab"
},
"provider": "aws",
"machine": {
- "type": "t1.micro"
+ "type": "t3.medium"
},
- "region": "us-east-1",
+ "region": "eu-north-1",
"account": {
- "name": "elastic-beats",
- "id": "428152502467"
+ "name": "MonitoringAccount",
+ "id": "627286350134"
}
},
+ "agent": {
+ "name": "docker-fleet-agent",
+ "id": "72314f01-98f2-477f-978a-e98d109c640c",
+ "type": "metricbeat",
+ "ephemeral_id": "b8cd4414-f528-43f4-b43f-0edbcc69b46f",
+ "version": "8.8.1"
+ },
"ecs": {
"version": "8.0.0"
},
@@ -41,107 +35,121 @@
},
"host": {
"hostname": "docker-fleet-agent",
- "disk": {
- "read": {
- "bytes": 0
- },
- "write": {
- "bytes": 0
- }
- },
"os": {
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.49-linuxkit-pr",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
- "version": "20.04.4 LTS (Focal Fossa)",
+ "version": "20.04.6 LTS (Focal Fossa)",
"platform": "ubuntu"
},
- "containerized": true,
+ "containerized": false,
"ip": [
- "192.168.80.7"
+ "172.20.0.7"
],
- "name": "elastic-package-test-33138",
+ "name": "docker-fleet-agent",
"cpu": {
- "usage": 0.08265027322397175
+ "usage": 2.8849988898518673
},
- "id": "i-0de58890d94dda2e3",
+ "id": "d08b346fbb8f49f5a2bb1a477f8ceb54",
"mac": [
- "02:42:c0:a8:50:07"
+ "02-42-AC-14-00-07"
],
- "architecture": "x86_64",
+ "architecture": "aarch64",
"network": {
"ingress": {
- "bytes": 1992
+ "bytes": 1608959,
+ "packets": 5334
},
"egress": {
- "bytes": 1800
+ "bytes": 626755,
+ "packets": 4977
}
}
},
+ "elastic_agent": {
+ "id": "72314f01-98f2-477f-978a-e98d109c640c",
+ "version": "8.8.1",
+ "snapshot": false
+ },
"metricset": {
"period": 300000,
"name": "cloudwatch"
},
"event": {
- "duration": 15936070000,
+ "duration": 5858967919,
"agent_id_status": "verified",
- "ingested": "2022-05-26T12:44:52Z",
+ "ingested": "2023-08-07T18:41:31Z",
"module": "aws",
"dataset": "aws.ec2_metrics"
},
"aws": {
"ec2": {
- "diskio": {
- "read": {
- "count_per_sec": 0,
- "bytes_per_sec": 0
- },
- "write": {
- "count_per_sec": 0,
- "bytes_per_sec": 0
- }
- },
"instance": {
"image": {
- "id": "ami-0ff900168d0231cd3"
+ "id": "ami-00b8290583a865359"
},
"core": {
"count": 1
},
"private": {
- "ip": "172.31.16.45",
- "dns_name": "ip-172-31-16-45.ec2.internal"
+ "ip": "172.31.13.154",
+ "dns_name": "ip-172-31-13-154.eu-north-1.compute.internal"
},
- "threads_per_core": 1,
+ "threads_per_core": 2,
"public": {
- "ip": "54.90.153.147",
- "dns_name": "ec2-54-90-153-147.compute-1.amazonaws.com"
+ "ip": "16.16.138.5",
+ "dns_name": "ec2-16-16-138-5.eu-north-1.compute.amazonaws.com"
},
"state": {
"code": 16,
"name": "running"
},
"monitoring": {
- "state": "enabled"
+ "state": "disabled"
}
},
- "cpu": {
- "credit_balance": 144,
- "credit_usage": 0.004121
- },
- "status": {
- "check_failed": 0,
- "check_failed_instance": 0,
- "check_failed_system": 0
- },
- "network": {
- "in": {
- "bytes_per_sec": 33.2
+ "metrics": {
+ "NetworkOut": {
+ "rate": 10445.916666666666,
+ "sum": 626755
+ },
+ "CPUUtilization": {
+ "avg": 2.8849988898518673
+ },
+ "StatusCheckFailed_Instance": {
+ "avg": 0
+ },
+ "CPUCreditUsage": {
+ "avg": 0.29100543333333334
+ },
+ "CPUCreditBalance": {
+ "avg": 576
+ },
+ "NetworkPacketsOut": {
+ "rate": 82.95,
+ "sum": 4977
+ },
+ "NetworkPacketsIn": {
+ "rate": 88.9,
+ "sum": 5334
+ },
+ "NetworkIn": {
+ "rate": 26815.983333333334,
+ "sum": 1608959
+ },
+ "StatusCheckFailed": {
+ "avg": 0
+ },
+ "CPUSurplusCreditsCharged": {
+ "avg": 0
+ },
+ "CPUSurplusCreditBalance": {
+ "avg": 0
},
- "out": {
- "bytes_per_sec": 30
+ "StatusCheckFailed_System": {
+ "avg": 0
}
}
},
@@ -149,10 +157,12 @@
"namespace": "AWS/EC2"
},
"dimensions": {
- "InstanceId": "i-0de58890d94dda2e3"
+ "InstanceId": "i-0c08512debca266ab"
},
"tags": {
- "Name": "elastic-package-test-33138"
+ "aws:autoscaling:groupName": "eks-firehose-50c386d7-c8b1-bde8-5d42-d3841ca7ecfe",
+ "aws:ec2launchtemplate:version": "1",
+ "aws:ec2launchtemplate:id": "lt-09e1cdf590e35c687"
}
}
}
\ No newline at end of file
diff --git a/packages/aws/data_stream/emr_logs/_dev/test/pipeline/test-common-config.yml b/packages/aws/data_stream/emr_logs/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..7780f71c7be
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,7 @@
+fields:
+ tags:
+ - preserve_original_event
+multiline:
+ first_line_pattern: '^[0-9]'
+ negate: true
+ match: after
\ No newline at end of file
diff --git a/packages/aws/data_stream/emr_logs/_dev/test/pipeline/test-emr-hadoop.log b/packages/aws/data_stream/emr_logs/_dev/test/pipeline/test-emr-hadoop.log
new file mode 100644
index 00000000000..c4c3d07ded6
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/_dev/test/pipeline/test-emr-hadoop.log
@@ -0,0 +1,92 @@
+2023-06-26 13:45:49,685 INFO namenode.NameNode: STARTUP_MSG:
+/************************************************************
+STARTUP_MSG: Starting NameNode
+STARTUP_MSG: host = ip-172-31-25-102.eu-central-1.compute.internal/172.31.25.102
+STARTUP_MSG: args = [-format, -nonInteractive]
+STARTUP_MSG: version = 3.3.3-amzn-3
+STARTUP_MSG: classpath = /etc/hadoop/conf:/usr/lib/hadoop/lib/jetty-security-9.4.48.v20220622.jar:/usr/lib/hadoop/lib/accessors-smart-2.4.7.jar:/usr/lib/hadoop/lib/jersey-core-1.19.jar:/usr/lib/hadoop/lib/animal-sniffer-annotations-1.17.jar
+STARTUP_MSG: build = Unknown -r Unknown; compiled by 'release' on 2023-05-31T03:49Z
+STARTUP_MSG: java = 1.8.0_372
+************************************************************/
+2023-06-26 13:45:49,697 INFO namenode.NameNode: registered UNIX signal handlers for [TERM, HUP, INT]
+2023-06-26 13:45:49,823 INFO namenode.NameNode: createNameNode [-format, -nonInteractive]
+2023-06-26 13:45:50,318 INFO common.Util: Assuming 'file' scheme for path /mnt/namenode in configuration.
+2023-06-26 13:45:50,319 INFO common.Util: Assuming 'file' scheme for path /mnt1/namenode in configuration.
+2023-06-26 13:45:50,319 INFO common.Util: Assuming 'file' scheme for path /mnt/namenode in configuration.
+2023-06-26 13:45:50,319 INFO common.Util: Assuming 'file' scheme for path /mnt1/namenode in configuration.
+2023-06-26 13:45:50,330 INFO namenode.NameNode: Formatting using clusterid: CID-1b3b14b6-5518-47c3-b981-e5cb6b0ce38c
+2023-06-26 13:45:50,394 INFO namenode.FSEditLog (main): Edit logging is async:true
+2023-06-26 13:45:50,484 INFO namenode.FSNamesystem: KeyProvider: KeyProviderCryptoExtension: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@a530d0a
+2023-06-26 13:45:50,486 INFO namenode.FSNamesystem: fsLock is fair: true
+2023-06-26 13:45:50,486 INFO namenode.FSNamesystem: Detailed lock hold time metrics enabled: false
+2023-06-26 13:45:50,492 INFO namenode.FSNamesystem: fsOwner = hdfs (auth:SIMPLE)
+2023-06-26 13:45:50,493 INFO namenode.FSNamesystem: supergroup = hdfsadmingroup
+2023-06-26 13:45:50,493 INFO namenode.FSNamesystem: isPermissionEnabled = true
+2023-06-26 13:45:50,493 INFO namenode.FSNamesystem: isStoragePolicyEnabled = true
+2023-06-26 13:45:50,493 INFO namenode.FSNamesystem: HA Enabled: false
+2023-06-26 13:45:50,566 INFO common.Util: dfs.datanode.fileio.profiling.sampling.percentage set to 0. Disabling file IO profiling
+2023-06-26 13:45:50,601 INFO blockmanagement.DatanodeManager: dfs.block.invalidate.limit: configured=1000, counted=60, effected=1000
+2023-06-26 13:45:50,601 INFO blockmanagement.DatanodeManager: dfs.namenode.datanode.registration.ip-hostname-check=true
+2023-06-26 13:45:50,610 INFO blockmanagement.BlockManager: dfs.namenode.startup.delay.block.deletion.sec is set to 000:00:00:00.000
+2023-06-26 13:45:50,611 INFO blockmanagement.BlockManager: The block deletion will start around 2023 Jun 26 13:45:50
+2023-06-26 13:45:50,612 INFO util.GSet: Computing capacity for map BlocksMap
+2023-06-26 13:45:50,613 INFO util.GSet: VM type = 64-bit
+2023-06-26 13:45:50,614 INFO util.GSet: 2.0% max memory 864 MB = 17.3 MB
+2023-06-26 13:45:50,614 INFO util.GSet: capacity = 2^21 = 2097152 entries
+2023-06-26 13:45:50,623 INFO blockmanagement.BlockManager: Storage policy satisfier is disabled
+2023-06-26 13:45:50,623 INFO blockmanagement.BlockManager: dfs.block.access.token.enable = false
+2023-06-26 13:45:50,631 INFO blockmanagement.BlockManagerSafeMode: dfs.namenode.safemode.threshold-pct = 0.999
+2023-06-26 13:45:50,631 INFO blockmanagement.BlockManagerSafeMode: dfs.namenode.safemode.min.datanodes = 0
+2023-06-26 13:45:50,631 INFO blockmanagement.BlockManagerSafeMode: dfs.namenode.safemode.extension = 5000
+2023-06-26 13:45:50,632 INFO blockmanagement.BlockManager: defaultReplication = 1
+2023-06-26 13:45:50,632 INFO blockmanagement.BlockManager: maxReplication = 512
+2023-06-26 13:45:50,632 INFO blockmanagement.BlockManager: minReplication = 1
+2023-06-26 13:45:50,632 INFO blockmanagement.BlockManager: maxReplicationStreams = 100
+2023-06-26 13:45:50,633 INFO blockmanagement.BlockManager: redundancyRecheckInterval = 3000ms
+2023-06-26 13:45:50,633 INFO blockmanagement.BlockManager: encryptDataTransfer = false
+2023-06-26 13:45:50,633 INFO blockmanagement.BlockManager: maxNumBlocksToLog = 1000
+2023-06-26 13:45:50,670 INFO namenode.FSDirectory: GLOBAL serial map: bits=29 maxEntries=536870911
+2023-06-26 13:45:50,671 INFO namenode.FSDirectory: USER serial map: bits=24 maxEntries=16777215
+2023-06-26 13:45:50,671 INFO namenode.FSDirectory: GROUP serial map: bits=24 maxEntries=16777215
+2023-06-26 13:45:50,671 INFO namenode.FSDirectory: XATTR serial map: bits=24 maxEntries=16777215
+2023-06-26 13:45:50,696 INFO util.GSet: Computing capacity for map INodeMap
+2023-06-26 13:45:50,696 INFO util.GSet: VM type = 64-bit
+2023-06-26 13:45:50,697 INFO util.GSet: 1.0% max memory 864 MB = 8.6 MB
+2023-06-26 13:45:50,697 INFO util.GSet: capacity = 2^20 = 1048576 entries
+2023-06-26 13:45:50,699 INFO namenode.FSDirectory: ACLs enabled? true
+2023-06-26 13:45:50,699 INFO namenode.FSDirectory: POSIX ACL inheritance enabled? true
+2023-06-26 13:45:50,699 INFO namenode.FSDirectory: XAttrs enabled? true
+2023-06-26 13:45:50,700 INFO namenode.NameNode: Caching file names occurring more than 10 times
+2023-06-26 13:45:50,708 INFO namenode.ReencryptionHandler: Configured throttleLimitHandlerRatio=1.0 for re-encryption
+2023-06-26 13:45:50,717 INFO snapshot.SnapshotManager: Loaded config captureOpenFiles: false, skipCaptureAccessTimeOnlyChange: false, snapshotDiffAllowSnapRootDescendant: true, maxSnapshotLimit: 65536
+2023-06-26 13:45:50,720 INFO snapshot.SnapshotManager: SkipList is disabled
+2023-06-26 13:45:50,748 INFO util.GSet: Computing capacity for map cachedBlocks
+2023-06-26 13:45:50,748 INFO util.GSet: VM type = 64-bit
+2023-06-26 13:45:50,748 INFO util.GSet: 0.25% max memory 864 MB = 2.2 MB
+2023-06-26 13:45:50,749 INFO util.GSet: capacity = 2^18 = 262144 entries
+2023-06-26 13:45:50,764 INFO metrics.TopMetrics: NNTop conf: dfs.namenode.top.window.num.buckets = 10
+2023-06-26 13:45:50,764 INFO metrics.TopMetrics: NNTop conf: dfs.namenode.top.num.users = 10
+2023-06-26 13:45:50,764 INFO metrics.TopMetrics: NNTop conf: dfs.namenode.top.windows.minutes = 1,5,25
+2023-06-26 13:45:50,768 INFO namenode.FSNamesystem: Retry cache on namenode is enabled
+2023-06-26 13:45:50,768 INFO namenode.FSNamesystem: Retry cache will use 0.03 of total heap and retry cache entry expiry time is 600000 millis
+2023-06-26 13:45:50,771 INFO util.GSet: Computing capacity for map NameNodeRetryCache
+2023-06-26 13:45:50,771 INFO util.GSet: VM type = 64-bit
+2023-06-26 13:45:50,771 INFO util.GSet: 0.029999999329447746% max memory 864 MB = 265.4 KB
+2023-06-26 13:45:50,771 INFO util.GSet: capacity = 2^15 = 32768 entries
+2023-06-26 13:45:50,774 INFO namenode.FSNamesystem: Removal of Expired Lease on Open Files is enabled
+2023-06-26 13:45:50,811 INFO namenode.FSImage: Allocated new BlockPoolId: BP-1979673447-172.31.25.102-1687787150800
+2023-06-26 13:45:50,824 INFO common.Storage: Storage directory /mnt/namenode has been successfully formatted.
+2023-06-26 13:45:50,826 INFO common.Storage: Storage directory /mnt1/namenode has been successfully formatted.
+2023-06-26 13:45:50,868 INFO namenode.FSImageFormatProtobuf: Saving image file /mnt1/namenode/current/fsimage.ckpt_0000000000000000000 using no compression
+2023-06-26 13:45:50,868 INFO namenode.FSImageFormatProtobuf: Saving image file /mnt/namenode/current/fsimage.ckpt_0000000000000000000 using no compression
+2023-06-26 13:45:51,228 INFO namenode.FSImageFormatProtobuf: Image file /mnt1/namenode/current/fsimage.ckpt_0000000000000000000 of size 403 bytes saved in 0 seconds .
+2023-06-26 13:45:51,230 INFO namenode.FSImageFormatProtobuf: Image file /mnt/namenode/current/fsimage.ckpt_0000000000000000000 of size 403 bytes saved in 0 seconds .
+2023-06-26 13:45:51,244 INFO namenode.NNStorageRetentionManager: Going to retain 1 images with txid >= 0
+2023-06-26 13:45:51,301 INFO namenode.FSNamesystem: Stopping services started for active state
+2023-06-26 13:45:51,301 INFO namenode.FSNamesystem: Stopping services started for standby state
+2023-06-26 13:45:51,305 INFO namenode.FSImage: FSImageSaver clean checkpoint: txid=0 when meet shutdown.
+2023-06-26 13:45:51,306 INFO namenode.FSImage: FSImageSaver clean checkpoint: txid=0 when meet shutdown.
+2023-06-26 13:45:51,306 INFO namenode.NameNode: SHUTDOWN_MSG:
+/************************************************************
+SHUTDOWN_MSG: Shutting down NameNode at ip-172-31-25-102.eu-central-1.compute.internal/172.31.25.102
+************************************************************/
\ No newline at end of file
diff --git a/packages/aws/data_stream/emr_logs/_dev/test/pipeline/test-emr-hadoop.log-expected.json b/packages/aws/data_stream/emr_logs/_dev/test/pipeline/test-emr-hadoop.log-expected.json
new file mode 100644
index 00000000000..25994a1ff2f
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/_dev/test/pipeline/test-emr-hadoop.log-expected.json
@@ -0,0 +1,1526 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-06-26T13:45:49.685Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:49,685 INFO namenode.NameNode: STARTUP_MSG: \n/************************************************************\nSTARTUP_MSG: Starting NameNode\nSTARTUP_MSG: host = ip-172-31-25-102.eu-central-1.compute.internal/172.31.25.102\nSTARTUP_MSG: args = [-format, -nonInteractive]\nSTARTUP_MSG: version = 3.3.3-amzn-3\nSTARTUP_MSG: classpath = /etc/hadoop/conf:/usr/lib/hadoop/lib/jetty-security-9.4.48.v20220622.jar:/usr/lib/hadoop/lib/accessors-smart-2.4.7.jar:/usr/lib/hadoop/lib/jersey-core-1.19.jar:/usr/lib/hadoop/lib/animal-sniffer-annotations-1.17.jar\nSTARTUP_MSG: build = Unknown -r Unknown; compiled by 'release' on 2023-05-31T03:49Z\nSTARTUP_MSG: java = 1.8.0_372\n************************************************************/"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "STARTUP_MSG: ",
+ "process": {
+ "message": "/************************************************************\nSTARTUP_MSG: Starting NameNode\nSTARTUP_MSG: host = ip-172-31-25-102.eu-central-1.compute.internal/172.31.25.102\nSTARTUP_MSG: args = [-format, -nonInteractive]\nSTARTUP_MSG: version = 3.3.3-amzn-3\nSTARTUP_MSG: classpath = /etc/hadoop/conf:/usr/lib/hadoop/lib/jetty-security-9.4.48.v20220622.jar:/usr/lib/hadoop/lib/accessors-smart-2.4.7.jar:/usr/lib/hadoop/lib/jersey-core-1.19.jar:/usr/lib/hadoop/lib/animal-sniffer-annotations-1.17.jar\nSTARTUP_MSG: build = Unknown -r Unknown; compiled by 'release' on 2023-05-31T03:49Z\nSTARTUP_MSG: java = 1.8.0_372\n************************************************************/",
+ "name": "namenode.NameNode"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:49.697Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:49,697 INFO namenode.NameNode: registered UNIX signal handlers for [TERM, HUP, INT]"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "registered UNIX signal handlers for [TERM, HUP, INT]",
+ "process": {
+ "name": "namenode.NameNode"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:49.823Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:49,823 INFO namenode.NameNode: createNameNode [-format, -nonInteractive]"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "createNameNode [-format, -nonInteractive]",
+ "process": {
+ "name": "namenode.NameNode"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.318Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,318 INFO common.Util: Assuming 'file' scheme for path /mnt/namenode in configuration."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Assuming 'file' scheme for path /mnt/namenode in configuration.",
+ "process": {
+ "name": "common.Util"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.319Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,319 INFO common.Util: Assuming 'file' scheme for path /mnt1/namenode in configuration."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Assuming 'file' scheme for path /mnt1/namenode in configuration.",
+ "process": {
+ "name": "common.Util"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.319Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,319 INFO common.Util: Assuming 'file' scheme for path /mnt/namenode in configuration."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Assuming 'file' scheme for path /mnt/namenode in configuration.",
+ "process": {
+ "name": "common.Util"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.319Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,319 INFO common.Util: Assuming 'file' scheme for path /mnt1/namenode in configuration."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Assuming 'file' scheme for path /mnt1/namenode in configuration.",
+ "process": {
+ "name": "common.Util"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.330Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,330 INFO namenode.NameNode: Formatting using clusterid: CID-1b3b14b6-5518-47c3-b981-e5cb6b0ce38c"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Formatting using clusterid: CID-1b3b14b6-5518-47c3-b981-e5cb6b0ce38c",
+ "process": {
+ "name": "namenode.NameNode"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.394Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,394 INFO namenode.FSEditLog (main): Edit logging is async:true"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Edit logging is async:true",
+ "process": {
+ "name": "namenode.FSEditLog (main)"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.484Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,484 INFO namenode.FSNamesystem: KeyProvider: KeyProviderCryptoExtension: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@a530d0a"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "KeyProvider: KeyProviderCryptoExtension: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@a530d0a",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.486Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,486 INFO namenode.FSNamesystem: fsLock is fair: true"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "fsLock is fair: true",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.486Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,486 INFO namenode.FSNamesystem: Detailed lock hold time metrics enabled: false"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Detailed lock hold time metrics enabled: false",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.492Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,492 INFO namenode.FSNamesystem: fsOwner = hdfs (auth:SIMPLE)"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "fsOwner = hdfs (auth:SIMPLE)",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.493Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,493 INFO namenode.FSNamesystem: supergroup = hdfsadmingroup"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "supergroup = hdfsadmingroup",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.493Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,493 INFO namenode.FSNamesystem: isPermissionEnabled = true"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "isPermissionEnabled = true",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.493Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,493 INFO namenode.FSNamesystem: isStoragePolicyEnabled = true"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "isStoragePolicyEnabled = true",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.493Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,493 INFO namenode.FSNamesystem: HA Enabled: false"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "HA Enabled: false",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.566Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,566 INFO common.Util: dfs.datanode.fileio.profiling.sampling.percentage set to 0. Disabling file IO profiling"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "dfs.datanode.fileio.profiling.sampling.percentage set to 0. Disabling file IO profiling",
+ "process": {
+ "name": "common.Util"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.601Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,601 INFO blockmanagement.DatanodeManager: dfs.block.invalidate.limit: configured=1000, counted=60, effected=1000"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "dfs.block.invalidate.limit: configured=1000, counted=60, effected=1000",
+ "process": {
+ "name": "blockmanagement.DatanodeManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.601Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,601 INFO blockmanagement.DatanodeManager: dfs.namenode.datanode.registration.ip-hostname-check=true"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "dfs.namenode.datanode.registration.ip-hostname-check=true",
+ "process": {
+ "name": "blockmanagement.DatanodeManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.610Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,610 INFO blockmanagement.BlockManager: dfs.namenode.startup.delay.block.deletion.sec is set to 000:00:00:00.000"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "dfs.namenode.startup.delay.block.deletion.sec is set to 000:00:00:00.000",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.611Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,611 INFO blockmanagement.BlockManager: The block deletion will start around 2023 Jun 26 13:45:50"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "The block deletion will start around 2023 Jun 26 13:45:50",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.612Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,612 INFO util.GSet: Computing capacity for map BlocksMap"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Computing capacity for map BlocksMap",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.613Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,613 INFO util.GSet: VM type = 64-bit"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "VM type = 64-bit",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.614Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,614 INFO util.GSet: 2.0% max memory 864 MB = 17.3 MB"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "2.0% max memory 864 MB = 17.3 MB",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.614Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,614 INFO util.GSet: capacity = 2^21 = 2097152 entries"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "capacity = 2^21 = 2097152 entries",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.623Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,623 INFO blockmanagement.BlockManager: Storage policy satisfier is disabled"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Storage policy satisfier is disabled",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.623Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,623 INFO blockmanagement.BlockManager: dfs.block.access.token.enable = false"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "dfs.block.access.token.enable = false",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.631Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,631 INFO blockmanagement.BlockManagerSafeMode: dfs.namenode.safemode.threshold-pct = 0.999"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "dfs.namenode.safemode.threshold-pct = 0.999",
+ "process": {
+ "name": "blockmanagement.BlockManagerSafeMode"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.631Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,631 INFO blockmanagement.BlockManagerSafeMode: dfs.namenode.safemode.min.datanodes = 0"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "dfs.namenode.safemode.min.datanodes = 0",
+ "process": {
+ "name": "blockmanagement.BlockManagerSafeMode"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.631Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,631 INFO blockmanagement.BlockManagerSafeMode: dfs.namenode.safemode.extension = 5000"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "dfs.namenode.safemode.extension = 5000",
+ "process": {
+ "name": "blockmanagement.BlockManagerSafeMode"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.632Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,632 INFO blockmanagement.BlockManager: defaultReplication = 1"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "defaultReplication = 1",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.632Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,632 INFO blockmanagement.BlockManager: maxReplication = 512"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "maxReplication = 512",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.632Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,632 INFO blockmanagement.BlockManager: minReplication = 1"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "minReplication = 1",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.632Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,632 INFO blockmanagement.BlockManager: maxReplicationStreams = 100"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "maxReplicationStreams = 100",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.633Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,633 INFO blockmanagement.BlockManager: redundancyRecheckInterval = 3000ms"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "redundancyRecheckInterval = 3000ms",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.633Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,633 INFO blockmanagement.BlockManager: encryptDataTransfer = false"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "encryptDataTransfer = false",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.633Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,633 INFO blockmanagement.BlockManager: maxNumBlocksToLog = 1000"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "maxNumBlocksToLog = 1000",
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.670Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,670 INFO namenode.FSDirectory: GLOBAL serial map: bits=29 maxEntries=536870911"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "GLOBAL serial map: bits=29 maxEntries=536870911",
+ "process": {
+ "name": "namenode.FSDirectory"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.671Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,671 INFO namenode.FSDirectory: USER serial map: bits=24 maxEntries=16777215"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "USER serial map: bits=24 maxEntries=16777215",
+ "process": {
+ "name": "namenode.FSDirectory"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.671Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,671 INFO namenode.FSDirectory: GROUP serial map: bits=24 maxEntries=16777215"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "GROUP serial map: bits=24 maxEntries=16777215",
+ "process": {
+ "name": "namenode.FSDirectory"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.671Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,671 INFO namenode.FSDirectory: XATTR serial map: bits=24 maxEntries=16777215"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "XATTR serial map: bits=24 maxEntries=16777215",
+ "process": {
+ "name": "namenode.FSDirectory"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.696Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,696 INFO util.GSet: Computing capacity for map INodeMap"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Computing capacity for map INodeMap",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.696Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,696 INFO util.GSet: VM type = 64-bit"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "VM type = 64-bit",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.697Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,697 INFO util.GSet: 1.0% max memory 864 MB = 8.6 MB"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "1.0% max memory 864 MB = 8.6 MB",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.697Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,697 INFO util.GSet: capacity = 2^20 = 1048576 entries"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "capacity = 2^20 = 1048576 entries",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.699Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,699 INFO namenode.FSDirectory: ACLs enabled? true"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "ACLs enabled? true",
+ "process": {
+ "name": "namenode.FSDirectory"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.699Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,699 INFO namenode.FSDirectory: POSIX ACL inheritance enabled? true"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "POSIX ACL inheritance enabled? true",
+ "process": {
+ "name": "namenode.FSDirectory"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.699Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,699 INFO namenode.FSDirectory: XAttrs enabled? true"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "XAttrs enabled? true",
+ "process": {
+ "name": "namenode.FSDirectory"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.700Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,700 INFO namenode.NameNode: Caching file names occurring more than 10 times"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Caching file names occurring more than 10 times",
+ "process": {
+ "name": "namenode.NameNode"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.708Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,708 INFO namenode.ReencryptionHandler: Configured throttleLimitHandlerRatio=1.0 for re-encryption"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Configured throttleLimitHandlerRatio=1.0 for re-encryption",
+ "process": {
+ "name": "namenode.ReencryptionHandler"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.717Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,717 INFO snapshot.SnapshotManager: Loaded config captureOpenFiles: false, skipCaptureAccessTimeOnlyChange: false, snapshotDiffAllowSnapRootDescendant: true, maxSnapshotLimit: 65536"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Loaded config captureOpenFiles: false, skipCaptureAccessTimeOnlyChange: false, snapshotDiffAllowSnapRootDescendant: true, maxSnapshotLimit: 65536",
+ "process": {
+ "name": "snapshot.SnapshotManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.720Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,720 INFO snapshot.SnapshotManager: SkipList is disabled"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "SkipList is disabled",
+ "process": {
+ "name": "snapshot.SnapshotManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.748Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,748 INFO util.GSet: Computing capacity for map cachedBlocks"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Computing capacity for map cachedBlocks",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.748Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,748 INFO util.GSet: VM type = 64-bit"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "VM type = 64-bit",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.748Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,748 INFO util.GSet: 0.25% max memory 864 MB = 2.2 MB"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "0.25% max memory 864 MB = 2.2 MB",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.749Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,749 INFO util.GSet: capacity = 2^18 = 262144 entries"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "capacity = 2^18 = 262144 entries",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.764Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,764 INFO metrics.TopMetrics: NNTop conf: dfs.namenode.top.window.num.buckets = 10"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "NNTop conf: dfs.namenode.top.window.num.buckets = 10",
+ "process": {
+ "name": "metrics.TopMetrics"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.764Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,764 INFO metrics.TopMetrics: NNTop conf: dfs.namenode.top.num.users = 10"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "NNTop conf: dfs.namenode.top.num.users = 10",
+ "process": {
+ "name": "metrics.TopMetrics"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.764Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,764 INFO metrics.TopMetrics: NNTop conf: dfs.namenode.top.windows.minutes = 1,5,25"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "NNTop conf: dfs.namenode.top.windows.minutes = 1,5,25",
+ "process": {
+ "name": "metrics.TopMetrics"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.768Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,768 INFO namenode.FSNamesystem: Retry cache on namenode is enabled"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Retry cache on namenode is enabled",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.768Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,768 INFO namenode.FSNamesystem: Retry cache will use 0.03 of total heap and retry cache entry expiry time is 600000 millis"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Retry cache will use 0.03 of total heap and retry cache entry expiry time is 600000 millis",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.771Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,771 INFO util.GSet: Computing capacity for map NameNodeRetryCache"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Computing capacity for map NameNodeRetryCache",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.771Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,771 INFO util.GSet: VM type = 64-bit"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "VM type = 64-bit",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.771Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,771 INFO util.GSet: 0.029999999329447746% max memory 864 MB = 265.4 KB"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "0.029999999329447746% max memory 864 MB = 265.4 KB",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.771Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,771 INFO util.GSet: capacity = 2^15 = 32768 entries"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "capacity = 2^15 = 32768 entries",
+ "process": {
+ "name": "util.GSet"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.774Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,774 INFO namenode.FSNamesystem: Removal of Expired Lease on Open Files is enabled"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Removal of Expired Lease on Open Files is enabled",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.811Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,811 INFO namenode.FSImage: Allocated new BlockPoolId: BP-1979673447-172.31.25.102-1687787150800"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Allocated new BlockPoolId: BP-1979673447-172.31.25.102-1687787150800",
+ "process": {
+ "name": "namenode.FSImage"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.824Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,824 INFO common.Storage: Storage directory /mnt/namenode has been successfully formatted."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Storage directory /mnt/namenode has been successfully formatted.",
+ "process": {
+ "name": "common.Storage"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.826Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,826 INFO common.Storage: Storage directory /mnt1/namenode has been successfully formatted."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Storage directory /mnt1/namenode has been successfully formatted.",
+ "process": {
+ "name": "common.Storage"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.868Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,868 INFO namenode.FSImageFormatProtobuf: Saving image file /mnt1/namenode/current/fsimage.ckpt_0000000000000000000 using no compression"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Saving image file /mnt1/namenode/current/fsimage.ckpt_0000000000000000000 using no compression",
+ "process": {
+ "name": "namenode.FSImageFormatProtobuf"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:50.868Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,868 INFO namenode.FSImageFormatProtobuf: Saving image file /mnt/namenode/current/fsimage.ckpt_0000000000000000000 using no compression"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Saving image file /mnt/namenode/current/fsimage.ckpt_0000000000000000000 using no compression",
+ "process": {
+ "name": "namenode.FSImageFormatProtobuf"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:51.228Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:51,228 INFO namenode.FSImageFormatProtobuf: Image file /mnt1/namenode/current/fsimage.ckpt_0000000000000000000 of size 403 bytes saved in 0 seconds ."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Image file /mnt1/namenode/current/fsimage.ckpt_0000000000000000000 of size 403 bytes saved in 0 seconds .",
+ "process": {
+ "name": "namenode.FSImageFormatProtobuf"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:51.230Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:51,230 INFO namenode.FSImageFormatProtobuf: Image file /mnt/namenode/current/fsimage.ckpt_0000000000000000000 of size 403 bytes saved in 0 seconds ."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Image file /mnt/namenode/current/fsimage.ckpt_0000000000000000000 of size 403 bytes saved in 0 seconds .",
+ "process": {
+ "name": "namenode.FSImageFormatProtobuf"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:51.244Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:51,244 INFO namenode.NNStorageRetentionManager: Going to retain 1 images with txid \u003e= 0"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Going to retain 1 images with txid \u003e= 0",
+ "process": {
+ "name": "namenode.NNStorageRetentionManager"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:51.301Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:51,301 INFO namenode.FSNamesystem: Stopping services started for active state"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Stopping services started for active state",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:51.301Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:51,301 INFO namenode.FSNamesystem: Stopping services started for standby state"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "Stopping services started for standby state",
+ "process": {
+ "name": "namenode.FSNamesystem"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:51.305Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:51,305 INFO namenode.FSImage: FSImageSaver clean checkpoint: txid=0 when meet shutdown."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "FSImageSaver clean checkpoint: txid=0 when meet shutdown.",
+ "process": {
+ "name": "namenode.FSImage"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:51.306Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:51,306 INFO namenode.FSImage: FSImageSaver clean checkpoint: txid=0 when meet shutdown."
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "FSImageSaver clean checkpoint: txid=0 when meet shutdown.",
+ "process": {
+ "name": "namenode.FSImage"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-26T13:45:51.306Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:51,306 INFO namenode.NameNode: SHUTDOWN_MSG: \n/************************************************************\nSHUTDOWN_MSG: Shutting down NameNode at ip-172-31-25-102.eu-central-1.compute.internal/172.31.25.102\n************************************************************/"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "message": "SHUTDOWN_MSG: ",
+ "process": {
+ "message": "/************************************************************\nSHUTDOWN_MSG: Shutting down NameNode at ip-172-31-25-102.eu-central-1.compute.internal/172.31.25.102\n************************************************************/",
+ "name": "namenode.NameNode"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/aws/data_stream/emr_logs/agent/stream/aws-cloudwatch.yml.hbs b/packages/aws/data_stream/emr_logs/agent/stream/aws-cloudwatch.yml.hbs
new file mode 100644
index 00000000000..934f97a44c3
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/agent/stream/aws-cloudwatch.yml.hbs
@@ -0,0 +1,100 @@
+{{#unless log_group_name}}
+{{#unless log_group_name_prefix}}
+{{#if log_group_arn }}
+log_group_arn: {{ log_group_arn }}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+{{#unless log_group_arn}}
+{{#unless log_group_name}}
+{{#if log_group_name_prefix }}
+log_group_name_prefix: {{ log_group_name_prefix }}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+{{#unless log_group_arn}}
+{{#unless log_group_name_prefix}}
+{{#if log_group_name }}
+log_group_name: {{ log_group_name }}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+{{#unless log_group_arn}}
+region_name: {{ region_name }}
+{{/unless}}
+
+{{#unless log_stream_prefix}}
+{{#if log_streams }}
+log_streams: {{ log_streams }}
+{{/if}}
+{{/unless}}
+
+{{#unless log_streams}}
+{{#if log_stream_prefix }}
+log_stream_prefix: {{ log_stream_prefix }}
+{{/if}}
+{{/unless}}
+
+{{#if start_position }}
+start_position: {{ start_position }}
+{{/if}}
+
+{{#if scan_frequency }}
+scan_frequency: {{ scan_frequency }}
+{{/if}}
+
+{{#if api_sleep }}
+api_sleep: {{ api_sleep }}
+{{/if}}
+
+{{#if latency }}
+latency: {{ latency }}
+{{/if}}
+{{#if number_of_workers }}
+number_of_workers: {{ number_of_workers }}
+{{/if}}
+
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if default_region}}
+default_region: {{default_region}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
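Review bot: `api_timeout` is rendered here inside the `{{#if api_timeout}}` block, but the CloudWatch stream in packages/aws/data_stream/emr_logs/manifest.yml in this commit declares that variable as `api_timeput`, so the "API Timeout" option and its `120s` default never reach the input config and the user-visible setting is a no-op. Renaming the manifest entry to `- name: api_timeout` fixes it; a system test that inspects the rendered input would have caught the mismatch. Separately, `log_streams` is declared `multi: true` but is interpolated as a scalar (`log_streams: {{ log_streams }}`); I cannot tell from this hunk how the package's Handlebars helper renders list variables, so confirm it produces a YAML sequence rather than a joined string.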
diff --git a/packages/aws/data_stream/emr_logs/agent/stream/aws-s3.yml.hbs b/packages/aws/data_stream/emr_logs/agent/stream/aws-s3.yml.hbs
new file mode 100644
index 00000000000..c479d4b6dd0
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,78 @@
+{{#if collect_s3_logs}}
+
+{{#if bucket_arn}}
+bucket_arn: {{bucket_arn}}
+{{/if}}
+{{#if number_of_workers}}
+number_of_workers: {{number_of_workers}}
+{{/if}}
+{{#if interval}}
+bucket_list_interval: {{interval}}
+{{/if}}
+{{#if bucket_list_prefix}}
+bucket_list_prefix: {{bucket_list_prefix}}
+{{/if}}
+
+{{else}}
+
+{{#if queue_url}}
+queue_url: {{queue_url}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
+{{#if file_selectors}}
+file_selectors:
+{{file_selectors}}
+{{/if}}
+
+{{/if}}
+
+
+{{#if default_region}}
+default_region: {{default_region}}
+{{/if}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if fips_enabled}}
+fips_enabled: {{fips_enabled}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
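Review bot: Both source settings are optional in this template — `bucket_arn` is emitted only inside `{{#if bucket_arn}}` and `queue_url` only inside `{{#if queue_url}}` — so a policy with `collect_s3_logs` on but no bucket ARN, or off with no queue URL, renders an aws-s3 input with no source at all, and the misconfiguration presumably surfaces only when the agent starts the input rather than when the policy is saved. The manifest in this commit marks both as `required: false` (since only one applies at a time), so the mutual-exclusion check has to be enforced somewhere; as written, the `{{else}}` branch fails silently. The same shape is introduced in packages/aws/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs in this commit. `file_selectors` is rendered only in the SQS branch; if the input honours it during bucket listing as well, moving it out of the `{{#if collect_s3_logs}}` block would let bucket-polling users filter objects — confirm against the input's documentation.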
diff --git a/packages/aws/data_stream/emr_logs/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/emr_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..55b24bc86c4
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,62 @@
+---
+description: "Pipeline for EMR logs"
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: 'ctx.event?.original == null'
+ description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.'
+ - remove:
+ field: message
+ ignore_missing: true
+ if: 'ctx.event?.original != null'
+ description: 'The `message` field is no longer required if the document has an `event.original` field.'
+ - grok:
+ field: event.original
+ pattern_definitions:
+ GREEDYMULTILINE: "(.|\\n)*"
+ patterns:
+ - '%{TIMESTAMP_ISO8601:_tmp.timestamp}%{SPACE}%{LOGLEVEL:log.level}%{SPACE}%{DATA:process.name}(?:\\[%{GREEDYDATA:process.entrypoint}\\])?:%{SPACE}%{GREEDYDATA:message}%{SPACE}%{GREEDYMULTILINE:process.message}'
+ ignore_missing: true
+ - date:
+ field: _tmp.timestamp
+ target_field: '@timestamp'
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - yyyy-MM-dd HH:mm:ss,SSS
+ - remove:
+ field:
+ - _tmp
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ ignore_failure: true
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: 'error.message'
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
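Review bot: The `date` processor parses `_tmp.timestamp` with `yyyy-MM-dd HH:mm:ss,SSS`, a format carrying no zone, and sets no `timezone`, so every timestamp is interpreted as UTC — the expected test output in this commit shows `13:45:51,306` becoming `2023-06-26T13:45:51.306Z`. Hadoop/EMR log4j timestamps are presumably written in the instance's local time, so clusters not running in UTC would have their events shifted by the zone offset. Either document the UTC assumption in the processor's `description`, or expose a policy variable and pass it through the processor's `timezone` option, as other log data streams in this package do for local-time sources.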
diff --git a/packages/aws/data_stream/emr_logs/fields/agent.yml b/packages/aws/data_stream/emr_logs/fields/agent.yml
new file mode 100644
index 00000000000..13e13903cc4
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/fields/agent.yml
@@ -0,0 +1,35 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/aws/data_stream/emr_logs/fields/base-fields.yml b/packages/aws/data_stream/emr_logs/fields/base-fields.yml
new file mode 100644
index 00000000000..ae928a4e452
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.emr_logs
diff --git a/packages/aws/data_stream/emr_logs/fields/ecs.yml b/packages/aws/data_stream/emr_logs/fields/ecs.yml
new file mode 100644
index 00000000000..249a3bb663a
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/fields/ecs.yml
@@ -0,0 +1,60 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: message
+- external: ecs
+ name: tags
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.instance.name
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: cloud.project.id
+- external: ecs
+ name: container.id
+- external: ecs
+ name: container.image.name
+- external: ecs
+ name: container.labels
+- external: ecs
+ name: container.name
+- external: ecs
+ name: log.level
\ No newline at end of file
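Review bot: `event.original` is populated by the pipeline's `rename` processor and appears in every expected test document of this commit, but it is not declared here (nor in fields.yml, where `process.name`, `process.entrypoint` and `process.message` are), so its mapping presumably falls back to the data stream's dynamic-mapping defaults instead of the ECS definition. Adding `- external: ecs` / `name: event.original` keeps the field typed consistently with the other AWS log data streams. As a style point, `process.name` is an ECS field and could be referenced as `external: ecs` in this file rather than redefined as a plain keyword in fields.yml.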
diff --git a/packages/aws/data_stream/emr_logs/fields/fields.yml b/packages/aws/data_stream/emr_logs/fields/fields.yml
new file mode 100644
index 00000000000..d25df0d5191
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/fields/fields.yml
@@ -0,0 +1,28 @@
+- name: aws.s3
+ type: group
+ fields:
+ - name: bucket.name
+ type: keyword
+ description: |
+ Name of a S3 bucket.
+ - name: bucket.arn
+ type: keyword
+ description: |
+ ARN of the S3 bucket that this log retrieved from.
+ - name: object.key
+ type: keyword
+ description: |
+ Name of the S3 object that this log retrieved from.
+ - name: metadata
+ type: flattened
+ description: |
+ AWS S3 object metadata values.
+- name: process.name
+ type: keyword
+ description: Process name.
+- name: process.entrypoint
+ type: keyword
+ description: Process entrypoint.
+- name: process.message
+ type: keyword
+ description: Process message.
\ No newline at end of file
diff --git a/packages/aws/data_stream/emr_logs/manifest.yml b/packages/aws/data_stream/emr_logs/manifest.yml
new file mode 100644
index 00000000000..68dade863cc
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/manifest.yml
@@ -0,0 +1,232 @@
+title: AWS EMR logs
+type: logs
+streams:
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
+ title: AWS EMR Logs via S3
+ description: Collect AWS EMR logs using s3 input
+ enabled: true
+ vars:
+ - name: collect_s3_logs
+ required: true
+ show_user: true
+ title: Collect logs via S3 Bucket
+ description: To Collect logs via S3 bucket enable the toggle switch.
+ type: bool
+ multi: false
+ default: true
+ - name: bucket_arn
+ type: text
+ title: "[S3] Bucket ARN"
+ multi: false
+ required: false
+ show_user: true
+ description: Mandatory if the "Collect logs via S3 Bucket" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket.
+ - name: queue_url
+ type: text
+ title: "[SQS] Queue URL"
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ description: Mandatory if the "Collect logs via S3 Bucket" switch is off. URL of the AWS SQS queue that messages will be received from.
+ - name: bucket_list_prefix
+ type: text
+ title: "[S3] Bucket Prefix"
+ multi: false
+ required: false
+ show_user: false
+ description: Prefix to apply for the list request to the S3 bucket.
+ - name: interval
+ type: text
+ title: "[S3] Interval"
+ multi: false
+ required: false
+ show_user: false
+ default: 1m
+ description: "Time interval for polling listing of the S3 bucket. NOTE: Supported units for this parameter are h/m/s."
+ - name: number_of_workers
+ type: integer
+ title: "[S3] Number of Workers"
+ multi: false
+ required: false
+ show_user: false
+ default: 5
+ description: Number of workers that will process the S3 objects listed.
+ - name: visibility_timeout
+ type: text
+ title: "[SQS] Visibility Timeout"
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: "[SQS] API Timeout"
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
+ - name: max_number_of_messages
+ type: integer
+ title: "[SQS] Maximum Concurrent SQS Messages"
+ description: The maximum number of SQS messages that can be inflight at any time.
+ default: 5
+ required: false
+ show_user: false
+ - name: fips_enabled
+ type: bool
+ title: Enable S3 FIPS
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-emr-logs
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - input: aws-cloudwatch
+ template_path: aws-cloudwatch.yml.hbs
+ title: AWS EMR Logs via CloudWatch
+ description: Collect AWS EMR logs using cloudwatch input.
+ enabled: false
+ vars:
+ - name: log_group_arn
+ type: text
+ title: Log Group ARN
+ multi: false
+ required: false
+ show_user: true
+ description: ARN of the log group to collect logs from.
+ - name: log_group_name
+ type: text
+ title: Log Group Name
+ multi: false
+ required: false
+ show_user: false
+ description: Name of the log group to collect logs from. `region_name` is required when `log_group_name` is given.
+ - name: log_group_name_prefix
+ type: text
+ title: Log Group Name Prefix
+ multi: false
+ required: false
+ show_user: false
+ description: The prefix for a group of log group names. `region_name` is required when `log_group_name_prefix` is given. `log_group_name` and `log_group_name_prefix` cannot be given at the same time.
+ - name: region_name
+ type: text
+ title: Region Name
+ multi: false
+ required: false
+ show_user: false
+ description: Region that the specified log group or log group prefix belongs to.
+ - name: log_streams
+ type: text
+ title: Log Streams
+ multi: true
+ required: false
+ show_user: false
+ description: A list of strings of log streams names that Filebeat collect log events from.
+ - name: log_stream_prefix
+ type: text
+ title: Log Stream Prefix
+ multi: false
+ required: false
+ show_user: false
+ description: A string to filter the results to include only log events from log streams that have names starting with this prefix.
+ - name: start_position
+ type: text
+ title: Start Position
+ multi: false
+ required: false
+ default: beginning
+ show_user: true
+ description: Allows user to specify if this input should read log files from the beginning or from the end.
+ - name: scan_frequency
+ type: text
+ title: Scan Frequency
+ multi: false
+ required: false
+ show_user: false
+ default: 1m
+ description: This config parameter sets how often Filebeat checks for new log events from the specified log group.
+ - name: api_timeput
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 120s
+ description: The maximum duration of AWS API can take. If it exceeds the timeout, AWS API will be interrupted.
+ - name: api_sleep
+ type: text
+ title: API Sleep
+ multi: false
+ required: false
+ show_user: false
+ default: 200ms
+ description: This is used to sleep between AWS FilterLogEvents API calls inside the same collection period. `FilterLogEvents` API has a quota of 5 transactions per second (TPS)/account/Region. This value should only be adjusted when there are multiple Filebeats or multiple Filebeat inputs collecting logs from the same region and AWS account.
+ - name: latency
+ type: text
+ title: Latency
+ multi: false
+ required: false
+ show_user: false
+ description: "The amount of time required for the logs to be available to CloudWatch Logs. Sample values, `1m` or `5m` — see Golang [time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more details. Latency translates the query's time range to consider the CloudWatch Logs latency. Example: `5m` means that the integration will query CloudWatch to search for logs available 5 minutes ago."
+ - name: number_of_workers
+ type: integer
+ title: Number of workers
+ required: false
+ show_user: false
+ description: The number of workers assigned to reading from log groups. Each worker will read log events from one of the log groups matching `log_group_name_prefix`. For example, if `log_group_name_prefix` matches five log groups, then `number_of_workers` should be set to `5`. The default value is `1`.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-emr-logs
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+# Ensures agents have permissions to write data to `logs-*-*`
+elasticsearch.dynamic_dataset: true
+elasticsearch.dynamic_namespace: true
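Review bot: `queue_url` is declared `type: text` but carries `default: false` (the `[SQS] Queue URL` entry); a boolean default on a text variable is a type mismatch — drop the `default` line, as the other optional text variables do. `collect_s3_logs` defaults to `true` while `bucket_arn` stays `required: false`, so the policy form accepts an empty bucket ARN; the description says "Mandatory" but nothing enforces it, and the aws-s3 template in this commit then renders an input with no source. The CloudWatch `number_of_workers` description states "The default value is `1`" yet no `default:` is given, unlike the S3 stream's entry (`default: 5`); either add `default: 1` or drop the sentence so the UI and the text agree.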
diff --git a/packages/aws/data_stream/emr_logs/sample_event.json b/packages/aws/data_stream/emr_logs/sample_event.json
new file mode 100644
index 00000000000..e5506058298
--- /dev/null
+++ b/packages/aws/data_stream/emr_logs/sample_event.json
@@ -0,0 +1,24 @@
+{
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.emr_logs"
+ },
+ "@timestamp": "2020-02-20T07:01:01.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,566 INFO common.Util: dfs.datanode.fileio.profiling.sampling.percentage set to 0. Disabling file IO profiling"
+ },
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "message": "dfs.datanode.fileio.profiling.sampling.percentage set to 0. Disabling file IO profiling",
+ "tags": [
+ "preserve_original_event"
+ ]
+}
\ No newline at end of file
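Review bot: The sample event is internally inconsistent with what the pipeline in this commit produces: `event.original` carries `2023-06-26 13:45:50,566 INFO common.Util: ...`, yet `@timestamp` is `2020-02-20T07:01:01.000Z` and `process.name` is `blockmanagement.BlockManager`, values the grok and date processors could not have derived from that line. Since this file is rendered into the package README, regenerate it from a real pipeline run (the expected test output added in this commit contains matching documents) so readers see a faithful example. It also omits the `agent`, `cloud` and `aws.s3` fields the fields files declare, which suggests it was hand-written rather than captured.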
diff --git a/packages/aws/data_stream/emr_metrics/fields/ecs.yml b/packages/aws/data_stream/emr_metrics/fields/ecs.yml
index c31e930d1f0..17aba4ca24e 100644
--- a/packages/aws/data_stream/emr_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/emr_metrics/fields/ecs.yml
@@ -2,6 +2,7 @@
name: cloud
- external: ecs
name: cloud.account.id
+ dimension: true
- external: ecs
name: cloud.account.name
- external: ecs
@@ -18,6 +19,7 @@
name: cloud.provider
- external: ecs
name: cloud.region
+ dimension: true
- external: ecs
name: ecs.version
- external: ecs
@@ -60,3 +62,6 @@
name: container.labels
- external: ecs
name: container.name
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/aws/data_stream/emr_metrics/fields/fields.yml b/packages/aws/data_stream/emr_metrics/fields/fields.yml
index 5edbbf69638..da72d8b1215 100644
--- a/packages/aws/data_stream/emr_metrics/fields/fields.yml
+++ b/packages/aws/data_stream/emr_metrics/fields/fields.yml
@@ -16,15 +16,15 @@
- name: ContainerAllocated.sum
type: long
description: The number of resource containers allocated by the ResourceManager.
- metric_type: counter
+ metric_type: gauge
- name: ContainerReserved.sum
type: long
description: The number of containers reserved.
- metric_type: counter
+ metric_type: gauge
- name: ContainerPending.sum
type: long
description: The number of containers in the queue that have not yet been allocated.
- metric_type: counter
+ metric_type: gauge
- name: ContainerPendingRatio.avg
type: long
description: The ratio of pending containers to containers allocated
@@ -33,31 +33,31 @@
- name: AppsCompleted.sum
type: long
description: The number of applications submitted to YARN that have completed.
- metric_type: counter
+ metric_type: gauge
- name: AppsFailed.sum
type: long
description: The number of applications submitted to YARN that have failed to complete.
- metric_type: counter
+ metric_type: gauge
- name: AppsKilled.sum
type: long
description: The number of applications submitted to YARN that have been killed.
- metric_type: counter
+ metric_type: gauge
- name: AppsPending.sum
type: long
description: The number of applications submitted to YARN that are in a pending state.
- metric_type: counter
+ metric_type: gauge
- name: AppsRunning.sum
type: long
description: The number of applications submitted to YARN that are running.
- metric_type: counter
+ metric_type: gauge
- name: AppsSubmitted.sum
type: long
description: The number of applications submitted to YARN.
- metric_type: counter
+ metric_type: gauge
- name: CoreNodesPending.sum
type: long
description: The number of core nodes waiting to be assigned.
- metric_type: counter
+ metric_type: gauge
- name: LiveDataNodes.avg
type: double
description: The percentage of data nodes that are receiving work from Hadoop.
@@ -66,31 +66,31 @@
- name: MRTotalNodes.sum
type: long
description: The number of nodes presently available to MapReduce jobs.
- metric_type: counter
+ metric_type: gauge
- name: MRActiveNodes.sum
type: long
description: The number of nodes presently running MapReduce tasks or jobs.
- metric_type: counter
+ metric_type: gauge
- name: MRLostNodes.sum
type: long
description: The number of nodes allocated to MapReduce that have been marked in a LOST state.
- metric_type: counter
+ metric_type: gauge
- name: MRUnhealthyNodes.sum
type: long
description: The number of nodes available to MapReduce jobs marked in an UNHEALTHY state.
- metric_type: counter
+ metric_type: gauge
- name: MRDecommissionedNodes.sum
type: long
description: The number of nodes allocated to MapReduce applications that have been marked in a DECOMMISSIONED state.
- metric_type: counter
+ metric_type: gauge
- name: MRRebootedNodes.sum
type: long
description: The number of nodes available to MapReduce that have been rebooted and marked in a REBOOTED state.
- metric_type: counter
+ metric_type: gauge
- name: MultiMasterInstanceGroupNodesRunning.sum
type: long
description: The number of running master nodes.
- metric_type: counter
+ metric_type: gauge
- name: MultiMasterInstanceGroupNodesRunningPercentage.avg
type: double
description: The percentage of master nodes that are running over the requested master node instance count.
@@ -99,16 +99,16 @@
- name: MultiMasterInstanceGroupNodesRequested.sum
type: long
description: The number of requested master nodes.
- metric_type: counter
+ metric_type: gauge
- name: S3BytesWritten.sum
type: long
description: The number of bytes written to Amazon S3.
- metric_type: counter
+ metric_type: gauge
unit: byte
- name: S3BytesRead.sum
type: long
description: The number of bytes read from Amazon S3.
- metric_type: counter
+ metric_type: gauge
unit: byte
- name: HDFSUtilization.avg
type: double
@@ -118,12 +118,12 @@
- name: HDFSBytesRead.sum
type: long
description: The number of bytes read from HDFS.
- metric_type: counter
+ metric_type: gauge
unit: byte
- name: HDFSBytesWritten.sum
type: long
description: The number of bytes written to HDFS.
- metric_type: counter
+ metric_type: gauge
unit: byte
- name: MissingBlocks.max
type: long
@@ -136,21 +136,21 @@
- name: TotalLoad.sum
type: long
description: The total number of concurrent data transfers.
- metric_type: counter
+ metric_type: gauge
- name: MemoryTotalMB.sum
type: long
description: The total amount of memory in the cluster.
- metric_type: counter
+ metric_type: gauge
unit: byte
- name: MemoryReservedMB.sum
type: long
description: The amount of memory reserved.
- metric_type: counter
+ metric_type: gauge
unit: byte
- name: MemoryAvailableMB.sum
type: long
description: The amount of memory available to be allocated.
- metric_type: counter
+ metric_type: gauge
unit: byte
- name: YARNMemoryAvailablePercentage.avg
type: double
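Review bot: `MemoryTotalMB.sum`, `MemoryReservedMB.sum` and `MemoryAvailableMB.sum` keep `unit: byte` on the new side while their names (and CloudWatch's EMR metric definitions) indicate megabytes; with `metric_type: gauge` now set these fields feed Kibana's formatters, which would display a value of `1024` as 1 KiB rather than 1 GiB. The same applies to `MemoryAllocatedMB.sum` and `CapacityRemainingGB.sum` (`unit: byte`, values in GB) in the next hunk. Either convert the values to bytes in the ingest pipeline or drop the `unit` line, since as far as I know the package spec offers no megabyte/gigabyte unit — I have not seen the emr_metrics pipeline, so confirm no conversion already happens there.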
@@ -160,24 +160,24 @@
- name: MemoryAllocatedMB.sum
type: long
description: The amount of memory allocated to the cluster.
- metric_type: counter
+ metric_type: gauge
unit: byte
- name: PendingDeletionBlocks.sum
type: long
description: The number of blocks marked for deletion.
- metric_type: counter
+ metric_type: gauge
- name: UnderReplicatedBlocks.sum
type: long
description: The number of blocks that need to be replicated one or more times.
- metric_type: counter
+ metric_type: gauge
- name: DfsPendingReplicationBlocks.sum
type: long
description: The status of block replication - blocks being replicated, age of replication requests, and unsuccessful replication requests.
- metric_type: counter
+ metric_type: gauge
- name: CapacityRemainingGB.sum
type: long
description: The amount of remaining HDFS disk capacity.
- metric_type: counter
+ metric_type: gauge
unit: byte
- name: TotalUnitsRequested.max
type: long
@@ -254,7 +254,7 @@
- name: TotalNotebookKernels.sum
type: long
description: The total number of running and idle notebook kernels on the cluster.
- metric_type: counter
+ metric_type: gauge
- name: AutoTerminationIsClusterIdle.avg
type: long
description: Indicates whether the cluster is in use.
diff --git a/packages/aws/data_stream/emr_metrics/manifest.yml b/packages/aws/data_stream/emr_metrics/manifest.yml
index 8fd5519bfe2..d46f18d08cb 100644
--- a/packages/aws/data_stream/emr_metrics/manifest.yml
+++ b/packages/aws/data_stream/emr_metrics/manifest.yml
@@ -1,6 +1,8 @@
title: AWS EMR metrics
type: metrics
release: beta
+elasticsearch:
+ index_mode: "time_series"
streams:
- input: aws/metrics
vars:
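Review bot: Switching `index_mode` to `time_series` makes `@timestamp` plus the set of `dimension: true` fields the document identity, and from the hunks in this commit only `cloud.account.id`, `cloud.region` and `agent.id` are marked for this data stream. Unless the per-cluster CloudWatch dimension (EMR's `JobFlowId`, which the AWS input stores under `aws.dimensions`) is flagged as a dimension elsewhere in fields.yml (not in view), two clusters in the same account and region reporting at the same timestamp would collide as one time series and documents would be rejected, silently dropping metrics. The same check applies to the `s3_daily_storage`, `s3_request` and `usage` manifests in this commit, whose dimension fields are not in view either. The `streams` block this hunk touches continues outside it.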
diff --git a/packages/aws/data_stream/guardduty/_dev/test/system/test-default-config.yml b/packages/aws/data_stream/guardduty/_dev/test/system/test-default-config.yml
index 7da8e062aa2..213c98db1dd 100644
--- a/packages/aws/data_stream/guardduty/_dev/test/system/test-default-config.yml
+++ b/packages/aws/data_stream/guardduty/_dev/test/system/test-default-config.yml
@@ -1,7 +1,4 @@
input: httpjson
-skip:
- reason: "Support backward compatibility of Current AWS package."
- link: https://github.com/elastic/integrations/issues/4911
service: guardduty
vars:
secret_access_key: xxxx
diff --git a/packages/aws/data_stream/guardduty/agent/stream/httpjson.yml.hbs b/packages/aws/data_stream/guardduty/agent/stream/httpjson.yml.hbs
index 644f4c094b5..479b6d1f697 100644
--- a/packages/aws/data_stream/guardduty/agent/stream/httpjson.yml.hbs
+++ b/packages/aws/data_stream/guardduty/agent/stream/httpjson.yml.hbs
@@ -19,7 +19,7 @@ request.transforms:
target: header.X-Amz-Date
value: '[[formatDate (now) "20060102T150405Z"]]'
- set:
- target: body.MaxResults
+ target: body.maxResults
value: 50
value_type: int
- set:
diff --git a/packages/aws/data_stream/rds/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/rds/elasticsearch/ingest_pipeline/default.yml
index 51fce7d0714..d07c2b30dbe 100644
--- a/packages/aws/data_stream/rds/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/rds/elasticsearch/ingest_pipeline/default.yml
@@ -278,74 +278,3 @@ processors:
field: aws.rds.metrics.AuroraVolumeBytesLeftTotal.avg
target_field: aws.rds.aurora_volume_left_total.bytes
ignore_missing: true
- - remove:
- field:
- - aws.rds.metrics.BurstBalance
- - aws.rds.metrics.CPUUtilization
- - aws.rds.metrics.CPUCreditUsage
- - aws.rds.metrics.CPUCreditBalance
- - aws.rds.metrics.DatabaseConnections
- - aws.rds.metrics.DiskQueueDepth
- - aws.rds.metrics.FailedSQLServerAgentJobsCount
- - aws.rds.metrics.FreeableMemory
- - aws.rds.metrics.FreeStorageSpace
- - aws.rds.metrics.MaximumUsedTransactionIDs
- - aws.rds.metrics.OldestReplicationSlotLag
- - aws.rds.metrics.ReadIOPS.avg
- - aws.rds.metrics.CommitThroughput
- - aws.rds.metrics.DeleteThroughput
- - aws.rds.metrics.DDLThroughput
- - aws.rds.metrics.DMLThroughput
- - aws.rds.metrics.InsertThroughput
- - aws.rds.metrics.NetworkThroughput
- - aws.rds.metrics.NetworkReceiveThroughput
- - aws.rds.metrics.NetworkTransmitThroughput
- - aws.rds.metrics.ReadThroughput
- - aws.rds.metrics.SelectThroughput
- - aws.rds.metrics.UpdateThroughput
- - aws.rds.metrics.WriteThroughput
- - aws.rds.metrics.CommitLatency
- - aws.rds.metrics.DDLLatency
- - aws.rds.metrics.DMLLatency
- - aws.rds.metrics.InsertLatency
- - aws.rds.metrics.ReadLatency
- - aws.rds.metrics.SelectLatency
- - aws.rds.metrics.UpdateLatency
- - aws.rds.metrics.WriteLatency
- - aws.rds.metrics.DeleteLatency
- - aws.rds.metrics.ReplicaLag
- - aws.rds.metrics.BinLogDiskUsage
- - aws.rds.metrics.ReplicationSlotDiskUsage
- - aws.rds.metrics.TransactionLogsDiskUsage
- - aws.rds.metrics.SwapUsage
- - aws.rds.metrics.TransactionLogsGeneration
- - aws.rds.metrics.WriteIOPS
- - aws.rds.metrics.Queries
- - aws.rds.metrics.Deadlocks
- - aws.rds.metrics.VolumeBytesUsed
- - aws.rds.metrics.FreeLocalStorage
- - aws.rds.metrics.ActiveTransactions
- - aws.rds.metrics.BlockedTransactions
- - aws.rds.metrics.LoginFailures
- - aws.rds.metrics.AuroraBinlogReplicaLag
- - aws.rds.metrics.aurora_bin_log_replica_lag
- - aws.rds.metrics.AuroraGlobalDBDataTransferBytes
- - aws.rds.metrics.AuroraGlobalDBReplicationLag
- - aws.rds.metrics.AuroraReplicaLag
- - aws.rds.metrics.AuroraReplicaLagMaximum
- - aws.rds.metrics.AuroraReplicaLagMinimum
- - aws.rds.metrics.BacktrackChangeRecordsCreationRate
- - aws.rds.metrics.BacktrackChangeRecordsStored
- - aws.rds.metrics.BacktrackWindowActual
- - aws.rds.metrics.BacktrackWindowAlert
- - aws.rds.metrics.BackupRetentionPeriodStorageUsed
- - aws.rds.metrics.SnapshotStorageUsed
- - aws.rds.metrics.BufferCacheHitRatio
- - aws.rds.metrics.ResultSetCacheHitRatio
- - aws.rds.metrics.EngineUptime
- - aws.rds.metrics.VolumeReadIOPs
- - aws.rds.metrics.VolumeWriteIOPs
- - aws.rds.metrics.RDSToAuroraPostgreSQLReplicaLag
- - aws.rds.metrics.TotalBackupStorageBilled
- - aws.rds.metrics.AuroraVolumeBytesLeftTotal
- ignore_missing: true
\ No newline at end of file
diff --git a/packages/aws/data_stream/s3_daily_storage/manifest.yml b/packages/aws/data_stream/s3_daily_storage/manifest.yml
index 4768bbf65ca..028b41325cf 100644
--- a/packages/aws/data_stream/s3_daily_storage/manifest.yml
+++ b/packages/aws/data_stream/s3_daily_storage/manifest.yml
@@ -1,5 +1,7 @@
title: AWS S3 daily storage metrics
type: metrics
+elasticsearch:
+ index_mode: "time_series"
streams:
- input: aws/metrics
vars:
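Review bot: Switching this data stream to `index_mode: "time_series"` is only safe if its fields.yml marks at least one field `dimension: true` and gives the metric fields a `metric_type`; those field changes are not in this hunk, so I cannot confirm them from here. In TSDB mode a document's identity is derived from its dimensions plus timestamp, so if the dimension set does not uniquely identify each CloudWatch series (at minimum bucket, region and account for these streams), later documents with the same dimensions and timestamp are presumably rejected as duplicates rather than stored. The same check applies to the s3_request and usage manifest hunks that make the identical change.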
diff --git a/packages/aws/data_stream/s3_request/manifest.yml b/packages/aws/data_stream/s3_request/manifest.yml
index 1070acd093d..3c8def48812 100644
--- a/packages/aws/data_stream/s3_request/manifest.yml
+++ b/packages/aws/data_stream/s3_request/manifest.yml
@@ -1,5 +1,7 @@
title: AWS S3 request metrics
type: metrics
+elasticsearch:
+ index_mode: "time_series"
streams:
- input: aws/metrics
vars:
diff --git a/packages/aws/data_stream/usage/manifest.yml b/packages/aws/data_stream/usage/manifest.yml
index ed871e37a93..963e3e6d92a 100644
--- a/packages/aws/data_stream/usage/manifest.yml
+++ b/packages/aws/data_stream/usage/manifest.yml
@@ -1,5 +1,7 @@
title: AWS usage metrics
type: metrics
+elasticsearch:
+ index_mode: "time_series"
streams:
- input: aws/metrics
vars:
diff --git a/packages/aws/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs b/packages/aws/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs
index 77fae5d0dc8..64796e6215f 100644
--- a/packages/aws/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs
+++ b/packages/aws/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs
@@ -1,9 +1,22 @@
-queue_url: {{queue_url}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
+{{#if collect_s3_logs}}
+
+{{#if bucket_arn}}
+bucket_arn: {{bucket_arn}}
{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
+{{#if number_of_workers}}
+number_of_workers: {{number_of_workers}}
+{{/if}}
+{{#if interval}}
+bucket_list_interval: {{interval}}
+{{/if}}
+{{#if bucket_list_prefix}}
+bucket_list_prefix: {{bucket_list_prefix}}
+{{/if}}
+
+{{else}}
+
+{{#if queue_url}}
+queue_url: {{queue_url}}
{{/if}}
{{#if visibility_timeout}}
visibility_timeout: {{visibility_timeout}}
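Review bot: With `bucket_arn` and `queue_url` each wrapped in its own `{{#if}}`, a policy where the toggle is on but no ARN is set (or off with no queue URL) renders an aws-s3 input that names neither a bucket nor a queue, and the error only surfaces when the agent's input config validation presumably rejects it. The manifest hunk for this same data stream lowers `queue_url` from `required: true` to `required: false` and leaves `bucket_arn` optional, so Fleet no longer catches the omission before the policy is deployed. Since the manifest schema has no conditional requirement, at least the two descriptions should state the consequence, e.g. `description: Required when the "Collect logs via S3 Bucket" switch is on; if left empty the input has no source and will not start.` for `bucket_arn` and the mirror wording for `queue_url`. The remainder of the template beyond this hunk is unchanged.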
@@ -14,6 +27,15 @@ api_timeout: {{api_timeout}}
{{#if max_number_of_messages}}
max_number_of_messages: {{max_number_of_messages}}
{{/if}}
+
+{{/if}}
+
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
{{#if default_region}}
default_region: {{default_region}}
{{/if}}
diff --git a/packages/aws/data_stream/vpcflow/fields/fields.yml b/packages/aws/data_stream/vpcflow/fields/fields.yml
index 1f2779983f2..0d85135f5d3 100644
--- a/packages/aws/data_stream/vpcflow/fields/fields.yml
+++ b/packages/aws/data_stream/vpcflow/fields/fields.yml
@@ -1,3 +1,22 @@
+- name: aws.s3
+ type: group
+ fields:
+ - name: bucket.name
+ type: keyword
+ description: |
+ Name of a S3 bucket.
+ - name: bucket.arn
+ type: keyword
+ description: |
+ ARN of the S3 bucket that this log retrieved from.
+ - name: object.key
+ type: keyword
+ description: |
+ Name of the S3 object that this log retrieved from.
+ - name: metadata
+ type: flattened
+ description: |
+ AWS S3 object metadata values.
- name: aws.vpcflow
type: group
fields:
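Review bot: The new descriptions on `bucket.arn` and `object.key` read `that this log retrieved from`, which is missing a verb; suggest `ARN of the S3 bucket that this log was retrieved from.` and `Name of the S3 object that this log was retrieved from.`, and `Name of an S3 bucket.` for `bucket.name`. These strings are copied verbatim into the generated docs (the cloudtrail.md and apigateway.md sections in this same diff repeat them), so fixing them here propagates. Mapping `metadata` as `flattened` looks right, since S3 object metadata keys are set by whoever writes the object and a dynamic object mapping would let them grow the index mapping.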
@@ -74,3 +93,4 @@
type: keyword
description: |
The ID of the sublocation that contains the network interface for which traffic is recorded. If the traffic is not from a sublocation, the field is removed.
+
diff --git a/packages/aws/data_stream/vpcflow/manifest.yml b/packages/aws/data_stream/vpcflow/manifest.yml
index 73a6daa68bd..a8117ff5a00 100644
--- a/packages/aws/data_stream/vpcflow/manifest.yml
+++ b/packages/aws/data_stream/vpcflow/manifest.yml
@@ -7,27 +7,72 @@ streams:
description: Collect AWS vpcflow logs using s3 input
enabled: false
vars:
+ - name: collect_s3_logs
+ required: true
+ show_user: true
+ title: Collect logs via S3 Bucket
+ description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue.
+ type: bool
+ multi: false
+ default: false
+ - name: bucket_arn
+ type: text
+ title: "[S3] Bucket ARN"
+ multi: false
+ required: false
+ show_user: true
+ description: Mandatory if the "Collect logs via S3 Bucket" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket.
+ - name: queue_url
+ type: text
+ title: "[SQS] Queue URL"
+ multi: false
+ required: false
+ show_user: true
+ description: Mandatory if the "Collect logs via S3 Bucket" switch is off. URL of the AWS SQS queue that messages will be received from.
+ - name: bucket_list_prefix
+ type: text
+ title: "[S3] Bucket Prefix"
+ multi: false
+ required: false
+ show_user: false
+ description: Prefix to apply for the list request to the S3 bucket.
+ - name: interval
+ type: text
+ title: "[S3] Interval"
+ multi: false
+ required: false
+ show_user: false
+ default: 1m
+ description: "Time interval for polling listing of the S3 bucket. NOTE: Supported units for this parameter are h/m/s."
+ - name: number_of_workers
+ type: integer
+ title: "[S3] Number of Workers"
+ multi: false
+ required: false
+ show_user: false
+ default: 5
+ description: Number of workers that will process the S3 objects listed.
- name: visibility_timeout
type: text
- title: Visibility Timeout
+ title: "[SQS] Visibility Timeout"
multi: false
required: false
show_user: false
description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- name: api_timeout
type: text
- title: API Timeout
+ title: "[SQS] API Timeout"
multi: false
required: false
show_user: false
description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: queue_url
- type: text
- title: Queue URL
- multi: false
- required: true
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from.
+ - name: max_number_of_messages
+ type: integer
+ title: "[SQS] Maximum Concurrent SQS Messages"
+ description: The maximum number of SQS messages that can be inflight at any time.
+ default: 5
+ required: false
+ show_user: false
- name: fips_enabled
type: bool
title: Enable S3 FIPS
@@ -62,13 +107,6 @@ streams:
type: bool
multi: false
default: false
- - name: max_number_of_messages
- type: integer
- title: Maximum Concurrent SQS Messages
- description: The maximum number of SQS messages that can be inflight at any time.
- default: 5
- required: false
- show_user: false
- input: aws-cloudwatch
template_path: aws-cloudwatch.yml.hbs
title: AWS VPC Flow Logs via CloudWatch
diff --git a/packages/aws/docs/apigateway.md b/packages/aws/docs/apigateway.md
index 4f940fc08e5..6a45a52aa60 100644
--- a/packages/aws/docs/apigateway.md
+++ b/packages/aws/docs/apigateway.md
@@ -2,7 +2,7 @@
The AWS API Gateway integration allows you to monitor [API Gateway](https://aws.amazon.com/api-gateway/) — a centralized API management service.
-Use the AWS API Gateway integration to collect metrics related to your HTTP, REST or WebSockets APIs. Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference metrics when troubleshooting an issue.
+Use the AWS API Gateway integration to collect metrics and logs related to your HTTP, REST or WebSockets APIs. Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference metrics when troubleshooting an issue.
For example, you could use this integration to examine metrics related to error rates, response codes, and latency. You can pinpoint problematic areas, identify error-prone API endpoints, and troubleshoot performance issues.
@@ -10,7 +10,29 @@ For example, you could use this integration to examine metrics related to error
## Data streams
-The API Gateway integration collects one type of data: metrics.
+The API Gateway integration collects two types of data: metrics and logs.
+
+**Logs** help you keep a record of events happening in Amazon API Gateway.
+Logs collected by the Amazon API Gateway integration include the HTTP method, status code, request details and more.
+
+AWS API Gateway allows you to set up Custom Access Logging to gain deeper insights into the requests and responses through your API by making use of context variables ([HTTP](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging-variables.html), [WebSockets](https://docs.aws.amazon.com/apigateway/latest/developerguide/websocket-api-logging.html)), input, stage and util variables ([REST](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html)).
+
+The Elastic integration for AWS API Gateway supports the following Log Format by API type:
+
+HTTP:
+```{"requestId": "$context.requestId","ip": "$context.identity.sourceIp","requestTime": "$context.requestTime","httpMethod": "$context.httpMethod","routeKey": "$context.routeKey","status": "$context.status","protocol": "$context.protocol","responseLength": "$context.responseLength",apiId": "$context.apiId", "domainName": "$context.domainName", "stage": "$context.stage"}```
+
+REST:
+```{"requestId": "$context.requestId","ip": "$context.identity.sourceIp","caller": "$context.identity.caller","user": "$context.identity.user""requestTime": "$context.requestTime","httpMethod": "$context.httpMethod","resourcePath": "$context.resourcePath","status": "$context.status","protocol": "$context.protocol","responseLength": "$context.responseLength",apiId": "$context.apiId", "domainName": "$context.domainName", "stage": "$context.stage"}```
+
+WebSockets:
+```{"requestId": "$context.requestId","ip": "$context.identity.sourceIp","caller": "$context.identity.caller","user": "$context.identity.user","requestTime": "$context.requestTime","eventType": "$context.eventType","routeKey": "$context.routeKey","status": "$context.status","connectionId": "$context.connectionId", apiId": "$context.apiId", "domainName": "$context.domainName", "stage": "$context.stage"}```
+
+Beyond the standard Log Formats we provide, you can use a wide range of fields for each API type when enabling Custom Access Logging.
+
+To utilize these fields in the integration, create custom pipelines. These pipelines will process field names or values. You'll also need to create a custom mapping to store your data efficiently. For more information on how to do this, check out our [official documentation](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
+
+See more details in the [Logs reference](#logs-reference).
**Metrics** give you insight into the state of API Gateway.
Metrics collected by the AWS API Gateway integration include the number of client and server errors, request and error counts and cache counts.
@@ -140,21 +162,22 @@ An example event for `apigateway` looks as following:
| Field | Description | Type | Unit | Metric Type |
|---|---|---|---|---|
| @timestamp | Event timestamp. | date | | |
-| aws.apigateway.metrics.4XXError.sum | The number of client-side errors captured in a given period. | long | | counter |
-| aws.apigateway.metrics.4xx.sum | The number of client-side errors captured in a given period. | long | | counter |
-| aws.apigateway.metrics.5XXError.sum | The number of server-side errors captured in a given period. | long | | counter |
-| aws.apigateway.metrics.5xx.sum | The number of server-side errors captured in a given period. | long | | counter |
-| aws.apigateway.metrics.CacheHitCount.sum | The number of requests served from the API cache in a given period. | long | | counter |
-| aws.apigateway.metrics.CacheMissCount.sum | The number of requests served from the backend in a given period, when API caching is enabled. | long | | counter |
-| aws.apigateway.metrics.ClientError.sum | The number of requests that have a 4XX response returned by API Gateway before the integration is invoked. | long | | counter |
-| aws.apigateway.metrics.ConnectCount.sum | The number of messages sent to the connect route integration. | long | | counter |
-| aws.apigateway.metrics.Count.sum | The total number of API requests in a given period. | long | | counter |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| aws.apigateway.metrics.4XXError.sum | The number of client-side errors captured in a given period. | long | | gauge |
+| aws.apigateway.metrics.4xx.sum | The number of client-side errors captured in a given period. | long | | gauge |
+| aws.apigateway.metrics.5XXError.sum | The number of server-side errors captured in a given period. | long | | gauge |
+| aws.apigateway.metrics.5xx.sum | The number of server-side errors captured in a given period. | long | | gauge |
+| aws.apigateway.metrics.CacheHitCount.sum | The number of requests served from the API cache in a given period. | long | | gauge |
+| aws.apigateway.metrics.CacheMissCount.sum | The number of requests served from the backend in a given period, when API caching is enabled. | long | | gauge |
+| aws.apigateway.metrics.ClientError.sum | The number of requests that have a 4XX response returned by API Gateway before the integration is invoked. | long | | gauge |
+| aws.apigateway.metrics.ConnectCount.sum | The number of messages sent to the connect route integration. | long | | gauge |
+| aws.apigateway.metrics.Count.sum | The total number of API requests in a given period. | long | | gauge |
| aws.apigateway.metrics.DataProcessed.avg | The amount of data processed in bytes. | long | byte | gauge |
-| aws.apigateway.metrics.ExecutionError.sum | Errors that occurred when calling the integration. | long | | counter |
-| aws.apigateway.metrics.IntegrationError.sum | The number of requests that return a 4XX/5XX response from the integration. | long | | counter |
+| aws.apigateway.metrics.ExecutionError.sum | Errors that occurred when calling the integration. | long | | gauge |
+| aws.apigateway.metrics.IntegrationError.sum | The number of requests that return a 4XX/5XX response from the integration. | long | | gauge |
| aws.apigateway.metrics.IntegrationLatency.avg | The time between when API Gateway relays a request to the backend and when it receives a response from the backend. | long | ms | gauge |
| aws.apigateway.metrics.Latency.avg | The time between when API Gateway receives a request from a client and when it returns a response to the client. | long | ms | gauge |
-| aws.apigateway.metrics.MessageCount.sum | The number of messages sent to the WebSocket API, either from or to the client. | long | | counter |
+| aws.apigateway.metrics.MessageCount.sum | The number of messages sent to the WebSocket API, either from or to the client. | long | | gauge |
| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | | |
| aws.dimensions.ApiId | Each API created in API Gateway is assigned a unique ApiId, which is used to distinguish and reference that specific API within the system. | keyword | | |
| aws.dimensions.ApiName | It represents a human-readable name that helps identify and differentiate the API within the API Gateway service. | keyword | | |
@@ -205,3 +228,100 @@ An example event for `apigateway` looks as following:
| host.os.version | Operating system version as a raw string. | keyword | | |
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
+
+
+## Logs reference
+
+An example event for `apigateway` looks as following:
+
+```json
+{
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.apigateway_logs"
+ },
+ "@timestamp": "2020-02-20T07:01:01.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "ingested": "2021-07-19T21:47:04.871450600Z",
+ "original": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root."
+ },
+ "aws": {
+ "apigateway": {
+ "ip_address": "172.31.81.156"
+ }
+ },
+ "message": "Stopping User Slice of root.",
+ "tags": [
+ "preserve_original_event"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| aws.apigateway.api_id | The identifier API Gateway assigns to your API. | keyword |
+| aws.apigateway.caller | The principal identifier of the caller making the request. | keyword |
+| aws.apigateway.connection_id | A unique ID for the connection that can be used to make a callback to the client. | keyword |
+| aws.apigateway.domain_name | The full domain name used to invoke the API. | keyword |
+| aws.apigateway.event_type | The event type: CONNECT, MESSAGE, or DISCONNECT. | keyword |
+| aws.apigateway.http_method | The HTTP method used. Valid values include: DELETE, GET, HEAD, OPTIONS, PATCH, POST, and PUT. | keyword |
+| aws.apigateway.ip_address | The internet address of the requester. | ip |
+| aws.apigateway.protocol | API Gateway APIs can accept HTTP/2 requests, but API Gateway sends requests to backend integrations using HTTP/1.1. | keyword |
+| aws.apigateway.request_id | An ID for the request. Clients can override this request ID. | keyword |
+| aws.apigateway.request_time | The CLF-formatted request time (dd/MMM/yyyy:HH:mm:ss +-hhmm). | date |
+| aws.apigateway.resource_path | The path to your resource. | keyword |
+| aws.apigateway.response_length | The response payload length in bytes. | long |
+| aws.apigateway.route_key | The selected route key. | keyword |
+| aws.apigateway.stage | The deployment stage of the API call (for example, beta or prod). | keyword |
+| aws.apigateway.status | The response status. | long |
+| aws.apigateway.user | The principal identifier of the user making the request. | keyword |
+| aws.s3.bucket.arn | ARN of the S3 bucket that this log retrieved from. | keyword |
+| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
+| aws.s3.metadata | AWS S3 object metadata values. | flattened |
+| aws.s3.object.key | Name of the S3 object that this log retrieved from. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/aws/docs/cloudtrail.md b/packages/aws/docs/cloudtrail.md
index 4a29fbccfab..ff2f854432f 100644
--- a/packages/aws/docs/cloudtrail.md
+++ b/packages/aws/docs/cloudtrail.md
@@ -115,6 +115,10 @@ If blank, CloudTrail Digest logs will be skipped.
| aws.cloudtrail.user_identity.session_context.session_issuer.type | The source of the temporary security credentials, such as Root, IAMUser, or Role. | keyword |
| aws.cloudtrail.user_identity.type | The type of the identity | keyword |
| aws.cloudtrail.vpc_endpoint_id | Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. | keyword |
+| aws.s3.bucket.arn | ARN of the S3 bucket that this log retrieved from. | keyword |
+| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
+| aws.s3.metadata | AWS S3 object metadata values. | flattened |
+| aws.s3.object.key | Name of the S3 object that this log retrieved from. | keyword |
| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
diff --git a/packages/aws/docs/cloudwatch.md b/packages/aws/docs/cloudwatch.md
index b9bc24ba49f..96304d19f4c 100644
--- a/packages/aws/docs/cloudwatch.md
+++ b/packages/aws/docs/cloudwatch.md
@@ -201,53 +201,54 @@ An example event for `cloudwatch` looks as following:
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.\*.metrics.\*.\* | Metrics that returned from Cloudwatch API query. | object |
-| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword |
-| aws.dimensions.\* | Metric dimensions. | object |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| aws.\*.metrics.\*.\* | Metrics that returned from Cloudwatch API query. | object | gauge |
+| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | |
+| aws.dimensions.\* | Metric dimensions. | object | |
+| aws.dimensions.fingerprint | Autogenerated ID representing the fingerprint of the aws.dimensions object | keyword | |
+| aws.tags.\* | Tag key value pairs from aws resources. | object | |
+| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | |
+| error.message | Error message. | match_only_text | |
+| event.dataset | Event dataset | constant_keyword | |
+| event.module | Event module | constant_keyword | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
diff --git a/packages/aws/docs/ec2.md b/packages/aws/docs/ec2.md
index f76cb0fb848..4471f034a8d 100644
--- a/packages/aws/docs/ec2.md
+++ b/packages/aws/docs/ec2.md
@@ -152,35 +152,29 @@ An example event for `ec2` looks as following:
```json
{
- "@timestamp": "2022-05-26T12:40:00.000Z",
- "agent": {
- "name": "docker-fleet-agent",
- "id": "24d50340-a9d0-4d5d-9f42-fe9cb4b8c95d",
- "type": "metricbeat",
- "ephemeral_id": "f8282deb-ebc7-4d1f-9386-207f56657244",
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "24d50340-a9d0-4d5d-9f42-fe9cb4b8c95d",
- "version": "8.2.0",
- "snapshot": false
- },
+ "@timestamp": "2023-08-07T18:35:00.000Z",
"cloud": {
- "availability_zone": "us-east-1c",
+ "availability_zone": "eu-north-1c",
"instance": {
- "name": "elastic-package-test-33138",
- "id": "i-0de58890d94dda2e3"
+ "id": "i-0c08512debca266ab"
},
"provider": "aws",
"machine": {
- "type": "t1.micro"
+ "type": "t3.medium"
},
- "region": "us-east-1",
+ "region": "eu-north-1",
"account": {
- "name": "elastic-beats",
- "id": "428152502467"
+ "name": "MonitoringAccount",
+ "id": "627286350134"
}
},
+ "agent": {
+ "name": "docker-fleet-agent",
+ "id": "72314f01-98f2-477f-978a-e98d109c640c",
+ "type": "metricbeat",
+ "ephemeral_id": "b8cd4414-f528-43f4-b43f-0edbcc69b46f",
+ "version": "8.8.1"
+ },
"ecs": {
"version": "8.0.0"
},
@@ -194,107 +188,121 @@ An example event for `ec2` looks as following:
},
"host": {
"hostname": "docker-fleet-agent",
- "disk": {
- "read": {
- "bytes": 0
- },
- "write": {
- "bytes": 0
- }
- },
"os": {
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.49-linuxkit-pr",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
- "version": "20.04.4 LTS (Focal Fossa)",
+ "version": "20.04.6 LTS (Focal Fossa)",
"platform": "ubuntu"
},
- "containerized": true,
+ "containerized": false,
"ip": [
- "192.168.80.7"
+ "172.20.0.7"
],
- "name": "elastic-package-test-33138",
+ "name": "docker-fleet-agent",
"cpu": {
- "usage": 0.08265027322397175
+ "usage": 2.8849988898518673
},
- "id": "i-0de58890d94dda2e3",
+ "id": "d08b346fbb8f49f5a2bb1a477f8ceb54",
"mac": [
- "02:42:c0:a8:50:07"
+ "02-42-AC-14-00-07"
],
- "architecture": "x86_64",
+ "architecture": "aarch64",
"network": {
"ingress": {
- "bytes": 1992
+ "bytes": 1608959,
+ "packets": 5334
},
"egress": {
- "bytes": 1800
+ "bytes": 626755,
+ "packets": 4977
}
}
},
+ "elastic_agent": {
+ "id": "72314f01-98f2-477f-978a-e98d109c640c",
+ "version": "8.8.1",
+ "snapshot": false
+ },
"metricset": {
"period": 300000,
"name": "cloudwatch"
},
"event": {
- "duration": 15936070000,
+ "duration": 5858967919,
"agent_id_status": "verified",
- "ingested": "2022-05-26T12:44:52Z",
+ "ingested": "2023-08-07T18:41:31Z",
"module": "aws",
"dataset": "aws.ec2_metrics"
},
"aws": {
"ec2": {
- "diskio": {
- "read": {
- "count_per_sec": 0,
- "bytes_per_sec": 0
- },
- "write": {
- "count_per_sec": 0,
- "bytes_per_sec": 0
- }
- },
"instance": {
"image": {
- "id": "ami-0ff900168d0231cd3"
+ "id": "ami-00b8290583a865359"
},
"core": {
"count": 1
},
"private": {
- "ip": "172.31.16.45",
- "dns_name": "ip-172-31-16-45.ec2.internal"
+ "ip": "172.31.13.154",
+ "dns_name": "ip-172-31-13-154.eu-north-1.compute.internal"
},
- "threads_per_core": 1,
+ "threads_per_core": 2,
"public": {
- "ip": "54.90.153.147",
- "dns_name": "ec2-54-90-153-147.compute-1.amazonaws.com"
+ "ip": "16.16.138.5",
+ "dns_name": "ec2-16-16-138-5.eu-north-1.compute.amazonaws.com"
},
"state": {
"code": 16,
"name": "running"
},
"monitoring": {
- "state": "enabled"
+ "state": "disabled"
}
},
- "cpu": {
- "credit_balance": 144,
- "credit_usage": 0.004121
- },
- "status": {
- "check_failed": 0,
- "check_failed_instance": 0,
- "check_failed_system": 0
- },
- "network": {
- "in": {
- "bytes_per_sec": 33.2
+ "metrics": {
+ "NetworkOut": {
+ "rate": 10445.916666666666,
+ "sum": 626755
+ },
+ "CPUUtilization": {
+ "avg": 2.8849988898518673
+ },
+ "StatusCheckFailed_Instance": {
+ "avg": 0
+ },
+ "CPUCreditUsage": {
+ "avg": 0.29100543333333334
+ },
+ "CPUCreditBalance": {
+ "avg": 576
},
- "out": {
- "bytes_per_sec": 30
+ "NetworkPacketsOut": {
+ "rate": 82.95,
+ "sum": 4977
+ },
+ "NetworkPacketsIn": {
+ "rate": 88.9,
+ "sum": 5334
+ },
+ "NetworkIn": {
+ "rate": 26815.983333333334,
+ "sum": 1608959
+ },
+ "StatusCheckFailed": {
+ "avg": 0
+ },
+ "CPUSurplusCreditsCharged": {
+ "avg": 0
+ },
+ "CPUSurplusCreditBalance": {
+ "avg": 0
+ },
+ "StatusCheckFailed_System": {
+ "avg": 0
}
}
},
@@ -302,10 +310,12 @@ An example event for `ec2` looks as following:
"namespace": "AWS/EC2"
},
"dimensions": {
- "InstanceId": "i-0de58890d94dda2e3"
+ "InstanceId": "i-0c08512debca266ab"
},
"tags": {
- "Name": "elastic-package-test-33138"
+ "aws:autoscaling:groupName": "eks-firehose-50c386d7-c8b1-bde8-5d42-d3841ca7ecfe",
+ "aws:ec2launchtemplate:version": "1",
+ "aws:ec2launchtemplate:id": "lt-09e1cdf590e35c687"
}
}
}
@@ -313,67 +323,76 @@ An example event for `ec2` looks as following:
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.\*.metrics.\*.\* | Metrics that returned from Cloudwatch API query. | object |
-| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword |
-| aws.dimensions.AutoScalingGroupName | An Auto Scaling group is a collection of instances you define if you're using Auto Scaling. | keyword |
-| aws.dimensions.ImageId | This dimension filters the data you request for all instances running this Amazon EC2 Amazon Machine Image (AMI) | keyword |
-| aws.dimensions.InstanceId | Amazon EC2 instance ID | keyword |
-| aws.dimensions.InstanceType | This dimension filters the data you request for all instances running with this specified instance type. | keyword |
-| aws.ec2.cpu.credit_balance | The number of earned CPU credits that an instance has accrued since it was launched or started. | long |
-| aws.ec2.cpu.credit_usage | The number of CPU credits spent by the instance for CPU utilization. | long |
-| aws.ec2.cpu.surplus_credit_balance | The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero. | long |
-| aws.ec2.cpu.surplus_credits_charged | The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge. | long |
-| aws.ec2.diskio.read.bytes_per_sec | Bytes read per second from all instance store volumes available to the instance. | long |
-| aws.ec2.diskio.read.count_per_sec | Completed read operations per second from all instance store volumes available to the instance in a specified period of time. | long |
-| aws.ec2.diskio.write.bytes_per_sec | Bytes written per second to all instance store volumes available to the instance. | long |
-| aws.ec2.diskio.write.count_per_sec | Completed write operations per second to all instance store volumes available to the instance in a specified period of time. | long |
-| aws.ec2.instance.core.count | The number of CPU cores for the instance. | integer |
-| aws.ec2.instance.image.id | The ID of the image used to launch the instance. | keyword |
-| aws.ec2.instance.monitoring.state | Indicates whether detailed monitoring is enabled. | keyword |
-| aws.ec2.instance.private.dns_name | The private DNS name of the network interface. | keyword |
-| aws.ec2.instance.private.ip | The private IPv4 address associated with the network interface. | ip |
-| aws.ec2.instance.public.dns_name | The public DNS name of the instance. | keyword |
-| aws.ec2.instance.public.ip | The address of the Elastic IP address (IPv4) bound to the network interface. | ip |
-| aws.ec2.instance.state.code | The state of the instance, as a 16-bit unsigned integer. | integer |
-| aws.ec2.instance.state.name | The state of the instance (pending | running | shutting-down | terminated | stopping | stopped). | keyword |
-| aws.ec2.instance.threads_per_core | The number of threads per CPU core. | integer |
-| aws.ec2.network.in.bytes_per_sec | The number of bytes per second received on all network interfaces by the instance. | long |
-| aws.ec2.network.in.packets_per_sec | The number of packets per second sent out on all network interfaces by the instance. | long |
-| aws.ec2.network.out.bytes_per_sec | The number of bytes per second sent out on all network interfaces by the instance. | long |
-| aws.ec2.network.out.packets_per_sec | The number of packets per second sent out on all network interfaces by the instance. | long |
-| aws.ec2.status.check_failed | Reports whether the instance has passed both the instance status check and the system status check in the last minute. | long |
-| aws.ec2.status.check_failed_instance | Reports whether the instance has passed the instance status check in the last minute. | long |
-| aws.ec2.status.check_failed_system | Reports whether the instance has passed the system status check in the last minute. | long |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
-| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
-| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
-| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
-| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
-| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
-| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | |
+| aws.dimensions.AutoScalingGroupName | An Auto Scaling group is a collection of instances you define if you're using Auto Scaling. | keyword | |
+| aws.dimensions.ImageId | This dimension filters the data you request for all instances running this Amazon EC2 Amazon Machine Image (AMI) | keyword | |
+| aws.dimensions.InstanceId | Amazon EC2 instance ID | keyword | |
+| aws.dimensions.InstanceType | This dimension filters the data you request for all instances running with this specified instance type. | keyword | |
+| aws.ec2.instance.core.count | The number of CPU cores for the instance. | integer | |
+| aws.ec2.instance.image.id | The ID of the image used to launch the instance. | keyword | |
+| aws.ec2.instance.monitoring.state | Indicates whether detailed monitoring is enabled. | keyword | |
+| aws.ec2.instance.private.dns_name | The private DNS name of the network interface. | keyword | |
+| aws.ec2.instance.private.ip | The private IPv4 address associated with the network interface. | ip | |
+| aws.ec2.instance.public.dns_name | The public DNS name of the instance. | keyword | |
+| aws.ec2.instance.public.ip | The address of the Elastic IP address (IPv4) bound to the network interface. | ip | |
+| aws.ec2.instance.state.code | The state of the instance, as a 16-bit unsigned integer. | integer | |
+| aws.ec2.instance.state.name | The state of the instance (pending | running | shutting-down | terminated | stopping | stopped). | keyword | |
+| aws.ec2.instance.threads_per_core | The number of threads per CPU core. | integer | |
+| aws.ec2.metrics.CPUCreditBalance.avg | The number of earned CPU credits that an instance has accrued since it was launched or started. | long | gauge |
+| aws.ec2.metrics.CPUCreditUsage.avg | The number of CPU credits spent by the instance for CPU utilization. | long | gauge |
+| aws.ec2.metrics.CPUSurplusCreditBalance.avg | The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero. | long | gauge |
+| aws.ec2.metrics.CPUSurplusCreditsCharged.avg | The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge. | long | gauge |
+| aws.ec2.metrics.CPUUtilization.avg | The average percentage of physical CPU time that Amazon EC2 uses to run the EC2 instance. | long | gauge |
+| aws.ec2.metrics.DiskReadBytes.rate | Bytes read per second from all instance store volumes available to the instance. | long | gauge |
+| aws.ec2.metrics.DiskReadBytes.sum | Total bytes read from all instance store volumes available to the instance. | long | gauge |
+| aws.ec2.metrics.DiskReadOps.rate | Completed read operations per second from all instance store volumes available to the instance in a specified period of time. | long | gauge |
+| aws.ec2.metrics.DiskReadOps.sum | Total completed read operations from all instance store volumes available to the instance in a specified period of time. | long | gauge |
+| aws.ec2.metrics.DiskWriteBytes.rate | Bytes written per second to all instance store volumes available to the instance. | long | gauge |
+| aws.ec2.metrics.DiskWriteBytes.sum | Total bytes written to all instance store volumes available to the instance. | long | gauge |
+| aws.ec2.metrics.DiskWriteOps.rate | Completed write operations per second to all instance store volumes available to the instance in a specified period of time. | long | gauge |
+| aws.ec2.metrics.DiskWriteOps.sum | Total completed write operations to all instance store volumes available to the instance in a specified period of time. | long | gauge |
+| aws.ec2.metrics.NetworkIn.rate | The number of bytes per second received on all network interfaces by the instance. | long | gauge |
+| aws.ec2.metrics.NetworkIn.sum | The number of bytes total received on all network interfaces by the instance. | long | gauge |
+| aws.ec2.metrics.NetworkOut.rate | The number of bytes per second sent out on all network interfaces by the instance. | long | gauge |
+| aws.ec2.metrics.NetworkOut.sum | The number of bytes total sent out on all network interfaces by the instance. | long | gauge |
+| aws.ec2.metrics.NetworkPacketsIn.rate | The number of packets per second sent out on all network interfaces by the instance. | long | gauge |
+| aws.ec2.metrics.NetworkPacketsIn.sum | The number of packets total sent out on all network interfaces by the instance. | long | gauge |
+| aws.ec2.metrics.NetworkPacketsOut.rate | The number of packets per second sent out on all network interfaces by the instance. | long | gauge |
+| aws.ec2.metrics.NetworkPacketsOut.sum | The number of packets total sent out on all network interfaces by the instance. | long | gauge |
+| aws.ec2.metrics.StatusCheckFailed.avg | Reports whether the instance has passed both the instance status check and the system status check in the last minute. | long | gauge |
+| aws.ec2.metrics.StatusCheckFailed_Instance.avg | Reports whether the instance has passed the instance status check in the last minute. | long | gauge |
+| aws.ec2.metrics.StatusCheckFailed_System.avg | Reports whether the instance has passed the system status check in the last minute. | long | gauge |
+| aws.s3.bucket.name | Name of a S3 bucket. | keyword | |
+| aws.tags.\* | Tag key value pairs from aws resources. | object | |
+| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | |
+| error.message | Error message. | match_only_text | |
+| event.dataset | Event dataset | constant_keyword | |
+| event.module | Event module | constant_keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
diff --git a/packages/aws/docs/emr.md b/packages/aws/docs/emr.md
index 24698fd5813..ce6167d337c 100644
--- a/packages/aws/docs/emr.md
+++ b/packages/aws/docs/emr.md
@@ -10,11 +10,14 @@ For example, you could use this data to track Amazon EMR cluster progress and cl
## Data streams
-The Amazon EMR integration collects one type of data: metrics.
+The Amazon EMR integration collects two types of data: metrics and logs.
**Metrics** give you insight into the state of Amazon EMR.
The metrics collected by the Amazon EMR integration include cluster progress, cluster state, cluster or node storage, and more. See more details in the [Metrics reference](#metrics-reference)
+**Logs** help you keep a record of events happening in Amazon EMR.
+Logs collected by the Amazon EMR integration include the cluster status, node status details and more.
+
## Requirements
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
@@ -109,21 +112,22 @@ An example event for `emr` looks as following:
| Field | Description | Type | Unit | Metric Type |
|---|---|---|---|---|
| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | | |
| aws.dimensions.JobFlowId | Filters metrics by cluster ID. | keyword | | |
-| aws.elasticmapreduce.metrics.AppsCompleted.sum | The number of applications submitted to YARN that have completed. | long | | counter |
-| aws.elasticmapreduce.metrics.AppsFailed.sum | The number of applications submitted to YARN that have failed to complete. | long | | counter |
-| aws.elasticmapreduce.metrics.AppsKilled.sum | The number of applications submitted to YARN that have been killed. | long | | counter |
-| aws.elasticmapreduce.metrics.AppsPending.sum | The number of applications submitted to YARN that are in a pending state. | long | | counter |
-| aws.elasticmapreduce.metrics.AppsRunning.sum | The number of applications submitted to YARN that are running. | long | | counter |
-| aws.elasticmapreduce.metrics.AppsSubmitted.sum | The number of applications submitted to YARN. | long | | counter |
+| aws.elasticmapreduce.metrics.AppsCompleted.sum | The number of applications submitted to YARN that have completed. | long | | gauge |
+| aws.elasticmapreduce.metrics.AppsFailed.sum | The number of applications submitted to YARN that have failed to complete. | long | | gauge |
+| aws.elasticmapreduce.metrics.AppsKilled.sum | The number of applications submitted to YARN that have been killed. | long | | gauge |
+| aws.elasticmapreduce.metrics.AppsPending.sum | The number of applications submitted to YARN that are in a pending state. | long | | gauge |
+| aws.elasticmapreduce.metrics.AppsRunning.sum | The number of applications submitted to YARN that are running. | long | | gauge |
+| aws.elasticmapreduce.metrics.AppsSubmitted.sum | The number of applications submitted to YARN. | long | | gauge |
| aws.elasticmapreduce.metrics.AutoTerminationIsClusterIdle.avg | Indicates whether the cluster is in use. | long | percent | gauge |
-| aws.elasticmapreduce.metrics.CapacityRemainingGB.sum | The amount of remaining HDFS disk capacity. | long | byte | counter |
-| aws.elasticmapreduce.metrics.ContainerAllocated.sum | The number of resource containers allocated by the ResourceManager. | long | | counter |
-| aws.elasticmapreduce.metrics.ContainerPending.sum | The number of containers in the queue that have not yet been allocated. | long | | counter |
+| aws.elasticmapreduce.metrics.CapacityRemainingGB.sum | The amount of remaining HDFS disk capacity. | long | byte | gauge |
+| aws.elasticmapreduce.metrics.ContainerAllocated.sum | The number of resource containers allocated by the ResourceManager. | long | | gauge |
+| aws.elasticmapreduce.metrics.ContainerPending.sum | The number of containers in the queue that have not yet been allocated. | long | | gauge |
| aws.elasticmapreduce.metrics.ContainerPendingRatio.avg | The ratio of pending containers to containers allocated | long | percent | gauge |
-| aws.elasticmapreduce.metrics.ContainerReserved.sum | The number of containers reserved. | long | | counter |
-| aws.elasticmapreduce.metrics.CoreNodesPending.sum | The number of core nodes waiting to be assigned. | long | | counter |
+| aws.elasticmapreduce.metrics.ContainerReserved.sum | The number of containers reserved. | long | | gauge |
+| aws.elasticmapreduce.metrics.CoreNodesPending.sum | The number of core nodes waiting to be assigned. | long | | gauge |
| aws.elasticmapreduce.metrics.CoreNodesRequested.max | The target number of CORE nodes in a cluster as determined by managed scaling. | long | | gauge |
| aws.elasticmapreduce.metrics.CoreNodesRunning.avg | The current number of CORE nodes running in a cluster. | long | | gauge |
| aws.elasticmapreduce.metrics.CoreUnitsRequested.max | The target number of CORE units in a cluster as determined by managed scaling. | long | | gauge |
@@ -131,44 +135,44 @@ An example event for `emr` looks as following:
| aws.elasticmapreduce.metrics.CoreVCPURequested.max | The target number of CORE vCPUs in a cluster as determined by managed scaling. | long | | gauge |
| aws.elasticmapreduce.metrics.CoreVCPURunning.avg | The current number of CORE vCPUs running in a cluster. | long | | gauge |
| aws.elasticmapreduce.metrics.CorruptBlocks.max | The number of blocks that HDFS reports as corrupted. | long | | gauge |
-| aws.elasticmapreduce.metrics.DfsPendingReplicationBlocks.sum | The status of block replication - blocks being replicated, age of replication requests, and unsuccessful replication requests. | long | | counter |
-| aws.elasticmapreduce.metrics.HDFSBytesRead.sum | The number of bytes read from HDFS. | long | byte | counter |
-| aws.elasticmapreduce.metrics.HDFSBytesWritten.sum | The number of bytes written to HDFS. | long | byte | counter |
+| aws.elasticmapreduce.metrics.DfsPendingReplicationBlocks.sum | The status of block replication - blocks being replicated, age of replication requests, and unsuccessful replication requests. | long | | gauge |
+| aws.elasticmapreduce.metrics.HDFSBytesRead.sum | The number of bytes read from HDFS. | long | byte | gauge |
+| aws.elasticmapreduce.metrics.HDFSBytesWritten.sum | The number of bytes written to HDFS. | long | byte | gauge |
| aws.elasticmapreduce.metrics.HDFSUtilization.avg | The percentage of HDFS storage currently used. | double | percent | gauge |
| aws.elasticmapreduce.metrics.IsIdle.avg | Indicates that a cluster is no longer performing work, but is still alive and accruing charges. | long | percent | gauge |
| aws.elasticmapreduce.metrics.LiveDataNodes.avg | The percentage of data nodes that are receiving work from Hadoop. | double | percent | gauge |
-| aws.elasticmapreduce.metrics.MRActiveNodes.sum | The number of nodes presently running MapReduce tasks or jobs. | long | | counter |
-| aws.elasticmapreduce.metrics.MRDecommissionedNodes.sum | The number of nodes allocated to MapReduce applications that have been marked in a DECOMMISSIONED state. | long | | counter |
-| aws.elasticmapreduce.metrics.MRLostNodes.sum | The number of nodes allocated to MapReduce that have been marked in a LOST state. | long | | counter |
-| aws.elasticmapreduce.metrics.MRRebootedNodes.sum | The number of nodes available to MapReduce that have been rebooted and marked in a REBOOTED state. | long | | counter |
-| aws.elasticmapreduce.metrics.MRTotalNodes.sum | The number of nodes presently available to MapReduce jobs. | long | | counter |
-| aws.elasticmapreduce.metrics.MRUnhealthyNodes.sum | The number of nodes available to MapReduce jobs marked in an UNHEALTHY state. | long | | counter |
-| aws.elasticmapreduce.metrics.MemoryAllocatedMB.sum | The amount of memory allocated to the cluster. | long | byte | counter |
-| aws.elasticmapreduce.metrics.MemoryAvailableMB.sum | The amount of memory available to be allocated. | long | byte | counter |
-| aws.elasticmapreduce.metrics.MemoryReservedMB.sum | The amount of memory reserved. | long | byte | counter |
-| aws.elasticmapreduce.metrics.MemoryTotalMB.sum | The total amount of memory in the cluster. | long | byte | counter |
+| aws.elasticmapreduce.metrics.MRActiveNodes.sum | The number of nodes presently running MapReduce tasks or jobs. | long | | gauge |
+| aws.elasticmapreduce.metrics.MRDecommissionedNodes.sum | The number of nodes allocated to MapReduce applications that have been marked in a DECOMMISSIONED state. | long | | gauge |
+| aws.elasticmapreduce.metrics.MRLostNodes.sum | The number of nodes allocated to MapReduce that have been marked in a LOST state. | long | | gauge |
+| aws.elasticmapreduce.metrics.MRRebootedNodes.sum | The number of nodes available to MapReduce that have been rebooted and marked in a REBOOTED state. | long | | gauge |
+| aws.elasticmapreduce.metrics.MRTotalNodes.sum | The number of nodes presently available to MapReduce jobs. | long | | gauge |
+| aws.elasticmapreduce.metrics.MRUnhealthyNodes.sum | The number of nodes available to MapReduce jobs marked in an UNHEALTHY state. | long | | gauge |
+| aws.elasticmapreduce.metrics.MemoryAllocatedMB.sum | The amount of memory allocated to the cluster. | long | byte | gauge |
+| aws.elasticmapreduce.metrics.MemoryAvailableMB.sum | The amount of memory available to be allocated. | long | byte | gauge |
+| aws.elasticmapreduce.metrics.MemoryReservedMB.sum | The amount of memory reserved. | long | byte | gauge |
+| aws.elasticmapreduce.metrics.MemoryTotalMB.sum | The total amount of memory in the cluster. | long | byte | gauge |
| aws.elasticmapreduce.metrics.MissingBlocks.max | The number of blocks in which HDFS has no replicas. | long | | gauge |
-| aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRequested.sum | The number of requested master nodes. | long | | counter |
-| aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRunning.sum | The number of running master nodes. | long | | counter |
+| aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRequested.sum | The number of requested master nodes. | long | | gauge |
+| aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRunning.sum | The number of running master nodes. | long | | gauge |
| aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRunningPercentage.avg | The percentage of master nodes that are running over the requested master node instance count. | double | percent | gauge |
-| aws.elasticmapreduce.metrics.PendingDeletionBlocks.sum | The number of blocks marked for deletion. | long | | counter |
-| aws.elasticmapreduce.metrics.S3BytesRead.sum | The number of bytes read from Amazon S3. | long | byte | counter |
-| aws.elasticmapreduce.metrics.S3BytesWritten.sum | The number of bytes written to Amazon S3. | long | byte | counter |
+| aws.elasticmapreduce.metrics.PendingDeletionBlocks.sum | The number of blocks marked for deletion. | long | | gauge |
+| aws.elasticmapreduce.metrics.S3BytesRead.sum | The number of bytes read from Amazon S3. | long | byte | gauge |
+| aws.elasticmapreduce.metrics.S3BytesWritten.sum | The number of bytes written to Amazon S3. | long | byte | gauge |
| aws.elasticmapreduce.metrics.TaskNodesRequested.max | The target number of TASK nodes in a cluster as determined by managed scaling. | long | | gauge |
| aws.elasticmapreduce.metrics.TaskNodesRunning.avg | The current number of TASK nodes running in a cluster. | long | | gauge |
| aws.elasticmapreduce.metrics.TaskUnitsRequested.max | The target number of TASK units in a cluster as determined by managed scaling. | long | | gauge |
| aws.elasticmapreduce.metrics.TaskUnitsRunning.avg | The current number of TASK units running in a cluster. | long | | gauge |
| aws.elasticmapreduce.metrics.TaskVCPURequested.max | The target number of TASK vCPUs in a cluster as determined by managed scaling. | long | | gauge |
| aws.elasticmapreduce.metrics.TaskVCPURunning.avg | The current number of TASK vCPUs running in a cluster. | long | | gauge |
-| aws.elasticmapreduce.metrics.TotalLoad.sum | The total number of concurrent data transfers. | long | | counter |
+| aws.elasticmapreduce.metrics.TotalLoad.sum | The total number of concurrent data transfers. | long | | gauge |
| aws.elasticmapreduce.metrics.TotalNodesRequested.max | The target total number of nodes in a cluster as determined by managed scaling. | long | | gauge |
| aws.elasticmapreduce.metrics.TotalNodesRunning.avg | The current total number of nodes available in a running cluster. | long | | gauge |
-| aws.elasticmapreduce.metrics.TotalNotebookKernels.sum | The total number of running and idle notebook kernels on the cluster. | long | | counter |
+| aws.elasticmapreduce.metrics.TotalNotebookKernels.sum | The total number of running and idle notebook kernels on the cluster. | long | | gauge |
| aws.elasticmapreduce.metrics.TotalUnitsRequested.max | The target total number of units in a cluster as determined by managed scaling. | long | | gauge |
| aws.elasticmapreduce.metrics.TotalUnitsRunning.avg | The current total number of units available in a running cluster. | long | | gauge |
| aws.elasticmapreduce.metrics.TotalVCPURequested.max | The target total number of vCPUs in a cluster as determined by managed scaling. | long | | gauge |
| aws.elasticmapreduce.metrics.TotalVCPURunning.avg | The current total number of vCPUs available in a running cluster. | long | | gauge |
-| aws.elasticmapreduce.metrics.UnderReplicatedBlocks.sum | The number of blocks that need to be replicated one or more times. | long | | counter |
+| aws.elasticmapreduce.metrics.UnderReplicatedBlocks.sum | The number of blocks that need to be replicated one or more times. | long | | gauge |
| aws.elasticmapreduce.metrics.YARNMemoryAvailablePercentage.avg | The percentage of remaining memory available to YARN | double | percent | gauge |
| aws.s3.bucket.name | Name of a S3 bucket. | keyword | | |
| aws.tags.\* | Tag key value pairs from aws resources. | object | | |
@@ -213,3 +217,88 @@ An example event for `emr` looks as following:
| host.os.version | Operating system version as a raw string. | keyword | | |
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
+
+
+## Logs reference
+
+An example event for `emr` looks as following:
+
+```json
+{
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.emr_logs"
+ },
+ "@timestamp": "2020-02-20T07:01:01.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "log": {
+ "level": "INFO"
+ },
+ "event": {
+ "original": "2023-06-26 13:45:50,566 INFO common.Util: dfs.datanode.fileio.profiling.sampling.percentage set to 0. Disabling file IO profiling"
+ },
+ "process": {
+ "name": "blockmanagement.BlockManager"
+ },
+ "message": "dfs.datanode.fileio.profiling.sampling.percentage set to 0. Disabling file IO profiling",
+ "tags": [
+ "preserve_original_event"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| aws.s3.bucket.arn | ARN of the S3 bucket that this log retrieved from. | keyword |
+| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
+| aws.s3.metadata | AWS S3 object metadata values. | flattened |
+| aws.s3.object.key | Name of the S3 object that this log retrieved from. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| process.entrypoint | Process entrypoint. | keyword |
+| process.message | Process message. | keyword |
+| process.name | Process name. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/aws/docs/vpcflow.md b/packages/aws/docs/vpcflow.md
index cd358707f70..26ad7a89ef3 100644
--- a/packages/aws/docs/vpcflow.md
+++ b/packages/aws/docs/vpcflow.md
@@ -85,6 +85,10 @@ The `number_of_workers` setting defines the number of workers assigned to readin
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
+| aws.s3.bucket.arn | ARN of the S3 bucket that this log retrieved from. | keyword |
+| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
+| aws.s3.metadata | AWS S3 object metadata values. | flattened |
+| aws.s3.object.key | Name of the S3 object that this log retrieved from. | keyword |
| aws.vpcflow.account_id | The AWS account ID for the flow log. | keyword |
| aws.vpcflow.action | The action that is associated with the traffic, ACCEPT or REJECT. | keyword |
| aws.vpcflow.instance_id | The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you. | keyword |
diff --git a/packages/aws/img/filebeat-aws-apigateway-overview.png b/packages/aws/img/filebeat-aws-apigateway-overview.png
new file mode 100644
index 00000000000..efdd4d382e0
Binary files /dev/null and b/packages/aws/img/filebeat-aws-apigateway-overview.png differ
diff --git a/packages/aws/img/filebeat-aws-emr-overview.png b/packages/aws/img/filebeat-aws-emr-overview.png
new file mode 100644
index 00000000000..6e27933a4a0
Binary files /dev/null and b/packages/aws/img/filebeat-aws-emr-overview.png differ
diff --git a/packages/aws/img/filebeat-aws-firewall-alerts.png b/packages/aws/img/filebeat-aws-firewall-alerts.png
index 3c478366d1c..195be257e05 100644
Binary files a/packages/aws/img/filebeat-aws-firewall-alerts.png and b/packages/aws/img/filebeat-aws-firewall-alerts.png differ
diff --git a/packages/aws/img/filebeat-aws-firewall-flows.png b/packages/aws/img/filebeat-aws-firewall-flows.png
index 9c2337ac549..5e3c1961e57 100644
Binary files a/packages/aws/img/filebeat-aws-firewall-flows.png and b/packages/aws/img/filebeat-aws-firewall-flows.png differ
diff --git a/packages/aws/img/filebeat-aws-firewall-overview.png b/packages/aws/img/filebeat-aws-firewall-overview.png
index b868846151c..048bdd0fe8f 100644
Binary files a/packages/aws/img/filebeat-aws-firewall-overview.png and b/packages/aws/img/filebeat-aws-firewall-overview.png differ
diff --git a/packages/aws/img/filebeat-aws-s3access-overview.png b/packages/aws/img/filebeat-aws-s3access-overview.png
index ed5f9c42fd0..10201f334a3 100644
Binary files a/packages/aws/img/filebeat-aws-s3access-overview.png and b/packages/aws/img/filebeat-aws-s3access-overview.png differ
diff --git a/packages/aws/img/filebeat-aws-vpcflow-overview.png b/packages/aws/img/filebeat-aws-vpcflow-overview.png
index 15eee187641..85da48705e7 100644
Binary files a/packages/aws/img/filebeat-aws-vpcflow-overview.png and b/packages/aws/img/filebeat-aws-vpcflow-overview.png differ
diff --git a/packages/aws/img/metricbeat-aws-billing-overview.png b/packages/aws/img/metricbeat-aws-billing-overview.png
index fc7bf1c664f..298f970839f 100644
Binary files a/packages/aws/img/metricbeat-aws-billing-overview.png and b/packages/aws/img/metricbeat-aws-billing-overview.png differ
diff --git a/packages/aws/img/metricbeat-aws-redshift-overview.png b/packages/aws/img/metricbeat-aws-redshift-overview.png
index 3f9cda8fa78..265f1a75570 100644
Binary files a/packages/aws/img/metricbeat-aws-redshift-overview.png and b/packages/aws/img/metricbeat-aws-redshift-overview.png differ
diff --git a/packages/aws/img/securityhub_summary_dashboard.png b/packages/aws/img/securityhub_summary_dashboard.png
index 4d066916bba..e8930944ffd 100644
Binary files a/packages/aws/img/securityhub_summary_dashboard.png and b/packages/aws/img/securityhub_summary_dashboard.png differ
diff --git a/packages/aws/kibana/dashboard/aws-15503340-4488-11ea-ad63-791a5dc86f10.json b/packages/aws/kibana/dashboard/aws-15503340-4488-11ea-ad63-791a5dc86f10.json
index 1fb9acec837..f87decc844e 100644
--- a/packages/aws/kibana/dashboard/aws-15503340-4488-11ea-ad63-791a5dc86f10.json
+++ b/packages/aws/kibana/dashboard/aws-15503340-4488-11ea-ad63-791a5dc86f10.json
@@ -1,14 +1,12 @@
{
- "id": "aws-15503340-4488-11ea-ad63-791a5dc86f10",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-08-01T13:47:45.463Z",
- "version": "Wzg0NSwxXQ==",
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"646957e1-54a2-4461-b862-eebe7b8d6bcc\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"646957e1-54a2-4461-b862-eebe7b8d6bcc\",\"fieldName\":\"aws.s3.bucket.name\",\"title\":\"S3 Bucket Names\",\"enhancements\":{}}}}"
+ },
"description": "Logs AWS VPC Flow Log Overview Dashboard",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
@@ -20,80 +18,196 @@
},
"optionsJSON": {
"hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
- "title": "S3 Bucket Filter",
- "savedVis": {
- "title": "S3 Bucket Name Filter [Logs AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "controls": [
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "86cfaa02-f45b-4de6-9017-0e0cdd3b274b": {
+ "columnOrder": [
+ "841feb22-9e6e-46da-86fb-4060376ac1a0",
+ "cbf8de11-c02e-4e2f-948f-265d60459706"
+ ],
+ "columns": {
+ "841feb22-9e6e-46da-86fb-4060376ac1a0": {
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Top 10 values of source.ip",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cbf8de11-c02e-4e2f-948f-265d60459706",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ },
+ "cbf8de11-c02e-4e2f-948f-265d60459706": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.vpcflow\" "
+ },
+ "isBucketed": false,
+ "label": "IP address",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "reducedTimeRange": "",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
{
- "fieldName": "aws.s3.bucket.name",
- "id": "1565034367477",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "S3 Bucket Names",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-86cfaa02-f45b-4de6-9017-0e0cdd3b274b",
+ "type": "index-pattern"
}
],
- "pinFilters": false,
- "updateFiltersOnChange": true,
- "useTimeFilter": true
- },
- "type": "input_control_vis",
- "data": {
- "aggs": [],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": false
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": false
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "cbf8de11-c02e-4e2f-948f-265d60459706"
+ ],
+ "layerId": "86cfaa02-f45b-4de6-9017-0e0cdd3b274b",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar_horizontal",
+ "xAccessor": "841feb22-9e6e-46da-86fb-4060376ac1a0",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(115,216,255,1)",
+ "forAccessor": "cbf8de11-c02e-4e2f-948f-265d60459706"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "bottom",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": false
+ },
+ "valueLabels": "show"
}
- }
- }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 5,
- "i": "c802177f-038c-4a35-a82d-0fa42c857d02",
+ "h": 17,
+ "i": "3dde08df-2d7e-464e-825d-03179e43e175",
"w": 18,
"x": 0,
"y": 0
},
- "panelIndex": "c802177f-038c-4a35-a82d-0fa42c857d02",
- "title": "S3 Bucket Filter",
- "version": "8.0.0",
- "type": "visualization"
+ "panelIndex": "3dde08df-2d7e-464e-825d-03179e43e175",
+ "title": "VPC Flow Top IP Addresses",
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "layerListJSON": "[{\"alpha\":1,\"id\":\"842c201e-96d7-413d-8688-de5ee4f8a1e0\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\",\"lightModeDefault\":\"road_map\"},\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"401944dd-a371-4698-be17-bc4542e9a5d4\",\"label\":\"vpc flow action accept\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"aws.vpcflow.action : \\\"ACCEPT\\\" \"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"destination.geo.location\",\"id\":\"97903038-e08d-4451-bbd2-eb92c894bdf5\",\"scalingType\":\"LIMIT\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\",\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#1EA593\"},\"type\":\"STATIC\"},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":5},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#167a6d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true},{\"alpha\":0.75,\"id\":\"b1d44a5c-3a04-4c80-8080-57585b02fd48\",\"label\":\"vpc flow action reject\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"aws.vpcflow.action : \\\"REJECT\\\" 
\"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"source.geo.location\",\"id\":\"9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb\",\"scalingType\":\"LIMIT\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\",\"indexPatternRefName\":\"layer_2_source_index_pattern\"},\"style\":{\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#f00f0b\"},\"type\":\"STATIC\"},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":5},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#7a1a18\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]",
+ "mapStateJSON": "{\"center\":{\"lat\":0,\"lon\":-108.92402},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15d\",\"to\":\"now\"},\"zoom\":0.47,\"settings\":{\"autoFitToDataBounds\":false}}",
+ "title": "VPC Flow Action Geo Location[Logs AWS]",
+ "uiStateJSON": "{\"isLayerTOCOpen\":false,\"openTOCDetails\":[]}"
+ },
+ "enhancements": {},
+ "hiddenLayers": [],
"isLayerTOCOpen": true,
"mapCenter": {
"lat": 12.09237,
"lon": 60.11722,
"zoom": 0.47
},
- "openTOCDetails": [],
- "title": "VPC Flow Action Geo Location",
- "attributes": {
- "title": "VPC Flow Action Geo Location[Logs AWS]",
- "description": "",
- "uiStateJSON": "{\"isLayerTOCOpen\":false,\"openTOCDetails\":[]}",
- "mapStateJSON": "{\"center\":{\"lat\":0,\"lon\":-108.92402},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15d\",\"to\":\"now\"},\"zoom\":0.47,\"settings\":{\"autoFitToDataBounds\":false}}",
- "layerListJSON": "[{\"alpha\":1,\"id\":\"842c201e-96d7-413d-8688-de5ee4f8a1e0\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\",\"lightModeDefault\":\"road_map\"},\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"401944dd-a371-4698-be17-bc4542e9a5d4\",\"label\":\"vpc flow action accept\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"aws.vpcflow.action : \\\"ACCEPT\\\" \"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"destination.geo.location\",\"id\":\"97903038-e08d-4451-bbd2-eb92c894bdf5\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#1EA593\"},\"type\":\"STATIC\"},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":5},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#167a6d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true},{\"alpha\":0.75,\"id\":\"b1d44a5c-3a04-4c80-8080-57585b02fd48\",\"label\":\"vpc flow action reject\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"aws.vpcflow.action : \\\"REJECT\\\" 
\"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"source.geo.location\",\"id\":\"9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb\",\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#f00f0b\"},\"type\":\"STATIC\"},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":5},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#7a1a18\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]"
- }
+ "openTOCDetails": []
},
"gridData": {
"h": 17,
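Review bot: The dataset restriction for the `VPC Flow Top IP Addresses` panel now lives only on the count column (`"filter": {"language": "kuery", "query": "data_stream.dataset : \"aws.vpcflow\" "}`) while the panel's own `query` is left as `""`, so the `terms` bucket on `source.ip` is computed over every dataset in `logs-*` and only the metric is restricted; the TSVB series filter it replaces applied to the terms split as well. On a cluster where `logs-*` also carries other sources with `source.ip`, that widens the aggregation, and when fewer than ten vpcflow source IPs exist in the time range the top-10 is padded with IPs from unrelated datasets whose count is null (`"emptyAsNull": true` hides the bar but not the axis label). Moving the restriction to the panel query, `"query": {"language": "kuery", "query": "data_stream.dataset : \"aws.vpcflow\""}`, scopes bucket and metric the same way. The ad hoc data view id `tsvb_ad_hoc_logs-*/@timestamp` looks like converter output; worth confirming an ad hoc view on `logs-*` is intended rather than the persisted `logs-*` data-view reference the map panel in this hunk uses.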
@@ -104,277 +218,347 @@
},
"panelIndex": "380eed85-225b-4d5d-88bc-1c70a3643ddb",
"title": "VPC Flow Action Geo Location",
- "version": "8.1.0",
- "type": "map"
+ "type": "map",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "title": "VPC Flow Top IP Addresses",
- "savedVis": {
- "title": "VPC Flow Top IP Addresses [Logs AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_min": "0",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "29527130-3e86-11ea-9067-cf383a4ea3b3"
- }
- ],
- "bar_color_rules": [
- {
- "id": "cc6d5070-3e85-11ea-9067-cf383a4ea3b3"
- }
- ],
- "gauge_color_rules": [
- {
- "id": "2b29c940-3e86-11ea-9067-cf383a4ea3b3"
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
}
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "logs-*",
- "interval": "",
- "isModelInvalid": false,
- "legend_position": "bottom",
- "pivot_id": "user_agent.original",
- "pivot_type": "string",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(115,216,255,1)",
- "color_rules": [
- {
- "id": "42e14220-3e86-11ea-9067-cf383a4ea3b3"
- }
- ],
- "fill": 0.5,
- "filter": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.vpcflow\" "
- },
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "IP address",
- "line_width": 1,
- "metrics": [
- {
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "count"
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "3a3d34c2-5e9f-40a0-8c76-8d98046bdb0a": {
+ "columnOrder": [
+ "70e9ae97-07d7-4c12-baa5-046451c4c111",
+ "96fa67a4-29c8-47a5-9b80-e33b59e74db1"
+ ],
+ "columns": {
+ "70e9ae97-07d7-4c12-baa5-046451c4c111": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "96fa67a4-29c8-47a5-9b80-e33b59e74db1": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.vpcflow\""
+ },
+ "isBucketed": false,
+ "label": "Total Requests",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "50e2716e-87bd-4221-a6ad-ca3af32d3391": {
+ "columnOrder": [
+ "8d4086ff-105d-4c5a-99ee-322d8f76915c",
+ "becfb4b6-83cb-43aa-b34a-fb594d89f39b"
+ ],
+ "columns": {
+ "8d4086ff-105d-4c5a-99ee-322d8f76915c": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "becfb4b6-83cb-43aa-b34a-fb594d89f39b": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.vpcflow\" and aws.vpcflow.action : \"-\" "
+ },
+ "isBucketed": false,
+ "label": "-",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "e967d5d6-33cd-4795-b409-aacf9e3c5e53": {
+ "columnOrder": [
+ "24c316fc-f587-40a5-b4ab-1e783b930024",
+ "844187f7-6228-4e42-b9c0-812008499e60"
+ ],
+ "columns": {
+ "24c316fc-f587-40a5-b4ab-1e783b930024": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "844187f7-6228-4e42-b9c0-812008499e60": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.vpcflow\" and aws.vpcflow.action : \"ACCEPT\" "
+ },
+ "isBucketed": false,
+ "label": "ACCEPT",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
},
- {
- "field": "61ca57f2-469d-11e7-af02-69e470af7417",
- "id": "40c52370-3e87-11ea-9067-cf383a4ea3b3",
- "type": "cumulative_sum"
+ "f4910fcb-12d5-46bf-980a-f68dde0f12d2": {
+ "columnOrder": [
+ "ebc79e52-2cb8-4014-a32e-f840aef9f647",
+ "f3b4e399-2bbb-4767-999d-8b4b952732b6"
+ ],
+ "columns": {
+ "ebc79e52-2cb8-4014-a32e-f840aef9f647": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3b4e399-2bbb-4767-999d-8b4b952732b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.vpcflow\" and aws.vpcflow.action : \"REJECT\" "
+ },
+ "isBucketed": false,
+ "label": "REJECT",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
}
- ],
- "override_index_pattern": 1,
- "point_size": 1,
- "separate_axis": 0,
- "series_drop_last_bucket": 0,
- "series_index_pattern": "logs-*",
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "source.ip",
- "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "timeseries"
+ }
+ },
+ "textBased": {
+ "layers": {}
}
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "type": "top_n",
- "use_kibana_indexes": false,
- "hide_last_value_indicator": true,
- "drop_last_bucket": 1
- },
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
- },
- "gridData": {
- "h": 12,
- "i": "3dde08df-2d7e-464e-825d-03179e43e175",
- "w": 18,
- "x": 0,
- "y": 5
- },
- "panelIndex": "3dde08df-2d7e-464e-825d-03179e43e175",
- "title": "VPC Flow Top IP Addresses",
- "version": "8.0.0",
- "type": "visualization"
- },
- {
- "embeddableConfig": {
- "title": "VPC Flow Total Requests",
- "savedVis": {
- "title": "VPC Flow Total Requests [Logs AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_min": "0",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": "rgba(255,255,255,1)",
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "logs-*",
- "interval": "",
- "isModelInvalid": false,
- "legend_position": "right",
- "series": [
+ },
+ "filters": [],
+ "internalReferences": [
{
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(211,49,21,1)",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.vpcflow\" and aws.vpcflow.action : \"REJECT\" "
- },
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "REJECT",
- "line_width": "2",
- "metrics": [
- {
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "count"
- }
- ],
- "override_index_pattern": 1,
- "point_size": "3",
- "separate_axis": 0,
- "series_drop_last_bucket": 0,
- "series_index_pattern": "logs-*",
- "series_time_field": "@timestamp",
- "split_color_mode": "rainbow",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "aws.vpcflow.action",
- "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "timeseries"
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-3a3d34c2-5e9f-40a0-8c76-8d98046bdb0a",
+ "type": "index-pattern"
},
{
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,188,0,1)",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.vpcflow\" and aws.vpcflow.action : \"ACCEPT\" "
- },
- "formatter": "number",
- "id": "7ec99260-4485-11ea-9ee9-2d27e9149ae8",
- "label": "ACCEPT",
- "line_width": "2",
- "metrics": [
- {
- "id": "7ec99261-4485-11ea-9ee9-2d27e9149ae8",
- "type": "count"
- }
- ],
- "override_index_pattern": 1,
- "point_size": "3",
- "separate_axis": 0,
- "series_drop_last_bucket": 0,
- "series_index_pattern": "logs-*",
- "series_time_field": "@timestamp",
- "split_color_mode": "rainbow",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "aws.vpcflow.action",
- "terms_order_by": "7ec99261-4485-11ea-9ee9-2d27e9149ae8",
- "type": "timeseries"
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-50e2716e-87bd-4221-a6ad-ca3af32d3391",
+ "type": "index-pattern"
},
{
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,220,0,1)",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.vpcflow\" and aws.vpcflow.action : \"-\" "
- },
- "formatter": "number",
- "id": "8d550580-4485-11ea-9ee9-2d27e9149ae8",
- "label": "-",
- "line_width": "2",
- "metrics": [
- {
- "id": "8d552c90-4485-11ea-9ee9-2d27e9149ae8",
- "type": "count"
- }
- ],
- "override_index_pattern": 1,
- "point_size": "3",
- "separate_axis": 0,
- "series_drop_last_bucket": 0,
- "series_index_pattern": "logs-*",
- "series_time_field": "@timestamp",
- "split_color_mode": "rainbow",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "aws.vpcflow.action",
- "terms_order_by": "8d552c90-4485-11ea-9ee9-2d27e9149ae8",
- "type": "timeseries"
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-e967d5d6-33cd-4795-b409-aacf9e3c5e53",
+ "type": "index-pattern"
},
{
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(115,216,255,1)",
- "fill": "0.5",
- "filter": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.vpcflow\""
- },
- "formatter": "number",
- "id": "c8c27df0-4485-11ea-9ee9-2d27e9149ae8",
- "label": "Total Requests",
- "line_width": "2",
- "metrics": [
- {
- "id": "c8c27df1-4485-11ea-9ee9-2d27e9149ae8",
- "type": "count"
- }
- ],
- "override_index_pattern": 1,
- "point_size": "3",
- "separate_axis": 0,
- "series_drop_last_bucket": 0,
- "series_index_pattern": "logs-*",
- "series_time_field": "@timestamp",
- "split_color_mode": "rainbow",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "aws.vpcflow.action",
- "terms_order_by": "c8c27df1-4485-11ea-9ee9-2d27e9149ae8",
- "type": "timeseries"
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-f4910fcb-12d5-46bf-980a-f68dde0f12d2",
+ "type": "index-pattern"
}
],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "type": "timeseries",
- "use_kibana_indexes": false,
- "drop_last_bucket": 1
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "f3b4e399-2bbb-4767-999d-8b4b952732b6"
+ ],
+ "layerId": "f4910fcb-12d5-46bf-980a-f68dde0f12d2",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "ebc79e52-2cb8-4014-a32e-f840aef9f647",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(211,49,21,1)",
+ "forAccessor": "f3b4e399-2bbb-4767-999d-8b4b952732b6"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "844187f7-6228-4e42-b9c0-812008499e60"
+ ],
+ "layerId": "e967d5d6-33cd-4795-b409-aacf9e3c5e53",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "24c316fc-f587-40a5-b4ab-1e783b930024",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,188,0,1)",
+ "forAccessor": "844187f7-6228-4e42-b9c0-812008499e60"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "becfb4b6-83cb-43aa-b34a-fb594d89f39b"
+ ],
+ "layerId": "50e2716e-87bd-4221-a6ad-ca3af32d3391",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "8d4086ff-105d-4c5a-99ee-322d8f76915c",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(252,220,0,1)",
+ "forAccessor": "becfb4b6-83cb-43aa-b34a-fb594d89f39b"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "96fa67a4-29c8-47a5-9b80-e33b59e74db1"
+ ],
+ "layerId": "3a3d34c2-5e9f-40a0-8c76-8d98046bdb0a",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "xAccessor": "70e9ae97-07d7-4c12-baa5-046451c4c111",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(115,216,255,1)",
+ "forAccessor": "96fa67a4-29c8-47a5-9b80-e33b59e74db1"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear",
+ "yTitle": "Count"
+ }
},
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
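Review bot: The `VPC Flow Total Requests` panel keeps its `data_stream.dataset : "aws.vpcflow"` restriction only inside the four metric-column `filter` blocks while every layer's `query` is `""`, so each of the four date histograms runs over all of `logs-*`; putting `"query": {"language": "kuery", "query": "data_stream.dataset : \"aws.vpcflow\""}` on the panel and trimming the column filters to `aws.vpcflow.action : "REJECT"` etc. gives one place to maintain the scope. A point of style as well: REJECT, ACCEPT, `-` and Total are modelled as four layers (`f4910fcb…`, `e967d5d6…`, `50e2716e…`, `3a3d34c2…`) each with its own `@timestamp` `date_histogram` and duplicated filter text; one layer with a single histogram column and four filtered `count` columns expresses the same chart, guarantees the series share identical buckets, and shrinks this hunk considerably. The `-` series carries only `"label": "-"`, which tells a reader nothing; a label such as `No action (-)` would help, assuming `-` is the value the flow log emits when no ACCEPT/REJECT was recorded — confirm against the vpcflow field documentation before wording it.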
@@ -385,12 +569,12 @@
},
"panelIndex": "f7c6de04-c771-47ff-a32d-00a7940e414a",
"title": "VPC Flow Total Requests",
- "version": "8.0.0",
- "type": "visualization"
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "title": "VPC Flow Reject Logs"
+ "enhancements": {}
},
"gridData": {
"h": 15,
@@ -400,39 +584,43 @@
"y": 29
},
"panelIndex": "b4dbbe72-0dc0-428b-b21e-91c6cc82745c",
- "panelRefName": "panel_4",
+ "panelRefName": "panel_b4dbbe72-0dc0-428b-b21e-91c6cc82745c",
"title": "VPC Flow Reject Logs",
- "version": "7.4.0"
+ "type": "search",
+ "version": "8.7.1"
}
],
"timeRestore": false,
"title": "[Logs AWS] VPC Flow Log Overview",
"version": 1
},
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-30T07:31:18.993Z",
+ "id": "aws-15503340-4488-11ea-ad63-791a5dc86f10",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
"references": [
{
- "id": "aws-c1aee600-4487-11ea-ad63-791a5dc86f10",
- "name": "panel_4",
- "type": "search"
+ "id": "logs-*",
+ "name": "380eed85-225b-4d5d-88bc-1c70a3643ddb:layer_1_source_index_pattern",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "c802177f-038c-4a35-a82d-0fa42c857d02:control_0_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "380eed85-225b-4d5d-88bc-1c70a3643ddb:layer_2_source_index_pattern",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "380eed85-225b-4d5d-88bc-1c70a3643ddb:layer_1_source_index_pattern",
- "id": "logs-*"
+ "id": "aws-c1aee600-4487-11ea-ad63-791a5dc86f10",
+ "name": "b4dbbe72-0dc0-428b-b21e-91c6cc82745c:panel_b4dbbe72-0dc0-428b-b21e-91c6cc82745c",
+ "type": "search"
},
{
- "type": "index-pattern",
- "name": "380eed85-225b-4d5d-88bc-1c70a3643ddb:layer_2_source_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_646957e1-54a2-4461-b862-eebe7b8d6bcc:optionsListDataView",
+ "type": "index-pattern"
}
],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/aws/kibana/dashboard/aws-2ba11b50-4b9d-11ec-8282-5342b8988acc.json b/packages/aws/kibana/dashboard/aws-2ba11b50-4b9d-11ec-8282-5342b8988acc.json
index da713bde764..d24704d6e24 100644
--- a/packages/aws/kibana/dashboard/aws-2ba11b50-4b9d-11ec-8282-5342b8988acc.json
+++ b/packages/aws/kibana/dashboard/aws-2ba11b50-4b9d-11ec-8282-5342b8988acc.json
@@ -1,14 +1,12 @@
{
- "id": "aws-2ba11b50-4b9d-11ec-8282-5342b8988acc",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-08-01T13:47:45.463Z",
- "version": "Wzg0NywxXQ==",
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"475e2e65-d0a0-4f8e-ae71-2b5c71c68ed1\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"475e2e65-d0a0-4f8e-ae71-2b5c71c68ed1\",\"fieldName\":\"cloud.region\",\"title\":\"Region\",\"enhancements\":{}}},\"e91b2714-66a3-4048-80b1-c440d4fc6070\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"e91b2714-66a3-4048-80b1-c440d4fc6070\",\"fieldName\":\"cloud.availability_zone\",\"title\":\"Availability Zone\",\"enhancements\":{}}},\"e9da20a5-4e9e-4c81-a47c-193773c72f34\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"e9da20a5-4e9e-4c81-a47c-193773c72f34\",\"fieldName\":\"observer.name\",\"title\":\"Firewall\",\"enhancements\":{}}}}"
+ },
"description": "Dashboard providing an overall view of the AWS Network Firewall integration.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
@@ -43,20 +41,12 @@
"optionsJSON": {
"hidePanelTitles": false,
"syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
- "version": "8.1.0",
- "type": "visualization",
- "gridData": {
- "h": 15,
- "i": "258f7245-5011-4f03-bcd3-cada0180dc7a",
- "w": 13,
- "x": 0,
- "y": 0
- },
- "panelIndex": "258f7245-5011-4f03-bcd3-cada0180dc7a",
"embeddableConfig": {
"enhancements": {},
"savedVis": {
@@ -80,106 +70,20 @@
"title": "",
"type": "markdown",
"uiState": {}
- },
- "type": "visualization"
- }
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "title": "Firewall Filters [Logs AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "controls": [
- {
- "fieldName": "cloud.region",
- "id": "1637591016076",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Region",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "cloud.availability_zone",
- "id": "1637591029629",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Availability Zone",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "observer.name",
- "id": "1637591118622",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "Firewall",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": false,
- "useTimeFilter": false
- },
- "type": "input_control_vis",
- "data": {
- "aggs": [],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- }
}
},
"gridData": {
- "h": 7,
- "i": "2ece3b2b-326d-4856-b537-4de075cb5d5d",
- "w": 35,
- "x": 13,
+ "h": 16,
+ "i": "258f7245-5011-4f03-bcd3-cada0180dc7a",
+ "w": 18,
+ "x": 0,
"y": 0
},
- "panelIndex": "2ece3b2b-326d-4856-b537-4de075cb5d5d",
- "title": "Firewall Filters",
+ "panelIndex": "258f7245-5011-4f03-bcd3-cada0180dc7a",
"type": "visualization",
- "version": "8.0.0"
+ "version": "8.8.1"
},
{
- "version": "8.1.0",
- "type": "lens",
- "gridData": {
- "h": 8,
- "i": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
- "w": 5,
- "x": 13,
- "y": 7
- },
- "panelIndex": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
"embeddableConfig": {
"attributes": {
"references": [
@@ -201,7 +105,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -212,10 +116,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Total Alerts",
- "operationType": "count",
+ "label": "Unique Destination IPs",
+ "operationType": "unique_count",
"scale": "ratio",
- "sourceField": "___records___"
+ "sourceField": "destination.ip"
}
},
"incompleteColumns": {}
@@ -231,13 +135,13 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "event.kind",
"negate": false,
"params": {
"query": "alert"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
@@ -253,30 +157,32 @@
"visualization": {
"accessor": "775a9e84-2203-42bf-a775-f60ad2cd84ae",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Total Alerts"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3",
- "w": 5,
+ "i": "b9d7f8b6-deb6-4d46-ad11-7793dd783012",
+ "w": 10,
"x": 18,
- "y": 7
+ "y": 0
},
- "panelIndex": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3",
+ "panelIndex": "b9d7f8b6-deb6-4d46-ad11-7793dd783012",
+ "title": "Unique Destination IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -298,7 +204,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -309,10 +215,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Total Flows",
- "operationType": "count",
+ "label": "Unique Source IPs",
+ "operationType": "unique_count",
"scale": "ratio",
- "sourceField": "___records___"
+ "sourceField": "source.ip"
}
},
"incompleteColumns": {}
@@ -328,17 +234,17 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "event.kind",
"negate": false,
"params": {
- "query": "event"
+ "query": "alert"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
- "event.kind": "event"
+ "event.kind": "alert"
}
}
}
@@ -350,30 +256,32 @@
"visualization": {
"accessor": "775a9e84-2203-42bf-a775-f60ad2cd84ae",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Total Flows"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "b9d7f8b6-deb6-4d46-ad11-7793dd783012",
- "w": 5,
- "x": 23,
- "y": 7
+ "i": "54c39a08-c881-4c64-af1a-8e48867947c3",
+ "w": 10,
+ "x": 28,
+ "y": 0
},
- "panelIndex": "b9d7f8b6-deb6-4d46-ad11-7793dd783012",
+ "panelIndex": "54c39a08-c881-4c64-af1a-8e48867947c3",
+ "title": "Unique Source IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -395,10 +303,11 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
+ "b6504f22-c6eb-439d-bb4d-a3acc2b5de34",
"775a9e84-2203-42bf-a775-f60ad2cd84ae"
],
"columns": {
@@ -406,10 +315,18 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Unique Destination IPs",
+ "label": "Unique Network Protocols",
"operationType": "unique_count",
"scale": "ratio",
- "sourceField": "destination.ip"
+ "sourceField": "network.protocol"
+ },
+ "b6504f22-c6eb-439d-bb4d-a3acc2b5de34": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Unique count of network.protocol",
+ "operationType": "unique_count",
+ "scale": "ratio",
+ "sourceField": "network.protocol"
}
},
"incompleteColumns": {}
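Review bot: The `454630b2-…` layer of the panel titled `Unique Network Protocols` now carries a second column `b6504f22-c6eb-439d-bb4d-a3acc2b5de34`, another unique_count of `network.protocol` with the auto-generated label `Unique count of network.protocol`, next to the custom-labelled `775a9e84-…` column. Only `775a9e84-…` is wired to the metric's `accessor` in the following hunk, so the extra column is never rendered but still issues a second cardinality aggregation on every dashboard load. The same dead column existed in the old `649add0f-…` panel, so this is carried-over cruft rather than something the commit introduces, but since the layer is rewritten anyway this is the moment to drop `b6504f22-…` from both `columnOrder` and `columns`. The panel's embeddableConfig starts before this hunk and continues after it.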
@@ -425,17 +342,17 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "event.kind",
"negate": false,
"params": {
- "query": "alert"
+ "query": "event"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
- "event.kind": "alert"
+ "event.kind": "event"
}
}
}
@@ -447,30 +364,32 @@
"visualization": {
"accessor": "775a9e84-2203-42bf-a775-f60ad2cd84ae",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Destination IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "54c39a08-c881-4c64-af1a-8e48867947c3",
- "w": 5,
- "x": 28,
- "y": 7
+ "i": "83dde1a0-0605-4c05-9bd2-1f2686cd7007",
+ "w": 10,
+ "x": 38,
+ "y": 0
},
- "panelIndex": "54c39a08-c881-4c64-af1a-8e48867947c3",
+ "panelIndex": "83dde1a0-0605-4c05-9bd2-1f2686cd7007",
+ "title": "Unique Network Protocols",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -492,7 +411,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -503,10 +422,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Unique Source IPs",
- "operationType": "unique_count",
+ "label": "Total Flows",
+ "operationType": "count",
"scale": "ratio",
- "sourceField": "source.ip"
+ "sourceField": "___records___"
}
},
"incompleteColumns": {}
@@ -522,17 +441,17 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "event.kind",
"negate": false,
"params": {
- "query": "alert"
+ "query": "event"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
- "event.kind": "alert"
+ "event.kind": "event"
}
}
}
@@ -544,30 +463,32 @@
"visualization": {
"accessor": "775a9e84-2203-42bf-a775-f60ad2cd84ae",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Source IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "83dde1a0-0605-4c05-9bd2-1f2686cd7007",
- "w": 5,
- "x": 33,
- "y": 7
+ "i": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3",
+ "w": 8,
+ "x": 18,
+ "y": 8
},
- "panelIndex": "83dde1a0-0605-4c05-9bd2-1f2686cd7007",
+ "panelIndex": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3",
+ "title": "Total Flows",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -589,11 +510,10 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
- "b6504f22-c6eb-439d-bb4d-a3acc2b5de34",
"775a9e84-2203-42bf-a775-f60ad2cd84ae"
],
"columns": {
@@ -601,18 +521,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Unique Network Protocols",
- "operationType": "unique_count",
- "scale": "ratio",
- "sourceField": "network.protocol"
- },
- "b6504f22-c6eb-439d-bb4d-a3acc2b5de34": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Unique count of network.protocol",
- "operationType": "unique_count",
+ "label": "Total Alerts",
+ "operationType": "count",
"scale": "ratio",
- "sourceField": "network.protocol"
+ "sourceField": "___records___"
}
},
"incompleteColumns": {}
@@ -628,17 +540,17 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "event.kind",
"negate": false,
"params": {
- "query": "event"
+ "query": "alert"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
- "event.kind": "event"
+ "event.kind": "alert"
}
}
}
@@ -650,30 +562,32 @@
"visualization": {
"accessor": "775a9e84-2203-42bf-a775-f60ad2cd84ae",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Network Protocols"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "649add0f-9eb6-4cc8-be29-b0911e29827c",
- "w": 5,
- "x": 38,
- "y": 7
+ "i": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
+ "w": 8,
+ "x": 26,
+ "y": 8
},
- "panelIndex": "649add0f-9eb6-4cc8-be29-b0911e29827c",
+ "panelIndex": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
+ "title": "Total Alerts",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -695,7 +609,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -742,13 +656,13 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "event.kind",
"negate": false,
"params": {
"query": "event"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
@@ -764,30 +678,32 @@
"visualization": {
"accessor": "775a9e84-2203-42bf-a775-f60ad2cd84ae",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Total Bytes"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "c070e106-ce00-4096-be3d-b528119f0828",
- "w": 5,
- "x": 43,
- "y": 7
+ "i": "649add0f-9eb6-4cc8-be29-b0911e29827c",
+ "w": 7,
+ "x": 34,
+ "y": 8
},
- "panelIndex": "c070e106-ce00-4096-be3d-b528119f0828",
+ "panelIndex": "649add0f-9eb6-4cc8-be29-b0911e29827c",
+ "title": "Total Bytes",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
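Review bot: Two panels on the new side are both titled `Total Bytes` (`649add0f-…` here and `c070e106-…` in the next hunk), placed side by side at x 34 and x 41; the old layout had the same duplication, so the commit carries it over rather than introduces it. Their column definitions are outside these hunks, so I cannot tell whether they measure different things (e.g. a different field or direction) — if they do, distinct titles would make the dashboard self-explanatory; if they are identical, one of the panels is redundant.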
@@ -809,7 +725,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -849,13 +765,13 @@
"meta": {
"alias": null,
"disabled": false,
+ "index": "filter-index-pattern-0",
"key": "event.kind",
"negate": false,
"params": {
"query": "event"
},
- "type": "phrase",
- "index": "filter-index-pattern-0"
+ "type": "phrase"
},
"query": {
"match_phrase": {
@@ -871,30 +787,32 @@
"visualization": {
"accessor": "775a9e84-2203-42bf-a775-f60ad2cd84ae",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Total Bytes"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 16,
- "i": "f933435c-1f7d-4cb0-87eb-6c23c6ad6dbb",
- "w": 28,
- "x": 0,
- "y": 15
+ "h": 8,
+ "i": "c070e106-ce00-4096-be3d-b528119f0828",
+ "w": 7,
+ "x": 41,
+ "y": 8
},
- "panelIndex": "f933435c-1f7d-4cb0-87eb-6c23c6ad6dbb",
+ "panelIndex": "c070e106-ce00-4096-be3d-b528119f0828",
+ "title": "Total Bytes",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -911,7 +829,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"8c1d8a18-0da5-431f-8faf-f72f028b10de": {
"columnOrder": [
@@ -944,6 +862,7 @@
"label": "@timestamp",
"operationType": "date_histogram",
"params": {
+ "includeEmptyRows": true,
"interval": "auto"
},
"scale": "interval",
@@ -1001,6 +920,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -1023,22 +943,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Events"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 16,
- "i": "bcfbc5f5-fd40-48e3-937d-965fcb8a5585",
- "w": 20,
- "x": 28,
- "y": 15
+ "i": "f933435c-1f7d-4cb0-87eb-6c23c6ad6dbb",
+ "w": 28,
+ "x": 0,
+ "y": 16
},
- "panelIndex": "bcfbc5f5-fd40-48e3-937d-965fcb8a5585",
+ "panelIndex": "f933435c-1f7d-4cb0-87eb-6c23c6ad6dbb",
+ "title": "Events",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1055,7 +974,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"b2bc813b-af38-4aac-bf1f-7d3b6f3aa51c": {
"columnOrder": [
@@ -1153,6 +1072,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "bar_horizontal",
@@ -1175,10 +1095,19 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Total Events by Firewall"
+ "gridData": {
+ "h": 16,
+ "i": "bcfbc5f5-fd40-48e3-937d-965fcb8a5585",
+ "w": 20,
+ "x": 28,
+ "y": 16
+ },
+ "panelIndex": "bcfbc5f5-fd40-48e3-937d-965fcb8a5585",
+ "title": "Total Events by Firewall",
+ "type": "lens",
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -1199,19 +1128,25 @@
"i": "fc5a3028-fdfc-4c3c-ab04-f43123af380b",
"w": 48,
"x": 0,
- "y": 31
+ "y": 32
},
"panelIndex": "fc5a3028-fdfc-4c3c-ab04-f43123af380b",
"panelRefName": "panel_fc5a3028-fdfc-4c3c-ab04-f43123af380b",
"title": "Firewall Logs",
"type": "search",
- "version": "7.15.1"
+ "version": "8.8.1"
}
],
"timeRestore": false,
"title": "[Logs AWS] Firewall Overview",
"version": 1
},
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T09:17:37.345Z",
+ "id": "aws-2ba11b50-4b9d-11ec-8282-5342b8988acc",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
"references": [
{
"id": "logs-*",
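Review bot: The saved-object metadata added here sets `coreMigrationVersion` and `migrationVersion.dashboard` to `8.7.0`, while every panel in this dashboard now carries `"version": "8.8.1"` (the search panel just above, for instance), and the sibling VPC Flow dashboard in this same commit uses `8.7.1` for both. Presumably the two files were exported from different Kibana builds; please confirm that the package's `kibana.version` constraint (not visible here) covers the highest panel version, since importing into a Kibana older than the export source is a common cause of dashboards failing to load. `created_at` is an export timestamp with no functional role; if the export tooling does not strip it, expect it to churn on every re-export.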
@@ -1220,77 +1155,77 @@
},
{
"id": "logs-*",
- "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:indexpattern-datasource-current-indexpattern",
+ "name": "b9d7f8b6-deb6-4d46-ad11-7793dd783012:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
+ "name": "b9d7f8b6-deb6-4d46-ad11-7793dd783012:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:filter-index-pattern-0",
+ "name": "b9d7f8b6-deb6-4d46-ad11-7793dd783012:filter-index-pattern-0",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3:indexpattern-datasource-current-indexpattern",
+ "name": "54c39a08-c881-4c64-af1a-8e48867947c3:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
+ "name": "54c39a08-c881-4c64-af1a-8e48867947c3:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3:filter-index-pattern-0",
+ "name": "54c39a08-c881-4c64-af1a-8e48867947c3:filter-index-pattern-0",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "b9d7f8b6-deb6-4d46-ad11-7793dd783012:indexpattern-datasource-current-indexpattern",
+ "name": "83dde1a0-0605-4c05-9bd2-1f2686cd7007:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "b9d7f8b6-deb6-4d46-ad11-7793dd783012:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
+ "name": "83dde1a0-0605-4c05-9bd2-1f2686cd7007:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "b9d7f8b6-deb6-4d46-ad11-7793dd783012:filter-index-pattern-0",
+ "name": "83dde1a0-0605-4c05-9bd2-1f2686cd7007:filter-index-pattern-0",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "54c39a08-c881-4c64-af1a-8e48867947c3:indexpattern-datasource-current-indexpattern",
+ "name": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "54c39a08-c881-4c64-af1a-8e48867947c3:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
+ "name": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "54c39a08-c881-4c64-af1a-8e48867947c3:filter-index-pattern-0",
+ "name": "e8d2a7be-bc2a-4ca5-ae71-5273156084b3:filter-index-pattern-0",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "83dde1a0-0605-4c05-9bd2-1f2686cd7007:indexpattern-datasource-current-indexpattern",
+ "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "83dde1a0-0605-4c05-9bd2-1f2686cd7007:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
+ "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "83dde1a0-0605-4c05-9bd2-1f2686cd7007:filter-index-pattern-0",
+ "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:filter-index-pattern-0",
"type": "index-pattern"
},
{
@@ -1349,23 +1284,20 @@
"type": "search"
},
{
- "type": "index-pattern",
- "name": "2ece3b2b-326d-4856-b537-4de075cb5d5d:control_0_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_475e2e65-d0a0-4f8e-ae71-2b5c71c68ed1:optionsListDataView",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "2ece3b2b-326d-4856-b537-4de075cb5d5d:control_1_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_e91b2714-66a3-4048-80b1-c440d4fc6070:optionsListDataView",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "2ece3b2b-326d-4856-b537-4de075cb5d5d:control_2_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_e9da20a5-4e9e-4c81-a47c-193773c72f34:optionsListDataView",
+ "type": "index-pattern"
}
],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/aws/kibana/dashboard/aws-3abffe60-4ba9-11ec-8282-5342b8988acc.json b/packages/aws/kibana/dashboard/aws-3abffe60-4ba9-11ec-8282-5342b8988acc.json
index d9a9b6afaee..36122db6406 100644
--- a/packages/aws/kibana/dashboard/aws-3abffe60-4ba9-11ec-8282-5342b8988acc.json
+++ b/packages/aws/kibana/dashboard/aws-3abffe60-4ba9-11ec-8282-5342b8988acc.json
@@ -123,7 +123,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "32700201-1770-46bd-9ee6-64cad8904bdc",
"layerType": "data",
"metricAccessor": "120709bf-e5a1-4646-9ee7-ae2d5d5f144d"
@@ -190,7 +189,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "32700201-1770-46bd-9ee6-64cad8904bdc",
"layerType": "data",
"metricAccessor": "120709bf-e5a1-4646-9ee7-ae2d5d5f144d"
@@ -257,7 +255,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"layerType": "data",
"metricAccessor": "9fc78ba7-ca2c-41da-8723-8f7c14623b98"
@@ -324,7 +321,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "32700201-1770-46bd-9ee6-64cad8904bdc",
"layerType": "data",
"metricAccessor": "120709bf-e5a1-4646-9ee7-ae2d5d5f144d"
@@ -391,7 +387,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"layerType": "data",
"metricAccessor": "9f99f66f-4762-4030-9704-d215568cce9c"
@@ -458,7 +453,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"layerType": "data",
"metricAccessor": "9fc78ba7-ca2c-41da-8723-8f7c14623b98"
diff --git a/packages/aws/kibana/dashboard/aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb.json b/packages/aws/kibana/dashboard/aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb.json
index 8d5c0b41c8c..4fe55589e44 100644
--- a/packages/aws/kibana/dashboard/aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb.json
+++ b/packages/aws/kibana/dashboard/aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb.json
@@ -1,14 +1,6 @@
{
- "id": "aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-08-01T13:47:45.463Z",
- "version": "Wzg1MiwxXQ==",
"attributes": {
"description": "Logs AWS S3 Server Access Log Overview Dashboard",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
@@ -20,136 +12,169 @@
},
"optionsJSON": {
"hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
- "title": "Top URLs",
- "savedVis": {
- "title": "Top URLs [Logs AWS]",
- "description": "",
- "uiState": {
- "vis": {
- "colors": {
- "404": "#EAB839"
- }
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e3977136-863c-4101-afdb-25130f0263b8",
+ "type": "index-pattern"
}
- },
- "params": {
- "addLegend": true,
- "addTooltip": true,
- "dimensions": {
- "buckets": [
- {
- "accessor": 2,
- "aggType": "terms",
- "format": {
- "id": "terms",
- "params": {
- "id": "number",
- "missingBucketLabel": "Missing",
- "otherBucketLabel": "Other"
- }
- },
- "params": {}
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e3977136-863c-4101-afdb-25130f0263b8": {
+ "columnOrder": [
+ "3739613d-707c-44c0-92f6-d5b116591386",
+ "f8aa313c-7316-4d09-bdac-b3983b1db338",
+ "04d38e1e-d320-47b2-9088-16d241a5bb07"
+ ],
+ "columns": {
+ "04d38e1e-d320-47b2-9088-16d241a5bb07": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "3739613d-707c-44c0-92f6-d5b116591386": {
+ "customLabel": false,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 5 values of aws.s3access.request_uri",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "04d38e1e-d320-47b2-9088-16d241a5bb07",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.s3access.request_uri"
+ },
+ "f8aa313c-7316-4d09-bdac-b3983b1db338": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": true,
+ "label": "HTTP Status",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "04d38e1e-d320-47b2-9088-16d241a5bb07",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.s3access.http_status"
+ }
+ },
+ "incompleteColumns": {}
+ }
}
- ],
- "metric": {
- "accessor": 3,
- "aggType": "count",
- "format": {
- "id": "number"
- },
- "params": {}
},
- "splitColumn": [
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
{
- "accessor": 0,
- "aggType": "terms",
- "format": {
- "id": "terms",
- "params": {
- "id": "string",
- "missingBucketLabel": "Missing",
- "otherBucketLabel": "Other"
- }
+ "accessors": [
+ "04d38e1e-d320-47b2-9088-16d241a5bb07"
+ ],
+ "layerId": "e3977136-863c-4101-afdb-25130f0263b8",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
},
- "params": {}
+ "seriesType": "bar_horizontal_stacked",
+ "splitAccessor": "f8aa313c-7316-4d09-bdac-b3983b1db338",
+ "xAccessor": "3739613d-707c-44c0-92f6-d5b116591386"
}
- ]
- },
- "isDonut": false,
- "labels": {
- "last_level": true,
- "show": false,
- "truncate": 100,
- "values": true
- },
- "legendPosition": "right",
- "type": "pie",
- "row": false,
- "palette": {
- "type": "palette",
- "name": "kibana_palette"
- },
- "distinctColors": true
- },
- "type": "pie",
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {},
- "schema": "metric",
- "type": "count"
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
},
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Request Uri",
- "field": "aws.s3access.request_uri",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "split",
- "type": "terms"
+ "preferredSeriesType": "bar_horizontal_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
},
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "HTTP Status",
- "field": "aws.s3access.http_status",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "segment",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
+ "valueLabels": "show",
+ "yLeftExtent": {
+ "mode": "full",
+ "niceValues": true
}
}
- }
- }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
@@ -160,104 +185,200 @@
},
"panelIndex": "1",
"title": "Top URLs",
- "version": "8.0.0",
- "type": "visualization"
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "title": "Http Status over time",
- "savedVis": {
- "title": "Http Status over time [Logs AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "lucene",
- "query": "data_stream.dataset:aws.s3access"
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_logs-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "logs-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "logs-*"
+ }
},
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "logs-*",
- "interval": "auto",
- "legend_position": "bottom",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "bar",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Http Status",
- "line_width": 1,
- "metrics": [
- {
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "count"
- }
- ],
- "point_size": 1,
- "seperate_axis": 0,
- "split_color_mode": "gradient",
- "split_filters": [
- {
- "color": "#68BC00",
- "filter": {
- "language": "kuery",
- "query": "aws.s3access.http_status \u003c 300 and aws.s3access.http_status \u003e= 200"
- },
- "id": "5acdc750-a29d-11e7-a062-a1c3587f4874",
- "label": "200s"
- },
- {
- "color": "rgba(252,196,0,1)",
- "filter": {
- "language": "kuery",
- "query": "aws.s3access.http_status \u003c 400 and aws.s3access.http_status \u003e= 300"
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "61669f3c-1aff-44c6-ad13-61e6a9ab3296": {
+ "columnOrder": [
+ "293fa4d1-b5cb-4af3-b3f4-09c7194987e5",
+ "b5cbcf41-77b1-4436-bda0-6a65f91b9fcd",
+ "d3270734-6fa1-4c88-affb-f0b6707a242b"
+ ],
+ "columns": {
+ "293fa4d1-b5cb-4af3-b3f4-09c7194987e5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "b5cbcf41-77b1-4436-bda0-6a65f91b9fcd": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Filters",
+ "operationType": "filters",
+ "params": {
+ "filters": [
+ {
+ "input": {
+ "language": "kuery",
+ "query": "aws.s3access.http_status \u003c 300 and aws.s3access.http_status \u003e= 200"
+ },
+ "label": "200s"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "aws.s3access.http_status \u003c 400 and aws.s3access.http_status \u003e= 300"
+ },
+ "label": "300s"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "aws.s3access.http_status \u003c 500 and aws.s3access.http_status \u003e= 400"
+ },
+ "label": "400s"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "aws.s3access.http_status \u003c 600 and aws.s3access.http_status \u003e= 500"
+ },
+ "label": "500s"
+ }
+ ]
+ },
+ "scale": "ordinal"
+ },
+ "d3270734-6fa1-4c88-affb-f0b6707a242b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Http Status",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
},
- "id": "6efd2ae0-a29d-11e7-a062-a1c3587f4874",
- "label": "300s"
- },
- {
- "color": "rgba(211,49,21,1)",
- "filter": {
- "language": "kuery",
- "query": "aws.s3access.http_status \u003c 500 and aws.s3access.http_status \u003e= 400"
- },
- "id": "76089a90-a29d-11e7-a062-a1c3587f4874",
- "label": "400s"
- },
- {
- "color": "rgba(171,20,158,1)",
- "filter": {
- "language": "kuery",
- "query": "aws.s3access.http_status \u003c 600 and aws.s3access.http_status \u003e= 500"
- },
- "id": "7c7929d0-a29d-11e7-a062-a1c3587f4874",
- "label": "500s"
+ "incompleteColumns": {}
}
- ],
- "split_mode": "filters",
- "stacked": "stacked",
- "terms_field": "http.response.status_code",
- "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417"
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_logs-*/@timestamp",
+ "name": "indexpattern-datasource-layer-61669f3c-1aff-44c6-ad13-61e6a9ab3296",
+ "type": "index-pattern"
}
],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false,
- "drop_last_bucket": 1
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "d3270734-6fa1-4c88-affb-f0b6707a242b"
+ ],
+ "layerId": "61669f3c-1aff-44c6-ad13-61e6a9ab3296",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar_stacked",
+ "splitAccessor": "b5cbcf41-77b1-4436-bda0-6a65f91b9fcd",
+ "xAccessor": "293fa4d1-b5cb-4af3-b3f4-09c7194987e5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#68BC00",
+ "forAccessor": "d3270734-6fa1-4c88-affb-f0b6707a242b"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "bottom",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "show",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
},
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
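Review bot: The converted "Http Status over time" panel no longer carries the `data_stream.dataset:aws.s3access` restriction that the removed TSVB config had in its `filter` block: the new Lens state has `"filters": []` and an empty `query`, so unless the dashboard-level `searchSourceJSON` (outside this hunk) applies that filter, the four status-class buckets count every document in `logs-*` that has `aws.s3access.http_status`, not only S3 access logs. The panel also resolves its index through an ad hoc data view `tsvb_ad_hoc_logs-*/@timestamp` with `"allowNoIndex": true` and an empty `references` array, whereas the sibling "Top URLs" panel binds to `logs-*` through a dashboard-level `index-pattern` reference; using the same mechanism here, `"references": [{"id": "logs-*", "name": "indexpattern-datasource-layer-61669f3c-1aff-44c6-ad13-61e6a9ab3296", "type": "index-pattern"}]` with a matching `2:`-prefixed entry in the dashboard references, keeps both panels on the package-managed data view and, as far as I understand `allowNoIndex`, avoids an empty-but-valid panel when the index is absent. The old per-range series colors (green for 200s through red/purple for 400s/500s) are replaced by the default palette, so the error classes are no longer visually distinct from the success class; that is a presentation regression worth noting in the commit description if it is intentional.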
@@ -268,12 +389,12 @@
},
"panelIndex": "2",
"title": "Http Status over time",
- "version": "8.0.0",
- "type": "visualization"
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "title": "Error Logs"
+ "enhancements": {}
},
"gridData": {
"h": 15,
@@ -283,29 +404,33 @@
"y": 15
},
"panelIndex": "3",
- "panelRefName": "panel_2",
+ "panelRefName": "panel_3",
"title": "Error Logs",
- "version": "7.4.0"
+ "type": "search",
+ "version": "8.7.1"
}
],
"timeRestore": false,
"title": "[Logs AWS] S3 Server Access Log Overview",
"version": 1
},
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T08:47:59.330Z",
+ "id": "aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
"references": [
{
- "id": "aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb",
- "name": "panel_2",
- "type": "search"
+ "id": "logs-*",
+ "name": "1:indexpattern-datasource-layer-e3977136-863c-4101-afdb-25130f0263b8",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "1:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "logs-*"
+ "id": "aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb",
+ "name": "3:panel_3",
+ "type": "search"
}
],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/aws/kibana/dashboard/aws-4c404390-2724-11ee-a3cb-33de1feb08f6.json b/packages/aws/kibana/dashboard/aws-4c404390-2724-11ee-a3cb-33de1feb08f6.json
new file mode 100644
index 00000000000..7fbbef07bf0
--- /dev/null
+++ b/packages/aws/kibana/dashboard/aws-4c404390-2724-11ee-a3cb-33de1feb08f6.json
@@ -0,0 +1,319 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "aws.emr_logs"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "aws.emr_logs"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-063f2b19-5cf4-4a39-a699-f00d4ab5aeae",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "063f2b19-5cf4-4a39-a699-f00d4ab5aeae": {
+ "columnOrder": [
+ "82883b46-c5bf-426b-8145-8512134d9e46",
+ "5071a31f-c22c-4521-a95a-b091d815210f"
+ ],
+ "columns": {
+ "5071a31f-c22c-4521-a95a-b091d815210f": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "82883b46-c5bf-426b-8145-8512134d9e46": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Process name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "5071a31f-c22c-4521-a95a-b091d815210f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "process.name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "82883b46-c5bf-426b-8145-8512134d9e46",
+ "isTransposed": false
+ },
+ {
+ "columnId": "5071a31f-c22c-4521-a95a-b091d815210f",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "063f2b19-5cf4-4a39-a699-f00d4ab5aeae",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "67059371-5528-45be-b6e0-1525e0e215cc",
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "67059371-5528-45be-b6e0-1525e0e215cc",
+ "title": "Top Process Names",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-c96dc367-7669-4582-8b49-d5dfaf453256",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "c96dc367-7669-4582-8b49-d5dfaf453256": {
+ "columnOrder": [
+ "ecb84283-f29f-4ad8-a24d-004dc1f78612",
+ "ce1a3d48-fcab-4c38-ada6-6330fbd87ffa"
+ ],
+ "columns": {
+ "ce1a3d48-fcab-4c38-ada6-6330fbd87ffa": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "ecb84283-f29f-4ad8-a24d-004dc1f78612": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 5 values of log.level",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ce1a3d48-fcab-4c38-ada6-6330fbd87ffa",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "log.level"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "c96dc367-7669-4582-8b49-d5dfaf453256",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "metrics": [
+ "ce1a3d48-fcab-4c38-ada6-6330fbd87ffa"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "ecb84283-f29f-4ad8-a24d-004dc1f78612"
+ ]
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "94471afc-1bf7-4bbc-8e33-1d234b4631a8",
+ "w": 24,
+ "x": 24,
+ "y": 0
+ },
+ "panelIndex": "94471afc-1bf7-4bbc-8e33-1d234b4631a8",
+ "title": "Log Level",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "9d6500f1-b8a2-4b8a-a78b-32267bda7e45",
+ "w": 48,
+ "x": 0,
+ "y": 15
+ },
+ "panelIndex": "9d6500f1-b8a2-4b8a-a78b-32267bda7e45",
+ "panelRefName": "panel_9d6500f1-b8a2-4b8a-a78b-32267bda7e45",
+ "title": "EMR Logs",
+ "type": "search",
+ "version": "8.7.1"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs AWS] EMR Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-20T17:49:07.190Z",
+ "id": "aws-4c404390-2724-11ee-a3cb-33de1feb08f6",
+ "managed": false,
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "67059371-5528-45be-b6e0-1525e0e215cc:indexpattern-datasource-layer-063f2b19-5cf4-4a39-a699-f00d4ab5aeae",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "94471afc-1bf7-4bbc-8e33-1d234b4631a8:indexpattern-datasource-layer-c96dc367-7669-4582-8b49-d5dfaf453256",
+ "type": "index-pattern"
+ },
+ {
+ "id": "aws-c1543010-2724-11ee-a3cb-33de1feb08f6",
+ "name": "9d6500f1-b8a2-4b8a-a78b-32267bda7e45:panel_9d6500f1-b8a2-4b8a-a78b-32267bda7e45",
+ "type": "search"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
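Review bot: The "Log Level" panel is stamped `"version": "8.8.1"` while its sibling panels and the dashboard's `coreMigrationVersion`/`migrationVersion` are `8.7.1`/`8.7.0`, which suggests it was exported from a different Kibana build than the rest of this dashboard; either re-export it from the same 8.7.1 stack or confirm the package manifest's Kibana version constraint (outside this diff) covers 8.8 so the saved object does not carry a migration marker newer than the dashboard itself. The same panel keeps the auto-generated column label `"Top 5 values of log.level"` whereas the "Top Process Names" panel sets `"customLabel": true` with a human label; for consistency set `"customLabel": true, "label": "Log level"` on column `ecb84283-f29f-4ad8-a24d-004dc1f78612`. The dashboard's `description` is an empty string while the API Gateway dashboard added in this same commit describes itself; a one-liner such as `"description": "Overview of AWS EMR Logs"` would make the package's dashboard list self-explanatory.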
diff --git a/packages/aws/kibana/dashboard/aws-5465f0f0-26e4-11ee-9051-011d57d86fe2.json b/packages/aws/kibana/dashboard/aws-5465f0f0-26e4-11ee-9051-011d57d86fe2.json
new file mode 100644
index 00000000000..5b36cae7216
--- /dev/null
+++ b/packages/aws/kibana/dashboard/aws-5465f0f0-26e4-11ee-9051-011d57d86fe2.json
@@ -0,0 +1,1046 @@
+{
+ "attributes": {
+ "description": "Overview of AWS API Gateway Logs",
+ "controlGroupInput": {
+ "controlStyle": "oneLine",
+ "chainingSystem": "HIERARCHICAL",
+ "panelsJSON": "{\"8f39f203-e0d6-4567-bcae-8b2f875cf442\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"8f39f203-e0d6-4567-bcae-8b2f875cf442\",\"fieldName\":\"aws.apigateway.api_id\",\"title\":\"API ID\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}},\"7acb90a0-4fc1-4ed9-bf45-2a00e082c705\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7acb90a0-4fc1-4ed9-bf45-2a00e082c705\",\"fieldName\":\"aws.apigateway.domain_name\",\"title\":\"Domain Name\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}},\"a9bf185b-ff91-4165-8584-6075e830a2b0\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"a9bf185b-ff91-4165-8584-6075e830a2b0\",\"fieldName\":\"aws.apigateway.stage\",\"title\":\"Stage\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}},\"14595511-24be-417b-af74-625ad0e7319a\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"14595511-24be-417b-af74-625ad0e7319a\",\"fieldName\":\"cloud.region\",\"title\":\"AWS Region\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}}}",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}"
+ },
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"data_stream.dataset\",\"field\":\"data_stream.dataset\",\"params\":{\"query\":\"aws.apigateway_logs\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"aws.apigateway_logs\"}},\"$state\":{\"store\":\"appState\"}}]}"
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "version": "8.7.1",
+ "type": "lens",
+ "gridData": {
+ "x": 0,
+ "y": 0,
+ "w": 16,
+ "h": 15,
+ "i": "124faec6-fedf-4a5c-b060-ab3f03a8cdbe"
+ },
+ "panelIndex": "124faec6-fedf-4a5c-b060-ab3f03a8cdbe",
+ "embeddableConfig": {
+ "attributes": {
+ "title": "",
+ "description": "",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-06dccdd0-c0b9-4519-a299-53546adbc735"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "shape": "treemap",
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "06dccdd0-c0b9-4519-a299-53546adbc735",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "metrics": [
+ "850d3e92-043f-4460-9290-10ca1311dc97"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "03ad11f6-344c-43a3-91fe-b70024c79ead"
+ ]
+ }
+ ]
+ },
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "06dccdd0-c0b9-4519-a299-53546adbc735": {
+ "columnOrder": [
+ "03ad11f6-344c-43a3-91fe-b70024c79ead",
+ "850d3e92-043f-4460-9290-10ca1311dc97"
+ ],
+ "columns": {
+ "03ad11f6-344c-43a3-91fe-b70024c79ead": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 5 values of aws.apigateway.http_method",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "850d3e92-043f-4460-9290-10ca1311dc97",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.apigateway.http_method"
+ },
+ "850d3e92-043f-4460-9290-10ca1311dc97": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "title": "HTTP Method"
+ },
+ {
+ "version": "8.7.1",
+ "type": "lens",
+ "gridData": {
+ "x": 32,
+ "y": 0,
+ "w": 16,
+ "h": 15,
+ "i": "9a82e092-0e19-4f51-8879-680d1ed0ba44"
+ },
+ "panelIndex": "9a82e092-0e19-4f51-8879-680d1ed0ba44",
+ "embeddableConfig": {
+ "attributes": {
+ "title": "",
+ "description": "",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-06dccdd0-c0b9-4519-a299-53546adbc735"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "shape": "treemap",
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "06dccdd0-c0b9-4519-a299-53546adbc735",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "metrics": [
+ "850d3e92-043f-4460-9290-10ca1311dc97"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "03ad11f6-344c-43a3-91fe-b70024c79ead"
+ ]
+ }
+ ]
+ },
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "06dccdd0-c0b9-4519-a299-53546adbc735": {
+ "columnOrder": [
+ "03ad11f6-344c-43a3-91fe-b70024c79ead",
+ "850d3e92-043f-4460-9290-10ca1311dc97"
+ ],
+ "columns": {
+ "03ad11f6-344c-43a3-91fe-b70024c79ead": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of aws.apigateway.event_type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "850d3e92-043f-4460-9290-10ca1311dc97",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.apigateway.event_type"
+ },
+ "850d3e92-043f-4460-9290-10ca1311dc97": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "title": "[WebSocket] Event Type"
+ },
+ {
+ "version": "8.7.1",
+ "type": "lens",
+ "gridData": {
+ "x": 0,
+ "y": 15,
+ "w": 16,
+ "h": 15,
+ "i": "245be50a-a099-4712-bbf5-2b6ce1368ec7"
+ },
+ "panelIndex": "245be50a-a099-4712-bbf5-2b6ce1368ec7",
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "name": "indexpattern-datasource-layer-e0c50ea5-82ba-4ee6-be31-497faf705f15",
+ "id": "logs-*",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e0c50ea5-82ba-4ee6-be31-497faf705f15": {
+ "columnOrder": [
+ "56bc0501-4f72-4b55-8998-f3aeceed9834",
+ "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b"
+ ],
+ "columns": {
+ "56bc0501-4f72-4b55-8998-f3aeceed9834": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Path",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.apigateway.resource_path"
+ },
+ "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "56bc0501-4f72-4b55-8998-f3aeceed9834"
+ },
+ {
+ "columnId": "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "e0c50ea5-82ba-4ee6-be31-497faf705f15",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "title": "Top Accessed Resource Paths"
+ },
+ {
+ "version": "8.7.1",
+ "type": "lens",
+ "gridData": {
+ "x": 16,
+ "y": 0,
+ "w": 16,
+ "h": 15,
+ "i": "92abd08c-7a30-4df3-bfae-31f101cd3f02"
+ },
+ "panelIndex": "92abd08c-7a30-4df3-bfae-31f101cd3f02",
+ "embeddableConfig": {
+ "attributes": {
+ "title": "",
+ "description": "",
+ "visualizationType": "lnsPie",
+ "type": "lens",
+ "references": [
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-06dccdd0-c0b9-4519-a299-53546adbc735"
+ }
+ ],
+ "state": {
+ "visualization": {
+ "shape": "treemap",
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "06dccdd0-c0b9-4519-a299-53546adbc735",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "metrics": [
+ "850d3e92-043f-4460-9290-10ca1311dc97"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "03ad11f6-344c-43a3-91fe-b70024c79ead"
+ ]
+ }
+ ]
+ },
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "filters": [],
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "06dccdd0-c0b9-4519-a299-53546adbc735": {
+ "columnOrder": [
+ "03ad11f6-344c-43a3-91fe-b70024c79ead",
+ "850d3e92-043f-4460-9290-10ca1311dc97"
+ ],
+ "columns": {
+ "03ad11f6-344c-43a3-91fe-b70024c79ead": {
+ "dataType": "number",
+ "isBucketed": true,
+ "label": "Top 10 values of aws.apigateway.status",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "850d3e92-043f-4460-9290-10ca1311dc97",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.apigateway.status"
+ },
+ "850d3e92-043f-4460-9290-10ca1311dc97": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "internalReferences": [],
+ "adHocDataViews": {}
+ }
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "title": "Status Code"
+ },
+ {
+ "version": "8.7.1",
+ "type": "lens",
+ "gridData": {
+ "x": 32,
+ "y": 15,
+ "w": 16,
+ "h": 15,
+ "i": "4df6f1a3-5307-4b0d-8e77-d2d1c1cfe423"
+ },
+ "panelIndex": "4df6f1a3-5307-4b0d-8e77-d2d1c1cfe423",
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "name": "indexpattern-datasource-layer-e0c50ea5-82ba-4ee6-be31-497faf705f15",
+ "id": "logs-*",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e0c50ea5-82ba-4ee6-be31-497faf705f15": {
+ "columnOrder": [
+ "56bc0501-4f72-4b55-8998-f3aeceed9834",
+ "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b"
+ ],
+ "columns": {
+ "56bc0501-4f72-4b55-8998-f3aeceed9834": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "IP Address",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.apigateway.ip_address"
+ },
+ "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "56bc0501-4f72-4b55-8998-f3aeceed9834"
+ },
+ {
+ "columnId": "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "e0c50ea5-82ba-4ee6-be31-497faf705f15",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "title": "Top IP Addresses"
+ },
+ {
+ "version": "8.7.1",
+ "type": "lens",
+ "gridData": {
+ "x": 16,
+ "y": 15,
+ "w": 16,
+ "h": 15,
+ "i": "e779f254-8384-4e2f-aea1-0dc375931e25"
+ },
+ "panelIndex": "e779f254-8384-4e2f-aea1-0dc375931e25",
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "name": "indexpattern-datasource-layer-e0c50ea5-82ba-4ee6-be31-497faf705f15",
+ "id": "logs-*",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e0c50ea5-82ba-4ee6-be31-497faf705f15": {
+ "columnOrder": [
+ "56bc0501-4f72-4b55-8998-f3aeceed9834",
+ "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b"
+ ],
+ "columns": {
+ "56bc0501-4f72-4b55-8998-f3aeceed9834": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Route Key",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.apigateway.route_key"
+ },
+ "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "56bc0501-4f72-4b55-8998-f3aeceed9834"
+ },
+ {
+ "columnId": "9afd9da3-ed66-4c33-a4a6-d9dc7f89119b",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "e0c50ea5-82ba-4ee6-be31-497faf705f15",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "title": "Top Accessed Route Keys"
+ },
+ {
+ "version": "8.7.1",
+ "type": "lens",
+ "gridData": {
+ "x": 0,
+ "y": 30,
+ "w": 24,
+ "h": 15,
+ "i": "df1c2d17-abc3-4e03-999b-4e8a082cb302"
+ },
+ "panelIndex": "df1c2d17-abc3-4e03-999b-4e8a082cb302",
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "name": "indexpattern-datasource-layer-c7dca2ac-c8e3-48eb-b604-609a2a808cae",
+ "id": "logs-*",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "c7dca2ac-c8e3-48eb-b604-609a2a808cae": {
+ "columnOrder": [
+ "557d1ba6-226e-488e-a132-6ec8f52d67b8",
+ "fb83df49-4a4a-4e31-90cc-e79176cc0359"
+ ],
+ "columns": {
+ "557d1ba6-226e-488e-a132-6ec8f52d67b8": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "60s"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "fb83df49-4a4a-4e31-90cc-e79176cc0359": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average of aws.apigateway.response_length",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 2,
+ "suffix": "ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "aws.apigateway.response_length"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "curveType": "LINEAR",
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "fb83df49-4a4a-4e31-90cc-e79176cc0359"
+ ],
+ "layerId": "c7dca2ac-c8e3-48eb-b604-609a2a808cae",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "557d1ba6-226e-488e-a132-6ec8f52d67b8"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "title": "Request Time"
+ },
+ {
+ "version": "8.7.1",
+ "type": "lens",
+ "gridData": {
+ "x": 24,
+ "y": 30,
+ "w": 24,
+ "h": 15,
+ "i": "cfe1a0fc-f948-4dce-bb6f-41ae6b018f0d"
+ },
+ "panelIndex": "cfe1a0fc-f948-4dce-bb6f-41ae6b018f0d",
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "name": "indexpattern-datasource-layer-8fb38a54-10e3-47e3-83c5-8853e0afe9da",
+ "id": "logs-*",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8fb38a54-10e3-47e3-83c5-8853e0afe9da": {
+ "columnOrder": [
+ "9d3e6d3a-28ff-4ccd-9fc2-c4e6ef6355b7",
+ "8fa54c3a-d913-4266-bf1d-8047e35b8a16"
+ ],
+ "columns": {
+ "8fa54c3a-d913-4266-bf1d-8047e35b8a16": {
+ "customLabel": false,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average of aws.apigateway.response_length",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "aws.apigateway.response_length"
+ },
+ "9d3e6d3a-28ff-4ccd-9fc2-c4e6ef6355b7": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "60s"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "8fa54c3a-d913-4266-bf1d-8047e35b8a16"
+ ],
+ "layerId": "8fb38a54-10e3-47e3-83c5-8853e0afe9da",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "xAccessor": "9d3e6d3a-28ff-4ccd-9fc2-c4e6ef6355b7"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "title": "Response Length"
+ },
+ {
+ "version": "8.7.1",
+ "type": "search",
+ "gridData": {
+ "x": 0,
+ "y": 45,
+ "w": 48,
+ "h": 15,
+ "i": "4bbea79e-625f-4803-8050-25d55e530dee"
+ },
+ "panelIndex": "4bbea79e-625f-4803-8050-25d55e530dee",
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "panelRefName": "panel_4bbea79e-625f-4803-8050-25d55e530dee"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs AWS] API Gateway Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-20T14:05:48.227Z",
+ "id": "aws-5465f0f0-26e4-11ee-9051-011d57d86fe2",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern",
+ "id": "logs-*"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "124faec6-fedf-4a5c-b060-ab3f03a8cdbe:indexpattern-datasource-layer-06dccdd0-c0b9-4519-a299-53546adbc735"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "9a82e092-0e19-4f51-8879-680d1ed0ba44:indexpattern-datasource-layer-06dccdd0-c0b9-4519-a299-53546adbc735"
+ },
+ {
+ "name": "245be50a-a099-4712-bbf5-2b6ce1368ec7:indexpattern-datasource-layer-e0c50ea5-82ba-4ee6-be31-497faf705f15",
+ "id": "logs-*",
+ "type": "index-pattern"
+ },
+ {
+ "type": "index-pattern",
+ "id": "logs-*",
+ "name": "92abd08c-7a30-4df3-bfae-31f101cd3f02:indexpattern-datasource-layer-06dccdd0-c0b9-4519-a299-53546adbc735"
+ },
+ {
+ "name": "4df6f1a3-5307-4b0d-8e77-d2d1c1cfe423:indexpattern-datasource-layer-e0c50ea5-82ba-4ee6-be31-497faf705f15",
+ "id": "logs-*",
+ "type": "index-pattern"
+ },
+ {
+ "name": "e779f254-8384-4e2f-aea1-0dc375931e25:indexpattern-datasource-layer-e0c50ea5-82ba-4ee6-be31-497faf705f15",
+ "id": "logs-*",
+ "type": "index-pattern"
+ },
+ {
+ "name": "df1c2d17-abc3-4e03-999b-4e8a082cb302:indexpattern-datasource-layer-c7dca2ac-c8e3-48eb-b604-609a2a808cae",
+ "id": "logs-*",
+ "type": "index-pattern"
+ },
+ {
+ "name": "cfe1a0fc-f948-4dce-bb6f-41ae6b018f0d:indexpattern-datasource-layer-8fb38a54-10e3-47e3-83c5-8853e0afe9da",
+ "id": "logs-*",
+ "type": "index-pattern"
+ },
+ {
+ "name": "4bbea79e-625f-4803-8050-25d55e530dee:panel_4bbea79e-625f-4803-8050-25d55e530dee",
+ "type": "search",
+ "id": "aws-4f41d150-2704-11ee-81f9-fdf97c8e03a6"
+ },
+ {
+ "name": "controlGroup_8f39f203-e0d6-4567-bcae-8b2f875cf442:optionsListDataView",
+ "type": "index-pattern",
+ "id": "logs-*"
+ },
+ {
+ "name": "controlGroup_7acb90a0-4fc1-4ed9-bf45-2a00e082c705:optionsListDataView",
+ "type": "index-pattern",
+ "id": "logs-*"
+ },
+ {
+ "name": "controlGroup_a9bf185b-ff91-4165-8584-6075e830a2b0:optionsListDataView",
+ "type": "index-pattern",
+ "id": "logs-*"
+ },
+ {
+ "name": "controlGroup_14595511-24be-417b-af74-625ad0e7319a:optionsListDataView",
+ "type": "index-pattern",
+ "id": "logs-*"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/aws/kibana/dashboard/aws-562bdea0-4ba7-11ec-8282-5342b8988acc.json b/packages/aws/kibana/dashboard/aws-562bdea0-4ba7-11ec-8282-5342b8988acc.json
index b3b06e32338..e3d6f7368e3 100644
--- a/packages/aws/kibana/dashboard/aws-562bdea0-4ba7-11ec-8282-5342b8988acc.json
+++ b/packages/aws/kibana/dashboard/aws-562bdea0-4ba7-11ec-8282-5342b8988acc.json
@@ -1,14 +1,12 @@
{
- "id": "aws-562bdea0-4ba7-11ec-8282-5342b8988acc",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-08-01T13:47:45.463Z",
- "version": "Wzg1MywxXQ==",
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"93146885-2c36-40c3-8245-14518519f97e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"93146885-2c36-40c3-8245-14518519f97e\",\"fieldName\":\"cloud.region\",\"title\":\"Region\",\"enhancements\":{}}},\"6a637a29-9089-4826-aa65-088a3bbeb98f\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"6a637a29-9089-4826-aa65-088a3bbeb98f\",\"fieldName\":\"cloud.availability_zone\",\"title\":\"Availability Zone\",\"enhancements\":{}}},\"fdc8cb1e-fc15-4f63-8ce7-0027c9d10ad3\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"fdc8cb1e-fc15-4f63-8ce7-0027c9d10ad3\",\"fieldName\":\"observer.name\",\"title\":\"Firewall\",\"enhancements\":{}}}}"
+ },
"description": "Dashboard providing statistics about flows ingested from the AWS Network Firewall integration.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
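Review bot: `controlGroupInput.panelsJSON` and `ignoreParentSettingsJSON` are committed as escaped JSON strings, while `optionsJSON` and the dashboard-level `panelsJSON` later in the same file are stored as decoded objects, so the three control definitions (on `cloud.region`, `cloud.availability_zone` and `observer.name`) land on a single line that cannot be meaningfully diffed or reviewed field by field. If the package build tooling accepts the decoded form for these keys as it does for the others, storing them as objects would keep the file's representation consistent and make later edits to the controls visible in review; if the string form is required here, that is worth stating in the commit message. The enclosing `attributes` object continues outside the hunk.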
@@ -64,20 +62,12 @@
"optionsJSON": {
"hidePanelTitles": false,
"syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
- "version": "8.1.0",
- "type": "visualization",
- "gridData": {
- "h": 15,
- "i": "258f7245-5011-4f03-bcd3-cada0180dc7a",
- "w": 12,
- "x": 0,
- "y": 0
- },
- "panelIndex": "258f7245-5011-4f03-bcd3-cada0180dc7a",
"embeddableConfig": {
"enhancements": {},
"savedVis": {
@@ -101,106 +91,20 @@
"title": "",
"type": "markdown",
"uiState": {}
- },
- "type": "visualization"
- }
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "title": "Firewall Filters [Logs AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "controls": [
- {
- "fieldName": "cloud.region",
- "id": "1637591016076",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Region",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "cloud.availability_zone",
- "id": "1637591029629",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Availability Zone",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "observer.name",
- "id": "1637591118622",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "Firewall",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": false,
- "useTimeFilter": false
- },
- "type": "input_control_vis",
- "data": {
- "aggs": [],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- }
}
},
"gridData": {
- "h": 7,
- "i": "9acd5716-4bce-498a-9a4e-4d4fd81dfdc2",
- "w": 36,
- "x": 12,
+ "h": 16,
+ "i": "258f7245-5011-4f03-bcd3-cada0180dc7a",
+ "w": 18,
+ "x": 0,
"y": 0
},
- "panelIndex": "9acd5716-4bce-498a-9a4e-4d4fd81dfdc2",
- "title": "Firewall Filters",
+ "panelIndex": "258f7245-5011-4f03-bcd3-cada0180dc7a",
"type": "visualization",
- "version": "8.0.0"
+ "version": "8.8.1"
},
{
- "version": "8.1.0",
- "type": "lens",
- "gridData": {
- "h": 8,
- "i": "09caeba8-1f98-4937-b1b8-60debe3e3728",
- "w": 6,
- "x": 12,
- "y": 7
- },
- "panelIndex": "09caeba8-1f98-4937-b1b8-60debe3e3728",
"embeddableConfig": {
"attributes": {
"references": [
@@ -217,7 +121,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -263,30 +167,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Flows"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "4c85d573-baea-49ca-bb9e-4013a0373da7",
- "w": 6,
+ "i": "09caeba8-1f98-4937-b1b8-60debe3e3728",
+ "w": 10,
"x": 18,
- "y": 7
+ "y": 0
},
- "panelIndex": "4c85d573-baea-49ca-bb9e-4013a0373da7",
+ "panelIndex": "09caeba8-1f98-4937-b1b8-60debe3e3728",
+ "title": "Unique Flows",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -303,7 +209,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -349,30 +255,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Destination IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
- "w": 6,
- "x": 24,
- "y": 7
+ "i": "4c85d573-baea-49ca-bb9e-4013a0373da7",
+ "w": 10,
+ "x": 28,
+ "y": 0
},
- "panelIndex": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
+ "panelIndex": "4c85d573-baea-49ca-bb9e-4013a0373da7",
+ "title": "Unique Destination IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -389,7 +297,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -401,10 +309,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Unique Source IPs",
+ "label": "Unique Network Protocols",
"operationType": "formula",
"params": {
- "formula": "unique_count(source.ip)",
+ "formula": "unique_count(network.protocol)",
"isFormulaBroken": false
},
"references": [
@@ -416,10 +324,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Part of unique_count(source.ip)",
+ "label": "Part of Unique Rules",
"operationType": "unique_count",
"scale": "ratio",
- "sourceField": "source.ip"
+ "sourceField": "network.protocol"
}
},
"incompleteColumns": {}
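Review bot: The reference column's label on the new side, `Part of Unique Rules`, does not describe what the column now computes, which is `unique_count` over `network.protocol` feeding the `Unique Network Protocols` formula in the preceding hunk (-401). The sibling panels name these columns after the field, e.g. `Part of unique_count(source.ip)`, so `"label": "Part of unique_count(network.protocol)"` would be consistent; the same mismatch appears at the -588 hunk, where `Part of Unique Network Protocols` sits on `sourceField` `network.transport`. These labels are presumably not rendered in the metric itself, but they are what the Lens editor shows when the panel is opened, so a stale one reads as a wiring error.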
@@ -435,30 +343,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Source IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "6d617b1a-a973-4136-8d93-15e5c72c43f2",
- "w": 6,
- "x": 30,
- "y": 7
+ "i": "673dd2b3-e271-4ad9-9b86-83e4e1070647",
+ "w": 10,
+ "x": 38,
+ "y": 0
},
- "panelIndex": "6d617b1a-a973-4136-8d93-15e5c72c43f2",
+ "panelIndex": "673dd2b3-e271-4ad9-9b86-83e4e1070647",
+ "title": "Unique Network Protocols",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -475,7 +385,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -487,10 +397,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Unique Transport Protocols",
+ "label": "Unique Source IPs",
"operationType": "formula",
"params": {
- "formula": "unique_count(network.transport)",
+ "formula": "unique_count(source.ip)",
"isFormulaBroken": false
},
"references": [
@@ -502,10 +412,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Part of Unique Network Protocols",
+ "label": "Part of unique_count(source.ip)",
"operationType": "unique_count",
"scale": "ratio",
- "sourceField": "network.transport"
+ "sourceField": "source.ip"
}
},
"incompleteColumns": {}
@@ -521,30 +431,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Network Protocols"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "673dd2b3-e271-4ad9-9b86-83e4e1070647",
- "w": 6,
- "x": 36,
- "y": 7
+ "i": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
+ "w": 10,
+ "x": 18,
+ "y": 8
},
- "panelIndex": "673dd2b3-e271-4ad9-9b86-83e4e1070647",
+ "panelIndex": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
+ "title": "Unique Source IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -561,7 +473,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -573,10 +485,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Unique Network Protocols",
+ "label": "Unique Transport Protocols",
"operationType": "formula",
"params": {
- "formula": "unique_count(network.protocol)",
+ "formula": "unique_count(network.transport)",
"isFormulaBroken": false
},
"references": [
@@ -588,10 +500,10 @@
"customLabel": true,
"dataType": "number",
"isBucketed": false,
- "label": "Part of Unique Rules",
+ "label": "Part of Unique Network Protocols",
"operationType": "unique_count",
"scale": "ratio",
- "sourceField": "network.protocol"
+ "sourceField": "network.transport"
}
},
"incompleteColumns": {}
@@ -607,30 +519,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Network Protocols"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 8,
- "i": "77a70f50-9523-45f0-bbf6-cd6628d2ef53",
- "w": 6,
- "x": 42,
- "y": 7
+ "i": "6d617b1a-a973-4136-8d93-15e5c72c43f2",
+ "w": 10,
+ "x": 28,
+ "y": 8
},
- "panelIndex": "77a70f50-9523-45f0-bbf6-cd6628d2ef53",
+ "panelIndex": "6d617b1a-a973-4136-8d93-15e5c72c43f2",
+ "title": "Unique Network Protocols",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -647,7 +561,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -685,30 +599,32 @@
"visualization": {
"accessor": "fe2e527e-c274-42c2-8d95-0c5955356eb8",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Total Bytes"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 15,
- "i": "227abb53-ab6c-40f9-af63-6c6ac41d6855",
- "w": 12,
- "x": 0,
- "y": 15
+ "h": 8,
+ "i": "77a70f50-9523-45f0-bbf6-cd6628d2ef53",
+ "w": 10,
+ "x": 38,
+ "y": 8
},
- "panelIndex": "227abb53-ab6c-40f9-af63-6c6ac41d6855",
+ "panelIndex": "77a70f50-9523-45f0-bbf6-cd6628d2ef53",
+ "title": "Total Bytes",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -725,7 +641,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"77c8c7dc-b073-4d7c-8403-b25ee4647152": {
"columnOrder": [
@@ -793,16 +709,19 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
- "4c3d3741-afe6-403d-bc83-7f90196c291a",
- "1d64873d-37af-48f4-b6ec-911b6e0243cd"
- ],
"layerId": "77c8c7dc-b073-4d7c-8403-b25ee4647152",
"layerType": "data",
"legendDisplay": "default",
- "metric": "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6",
+ "legendSize": "auto",
+ "metrics": [
+ "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6"
+ ],
"nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "4c3d3741-afe6-403d-bc83-7f90196c291a",
+ "1d64873d-37af-48f4-b6ec-911b6e0243cd"
+ ]
}
],
"shape": "donut"
@@ -813,22 +732,21 @@
"visualizationType": "lnsPie"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Protocols"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "2148efa5-f130-4751-909d-6a79eed2e16b",
+ "i": "227abb53-ab6c-40f9-af63-6c6ac41d6855",
"w": 12,
- "x": 12,
- "y": 15
+ "x": 0,
+ "y": 16
},
- "panelIndex": "2148efa5-f130-4751-909d-6a79eed2e16b",
+ "panelIndex": "227abb53-ab6c-40f9-af63-6c6ac41d6855",
+ "title": "Top Protocols",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -845,7 +763,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"77c8c7dc-b073-4d7c-8403-b25ee4647152": {
"columnOrder": [
@@ -894,15 +812,18 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
- "f49ff962-9e8a-4170-a0d8-54cee9438651"
- ],
"layerId": "77c8c7dc-b073-4d7c-8403-b25ee4647152",
"layerType": "data",
"legendDisplay": "default",
- "metric": "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6",
+ "legendSize": "auto",
+ "metrics": [
+ "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6"
+ ],
"nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "f49ff962-9e8a-4170-a0d8-54cee9438651"
+ ]
}
],
"shape": "pie"
@@ -913,22 +834,21 @@
"visualizationType": "lnsPie"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Source Countries"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "6790d45f-4fa9-4a70-b0e1-a3e10682c852",
+ "i": "2148efa5-f130-4751-909d-6a79eed2e16b",
"w": 12,
- "x": 24,
- "y": 15
+ "x": 12,
+ "y": 16
},
- "panelIndex": "6790d45f-4fa9-4a70-b0e1-a3e10682c852",
+ "panelIndex": "2148efa5-f130-4751-909d-6a79eed2e16b",
+ "title": "Top Source Countries",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -945,7 +865,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"77c8c7dc-b073-4d7c-8403-b25ee4647152": {
"columnOrder": [
@@ -994,15 +914,18 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
- "f49ff962-9e8a-4170-a0d8-54cee9438651"
- ],
"layerId": "77c8c7dc-b073-4d7c-8403-b25ee4647152",
"layerType": "data",
"legendDisplay": "default",
- "metric": "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6",
+ "legendSize": "auto",
+ "metrics": [
+ "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6"
+ ],
"nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "f49ff962-9e8a-4170-a0d8-54cee9438651"
+ ]
}
],
"shape": "pie"
@@ -1013,22 +936,21 @@
"visualizationType": "lnsPie"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Destination Countries"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "cdab9d28-4b3b-4228-8e3a-6e3d29022815",
+ "i": "6790d45f-4fa9-4a70-b0e1-a3e10682c852",
"w": 12,
- "x": 36,
- "y": 15
+ "x": 24,
+ "y": 16
},
- "panelIndex": "cdab9d28-4b3b-4228-8e3a-6e3d29022815",
+ "panelIndex": "6790d45f-4fa9-4a70-b0e1-a3e10682c852",
+ "title": "Top Destination Countries",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1045,7 +967,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"77c8c7dc-b073-4d7c-8403-b25ee4647152": {
"columnOrder": [
@@ -1094,15 +1016,18 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
- "b6083b5e-5207-4632-9f23-e76872d504e4"
- ],
"layerId": "77c8c7dc-b073-4d7c-8403-b25ee4647152",
"layerType": "data",
"legendDisplay": "default",
- "metric": "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6",
+ "legendSize": "auto",
+ "metrics": [
+ "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6"
+ ],
"nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "b6083b5e-5207-4632-9f23-e76872d504e4"
+ ]
}
],
"shape": "pie"
@@ -1113,22 +1038,21 @@
"visualizationType": "lnsPie"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Firewalls"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 11,
- "i": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb",
+ "h": 15,
+ "i": "cdab9d28-4b3b-4228-8e3a-6e3d29022815",
"w": 12,
- "x": 12,
- "y": 30
+ "x": 36,
+ "y": 16
},
- "panelIndex": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb",
+ "panelIndex": "cdab9d28-4b3b-4228-8e3a-6e3d29022815",
+ "title": "Top Firewalls",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1145,7 +1069,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"a5c93c96-5038-49e1-acca-2e876257c059": {
"columnOrder": [
@@ -1155,7 +1079,7 @@
"columns": {
"63e483b4-0ce2-4f05-92a2-8e699650d64c": {
"customLabel": true,
- "dataType": "ip",
+ "dataType": "string",
"isBucketed": true,
"label": "Source IP",
"operationType": "terms",
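Review bot: The `Source IP` label on this terms column is left unchanged while its `sourceField` becomes `network.protocol` in the next hunk (-1170) and the panel is titled `Top Protocols` at the -1211 hunk, so the datatable's column header will read "Source IP" above a list of protocol names. `customLabel` is `true`, so Lens will not regenerate the header from the field; change it alongside the `dataType` edit, e.g. `"label": "Protocol"`. The enclosing column definition continues outside the hunk.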
@@ -1170,7 +1094,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "source.ip"
+ "sourceField": "network.protocol"
},
"915adad5-4455-40d4-a9cd-0702da79189c": {
"dataType": "number",
@@ -1203,7 +1127,9 @@
}
],
"layerId": "a5c93c96-5038-49e1-acca-2e876257c059",
- "layerType": "data"
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
}
},
"title": "",
@@ -1211,22 +1137,21 @@
"visualizationType": "lnsDatatable"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Source IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 11,
- "i": "dae8d2e7-7949-4023-9926-58af14895e11",
+ "i": "29627829-7a4d-4fc3-9ee4-c9af667dd941",
"w": 12,
- "x": 24,
- "y": 30
+ "x": 0,
+ "y": 31
},
- "panelIndex": "dae8d2e7-7949-4023-9926-58af14895e11",
+ "panelIndex": "29627829-7a4d-4fc3-9ee4-c9af667dd941",
+ "title": "Top Protocols",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1243,7 +1168,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"a5c93c96-5038-49e1-acca-2e876257c059": {
"columnOrder": [
@@ -1255,7 +1180,7 @@
"customLabel": true,
"dataType": "ip",
"isBucketed": true,
- "label": "Destination IP",
+ "label": "Source IP",
"operationType": "terms",
"params": {
"missingBucket": false,
@@ -1268,7 +1193,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "destination.ip"
+ "sourceField": "source.ip"
},
"915adad5-4455-40d4-a9cd-0702da79189c": {
"dataType": "number",
@@ -1301,7 +1226,9 @@
}
],
"layerId": "a5c93c96-5038-49e1-acca-2e876257c059",
- "layerType": "data"
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
}
},
"title": "",
@@ -1309,22 +1236,21 @@
"visualizationType": "lnsDatatable"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Destination IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 11,
- "i": "ce8caf3c-c830-4500-a4bf-66a9f354cd49",
+ "i": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb",
"w": 12,
- "x": 36,
- "y": 30
+ "x": 12,
+ "y": 31
},
- "panelIndex": "ce8caf3c-c830-4500-a4bf-66a9f354cd49",
+ "panelIndex": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb",
+ "title": "Top Source IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1341,27 +1267,19 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"a5c93c96-5038-49e1-acca-2e876257c059": {
"columnOrder": [
- "bcad6771-9620-48eb-b728-c5548423a150",
+ "63e483b4-0ce2-4f05-92a2-8e699650d64c",
"915adad5-4455-40d4-a9cd-0702da79189c"
],
"columns": {
- "915adad5-4455-40d4-a9cd-0702da79189c": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Count of records",
- "operationType": "count",
- "scale": "ratio",
- "sourceField": "___records___"
- },
- "bcad6771-9620-48eb-b728-c5548423a150": {
+ "63e483b4-0ce2-4f05-92a2-8e699650d64c": {
"customLabel": true,
- "dataType": "string",
+ "dataType": "ip",
"isBucketed": true,
- "label": "Firewalls",
+ "label": "Destination IP",
"operationType": "terms",
"params": {
"missingBucket": false,
@@ -1374,7 +1292,15 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "observer.name"
+ "sourceField": "destination.ip"
+ },
+ "915adad5-4455-40d4-a9cd-0702da79189c": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
}
},
"incompleteColumns": {}
@@ -1390,16 +1316,18 @@
"visualization": {
"columns": [
{
- "columnId": "bcad6771-9620-48eb-b728-c5548423a150",
+ "columnId": "915adad5-4455-40d4-a9cd-0702da79189c",
"isTransposed": false
},
{
- "columnId": "915adad5-4455-40d4-a9cd-0702da79189c",
+ "columnId": "63e483b4-0ce2-4f05-92a2-8e699650d64c",
"isTransposed": false
}
],
"layerId": "a5c93c96-5038-49e1-acca-2e876257c059",
- "layerType": "data"
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
}
},
"title": "",
@@ -1407,22 +1335,21 @@
"visualizationType": "lnsDatatable"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Firewalls"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 11,
- "i": "29627829-7a4d-4fc3-9ee4-c9af667dd941",
+ "i": "dae8d2e7-7949-4023-9926-58af14895e11",
"w": 12,
- "x": 0,
- "y": 30
+ "x": 24,
+ "y": 31
},
- "panelIndex": "29627829-7a4d-4fc3-9ee4-c9af667dd941",
+ "panelIndex": "dae8d2e7-7949-4023-9926-58af14895e11",
+ "title": "Top Destination IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1439,19 +1366,27 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"a5c93c96-5038-49e1-acca-2e876257c059": {
"columnOrder": [
- "63e483b4-0ce2-4f05-92a2-8e699650d64c",
+ "bcad6771-9620-48eb-b728-c5548423a150",
"915adad5-4455-40d4-a9cd-0702da79189c"
],
"columns": {
- "63e483b4-0ce2-4f05-92a2-8e699650d64c": {
+ "915adad5-4455-40d4-a9cd-0702da79189c": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "bcad6771-9620-48eb-b728-c5548423a150": {
"customLabel": true,
"dataType": "string",
"isBucketed": true,
- "label": "Source IP",
+ "label": "Firewalls",
"operationType": "terms",
"params": {
"missingBucket": false,
@@ -1464,15 +1399,7 @@
"size": 5
},
"scale": "ordinal",
- "sourceField": "network.protocol"
- },
- "915adad5-4455-40d4-a9cd-0702da79189c": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Count of records",
- "operationType": "count",
- "scale": "ratio",
- "sourceField": "___records___"
+ "sourceField": "observer.name"
}
},
"incompleteColumns": {}
@@ -1488,16 +1415,18 @@
"visualization": {
"columns": [
{
- "columnId": "915adad5-4455-40d4-a9cd-0702da79189c",
+ "columnId": "bcad6771-9620-48eb-b728-c5548423a150",
"isTransposed": false
},
{
- "columnId": "63e483b4-0ce2-4f05-92a2-8e699650d64c",
+ "columnId": "915adad5-4455-40d4-a9cd-0702da79189c",
"isTransposed": false
}
],
"layerId": "a5c93c96-5038-49e1-acca-2e876257c059",
- "layerType": "data"
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
}
},
"title": "",
@@ -1505,10 +1434,19 @@
"visualizationType": "lnsDatatable"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Protocols"
+ "gridData": {
+ "h": 11,
+ "i": "ce8caf3c-c830-4500-a4bf-66a9f354cd49",
+ "w": 12,
+ "x": 36,
+ "y": 31
+ },
+ "panelIndex": "ce8caf3c-c830-4500-a4bf-66a9f354cd49",
+ "title": "Top Firewalls",
+ "type": "lens",
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -1530,19 +1468,25 @@
"i": "0de2176d-e3ab-4911-933e-fb0f46ca6700",
"w": 48,
"x": 0,
- "y": 41
+ "y": 42
},
"panelIndex": "0de2176d-e3ab-4911-933e-fb0f46ca6700",
"panelRefName": "panel_0de2176d-e3ab-4911-933e-fb0f46ca6700",
"title": "Firewall Logs",
"type": "search",
- "version": "7.15.1"
+ "version": "8.8.1"
}
],
"timeRestore": false,
"title": "[Logs AWS] Firewall Flows",
"version": 1
},
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T09:17:37.345Z",
+ "id": "aws-562bdea0-4ba7-11ec-8282-5342b8988acc",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
"references": [
{
"id": "logs-*",
@@ -1576,32 +1520,32 @@
},
{
"id": "logs-*",
- "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:indexpattern-datasource-current-indexpattern",
+ "name": "673dd2b3-e271-4ad9-9b86-83e4e1070647:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
+ "name": "673dd2b3-e271-4ad9-9b86-83e4e1070647:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "6d617b1a-a973-4136-8d93-15e5c72c43f2:indexpattern-datasource-current-indexpattern",
+ "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "6d617b1a-a973-4136-8d93-15e5c72c43f2:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
+ "name": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "673dd2b3-e271-4ad9-9b86-83e4e1070647:indexpattern-datasource-current-indexpattern",
+ "name": "6d617b1a-a973-4136-8d93-15e5c72c43f2:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "673dd2b3-e271-4ad9-9b86-83e4e1070647:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
+ "name": "6d617b1a-a973-4136-8d93-15e5c72c43f2:indexpattern-datasource-layer-454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
"type": "index-pattern"
},
{
@@ -1656,42 +1600,42 @@
},
{
"id": "logs-*",
- "name": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb:indexpattern-datasource-current-indexpattern",
+ "name": "29627829-7a4d-4fc3-9ee4-c9af667dd941:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb:indexpattern-datasource-layer-a5c93c96-5038-49e1-acca-2e876257c059",
+ "name": "29627829-7a4d-4fc3-9ee4-c9af667dd941:indexpattern-datasource-layer-a5c93c96-5038-49e1-acca-2e876257c059",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "dae8d2e7-7949-4023-9926-58af14895e11:indexpattern-datasource-current-indexpattern",
+ "name": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "dae8d2e7-7949-4023-9926-58af14895e11:indexpattern-datasource-layer-a5c93c96-5038-49e1-acca-2e876257c059",
+ "name": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb:indexpattern-datasource-layer-a5c93c96-5038-49e1-acca-2e876257c059",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "ce8caf3c-c830-4500-a4bf-66a9f354cd49:indexpattern-datasource-current-indexpattern",
+ "name": "dae8d2e7-7949-4023-9926-58af14895e11:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "ce8caf3c-c830-4500-a4bf-66a9f354cd49:indexpattern-datasource-layer-a5c93c96-5038-49e1-acca-2e876257c059",
+ "name": "dae8d2e7-7949-4023-9926-58af14895e11:indexpattern-datasource-layer-a5c93c96-5038-49e1-acca-2e876257c059",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "29627829-7a4d-4fc3-9ee4-c9af667dd941:indexpattern-datasource-current-indexpattern",
+ "name": "ce8caf3c-c830-4500-a4bf-66a9f354cd49:indexpattern-datasource-current-indexpattern",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "29627829-7a4d-4fc3-9ee4-c9af667dd941:indexpattern-datasource-layer-a5c93c96-5038-49e1-acca-2e876257c059",
+ "name": "ce8caf3c-c830-4500-a4bf-66a9f354cd49:indexpattern-datasource-layer-a5c93c96-5038-49e1-acca-2e876257c059",
"type": "index-pattern"
},
{
@@ -1700,23 +1644,20 @@
"type": "search"
},
{
- "type": "index-pattern",
- "name": "9acd5716-4bce-498a-9a4e-4d4fd81dfdc2:control_0_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_93146885-2c36-40c3-8245-14518519f97e:optionsListDataView",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "9acd5716-4bce-498a-9a4e-4d4fd81dfdc2:control_1_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_6a637a29-9089-4826-aa65-088a3bbeb98f:optionsListDataView",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "9acd5716-4bce-498a-9a4e-4d4fd81dfdc2:control_2_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_fdc8cb1e-fc15-4f63-8ce7-0027c9d10ad3:optionsListDataView",
+ "type": "index-pattern"
}
],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/aws/kibana/dashboard/aws-81f2c980-e743-11ec-93f6-9b98f71110cd.json b/packages/aws/kibana/dashboard/aws-81f2c980-e743-11ec-93f6-9b98f71110cd.json
index fbc8f507a99..b76afe0f19b 100644
--- a/packages/aws/kibana/dashboard/aws-81f2c980-e743-11ec-93f6-9b98f71110cd.json
+++ b/packages/aws/kibana/dashboard/aws-81f2c980-e743-11ec-93f6-9b98f71110cd.json
@@ -1,14 +1,12 @@
{
- "id": "aws-81f2c980-e743-11ec-93f6-9b98f71110cd",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-08-01T13:47:45.463Z",
- "version": "Wzg1OCwxXQ==",
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"8e87fad0-fc18-4bf8-862b-e015f6b6588b\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"8e87fad0-fc18-4bf8-862b-e015f6b6588b\",\"fieldName\":\"cloud.account.name\",\"title\":\"Account Name\",\"enhancements\":{}}},\"8606570c-7081-4ba2-94e9-c553d33c2acf\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"8606570c-7081-4ba2-94e9-c553d33c2acf\",\"fieldName\":\"aws.dimensions.ClusterIdentifier\",\"title\":\"Cluster Identifier\",\"enhancements\":{}}}}"
+ },
"description": "Overview of Amazon Redshift metrics",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
@@ -43,23 +41,15 @@
"optionsJSON": {
"hidePanelTitles": false,
"syncColors": true,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": false
},
"panelsJSON": [
{
- "version": "8.1.0",
- "type": "visualization",
- "gridData": {
- "h": 6,
- "i": "88b83992-1fc4-4509-b89d-2de22163f92c",
- "w": 48,
- "x": 0,
- "y": 0
- },
- "panelIndex": "88b83992-1fc4-4509-b89d-2de22163f92c",
"embeddableConfig": {
"enhancements": {},
- "hidePanelTitles": false,
+ "hidePanelTitles": true,
"savedVis": {
"data": {
"aggs": [],
@@ -72,54 +62,17 @@
}
},
"description": "",
+ "id": "",
"params": {
- "controls": [
- {
- "fieldName": "cloud.account.name",
- "id": "1549397251041",
- "indexPatternRefName": "control_88b83992-1fc4-4509-b89d-2de22163f92c_0_index_pattern",
- "label": "account name",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "aws.dimensions.ClusterIdentifier",
- "id": "1655371342369",
- "indexPatternRefName": "control_88b83992-1fc4-4509-b89d-2de22163f92c_1_index_pattern",
- "label": "cluster identifier",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": true,
- "useTimeFilter": false
+ "fontSize": 12,
+ "markdown": "## Cluster monitoring",
+ "openLinksInNewTab": false
},
"title": "",
- "type": "input_control_vis",
+ "type": "markdown",
"uiState": {}
- },
- "type": "visualization"
+ }
},
- "title": "AWS Account and Redshift Cluster Filters"
- },
- {
- "version": "8.1.0",
- "type": "visualization",
"gridData": {
"h": 5,
"i": "dffd1329-1668-441d-907d-c04a5cee3fcc",
@@ -128,45 +81,10 @@
"y": 6
},
"panelIndex": "dffd1329-1668-441d-907d-c04a5cee3fcc",
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": true,
- "savedVis": {
- "data": {
- "aggs": [],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "",
- "id": "",
- "params": {
- "fontSize": 12,
- "markdown": "## Cluster monitoring",
- "openLinksInNewTab": false
- },
- "title": "",
- "type": "markdown",
- "uiState": {}
- },
- "type": "visualization"
- }
+ "type": "visualization",
+ "version": "8.8.1"
},
{
- "version": "8.1.0",
- "type": "lens",
- "gridData": {
- "h": 15,
- "i": "500e407a-5b1e-4963-b229-f14024f7678d",
- "w": 24,
- "x": 0,
- "y": 11
- },
- "panelIndex": "500e407a-5b1e-4963-b229-f14024f7678d",
"embeddableConfig": {
"attributes": {
"references": [
@@ -183,7 +101,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"f26f3fa9-c910-4463-917a-a5190e20d8cc": {
"columnOrder": [
@@ -258,6 +176,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -274,22 +193,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Health Status"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "cdb8dc8b-e920-459d-b55e-462059dd148c",
+ "i": "500e407a-5b1e-4963-b229-f14024f7678d",
"w": 24,
- "x": 24,
+ "x": 0,
"y": 11
},
- "panelIndex": "cdb8dc8b-e920-459d-b55e-462059dd148c",
+ "panelIndex": "500e407a-5b1e-4963-b229-f14024f7678d",
+ "title": "Health Status",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -306,7 +224,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"63ac4267-da50-47f2-a95d-f210ac96e7be": {
"columnOrder": [
@@ -382,6 +300,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -403,22 +322,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Maintenance mode"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 12,
- "i": "e1952ece-22a7-4d9e-a96d-035e49e48e89",
- "w": 15,
- "x": 0,
- "y": 26
+ "h": 15,
+ "i": "cdb8dc8b-e920-459d-b55e-462059dd148c",
+ "w": 24,
+ "x": 24,
+ "y": 11
},
- "panelIndex": "e1952ece-22a7-4d9e-a96d-035e49e48e89",
+ "panelIndex": "cdb8dc8b-e920-459d-b55e-462059dd148c",
+ "title": "Maintenance mode",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -435,7 +353,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"07d0e5df-2cdd-4f7d-89a5-79cd6faf96d2": {
"columnOrder": [
@@ -474,29 +392,31 @@
"visualization": {
"accessor": "9dc06753-8051-4a65-8122-bd693491cf43",
"layerId": "07d0e5df-2cdd-4f7d-89a5-79cd6faf96d2",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": true,
- "type": "lens"
- }
- },
- {
- "version": "8.1.0",
- "type": "lens",
+ "hidePanelTitles": true
+ },
"gridData": {
"h": 12,
- "i": "a2c1cf3b-86a2-4a9f-9f5f-99c51d536a5a",
- "w": 33,
- "x": 15,
+ "i": "e1952ece-22a7-4d9e-a96d-035e49e48e89",
+ "w": 15,
+ "x": 0,
"y": 26
},
- "panelIndex": "a2c1cf3b-86a2-4a9f-9f5f-99c51d536a5a",
+ "panelIndex": "e1952ece-22a7-4d9e-a96d-035e49e48e89",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -513,7 +433,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"95dadc13-e250-40e4-8ae8-9c612d40d8b5": {
"columnOrder": [
@@ -590,6 +510,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -606,22 +527,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Database connections"
- },
- {
- "version": "8.1.0",
- "type": "visualization",
"gridData": {
- "h": 5,
- "i": "c150200d-1645-49be-a3f6-103da488bc4e",
- "w": 48,
- "x": 0,
- "y": 38
+ "h": 12,
+ "i": "a2c1cf3b-86a2-4a9f-9f5f-99c51d536a5a",
+ "w": 33,
+ "x": 15,
+ "y": 26
},
- "panelIndex": "c150200d-1645-49be-a3f6-103da488bc4e",
+ "panelIndex": "a2c1cf3b-86a2-4a9f-9f5f-99c51d536a5a",
+ "title": "Database connections",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"enhancements": {},
"hidePanelTitles": true,
@@ -646,21 +566,20 @@
"title": "",
"type": "markdown",
"uiState": {}
- },
- "type": "visualization"
- }
- },
- {
- "version": "8.1.0",
- "type": "lens",
+ }
+ },
"gridData": {
- "h": 14,
- "i": "818689c7-efe0-4c41-9fa7-640b9281d4d8",
- "w": 15,
+ "h": 5,
+ "i": "c150200d-1645-49be-a3f6-103da488bc4e",
+ "w": 48,
"x": 0,
- "y": 43
+ "y": 38
},
- "panelIndex": "818689c7-efe0-4c41-9fa7-640b9281d4d8",
+ "panelIndex": "c150200d-1645-49be-a3f6-103da488bc4e",
+ "type": "visualization",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -677,7 +596,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"e8f1122f-78fe-4db5-b05e-e87553c61237": {
"columnOrder": [
@@ -761,29 +680,31 @@
]
},
"type": "palette"
- }
+ },
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": true,
- "type": "lens"
- }
- },
- {
- "version": "8.1.0",
- "type": "lens",
+ "hidePanelTitles": true
+ },
"gridData": {
"h": 14,
- "i": "860dc77f-8d28-4af7-8c04-baf0ad10e402",
- "w": 33,
- "x": 15,
+ "i": "818689c7-efe0-4c41-9fa7-640b9281d4d8",
+ "w": 15,
+ "x": 0,
"y": 43
},
- "panelIndex": "860dc77f-8d28-4af7-8c04-baf0ad10e402",
+ "panelIndex": "818689c7-efe0-4c41-9fa7-640b9281d4d8",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -800,7 +721,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"27acbd7b-a2c6-4116-989a-ec58fc9d0e29": {
"columnOrder": [
@@ -908,6 +829,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right",
"showSingleSeries": false
},
@@ -929,22 +851,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "CPU Utilization per Node"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 15,
- "i": "2ce96451-53a0-4fb7-90a4-0ef0d09b9aa3",
- "w": 24,
- "x": 0,
- "y": 57
+ "h": 14,
+ "i": "860dc77f-8d28-4af7-8c04-baf0ad10e402",
+ "w": 33,
+ "x": 15,
+ "y": 43
},
- "panelIndex": "2ce96451-53a0-4fb7-90a4-0ef0d09b9aa3",
+ "panelIndex": "860dc77f-8d28-4af7-8c04-baf0ad10e402",
+ "title": "CPU Utilization per Node",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -961,7 +882,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"2a63294f-c73c-4822-bf57-5ceebef529f4": {
"columnOrder": [
@@ -1038,6 +959,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -1054,22 +976,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Disk Read Throughput"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "1289046b-48c1-4506-a473-cebc26cc5a1c",
+ "i": "2ce96451-53a0-4fb7-90a4-0ef0d09b9aa3",
"w": 24,
- "x": 24,
+ "x": 0,
"y": 57
},
- "panelIndex": "1289046b-48c1-4506-a473-cebc26cc5a1c",
+ "panelIndex": "2ce96451-53a0-4fb7-90a4-0ef0d09b9aa3",
+ "title": "Disk Read Throughput",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1086,7 +1007,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"115b9c0c-4ad8-44df-b8ed-2771d89a23d2": {
"columnOrder": [
@@ -1163,6 +1084,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -1179,22 +1101,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Storage Write Throughput"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "464712cc-51aa-4e6f-a520-f7b528c17793",
+ "i": "1289046b-48c1-4506-a473-cebc26cc5a1c",
"w": 24,
- "x": 0,
- "y": 72
+ "x": 24,
+ "y": 57
},
- "panelIndex": "464712cc-51aa-4e6f-a520-f7b528c17793",
+ "panelIndex": "1289046b-48c1-4506-a473-cebc26cc5a1c",
+ "title": "Storage Write Throughput",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1211,7 +1132,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"4ebcdab6-4f10-4f42-9f61-e4aec03c380e": {
"columnOrder": [
@@ -1287,6 +1208,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -1303,22 +1225,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Storage Read Latency"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "fd92a37e-9ba8-4134-ac5d-71c1a0d1d0bc",
+ "i": "464712cc-51aa-4e6f-a520-f7b528c17793",
"w": 24,
- "x": 24,
+ "x": 0,
"y": 72
},
- "panelIndex": "fd92a37e-9ba8-4134-ac5d-71c1a0d1d0bc",
+ "panelIndex": "464712cc-51aa-4e6f-a520-f7b528c17793",
+ "title": "Storage Read Latency",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1335,7 +1256,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"9b073139-c687-4094-aa13-d20f79b9f550": {
"columnOrder": [
@@ -1411,6 +1332,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -1427,22 +1349,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Storage Write Latency"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "aa0f68cd-7a8e-4b27-9ec1-b8e288039cca",
- "w": 15,
- "x": 0,
- "y": 102
+ "i": "fd92a37e-9ba8-4134-ac5d-71c1a0d1d0bc",
+ "w": 24,
+ "x": 24,
+ "y": 72
},
- "panelIndex": "aa0f68cd-7a8e-4b27-9ec1-b8e288039cca",
+ "panelIndex": "fd92a37e-9ba8-4134-ac5d-71c1a0d1d0bc",
+ "title": "Storage Write Latency",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1459,7 +1380,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"1fddbb42-ef13-4a93-8b4a-d4e28866916e": {
"columnOrder": [
@@ -1543,29 +1464,31 @@
]
},
"type": "palette"
- }
+ },
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": true,
- "type": "lens"
- }
- },
- {
- "version": "8.1.0",
- "type": "lens",
+ "hidePanelTitles": true
+ },
"gridData": {
"h": 15,
- "i": "9c5ba303-08c6-455c-a1e0-9a85327682ca",
- "w": 33,
- "x": 15,
+ "i": "aa0f68cd-7a8e-4b27-9ec1-b8e288039cca",
+ "w": 15,
+ "x": 0,
"y": 102
},
- "panelIndex": "9c5ba303-08c6-455c-a1e0-9a85327682ca",
+ "panelIndex": "aa0f68cd-7a8e-4b27-9ec1-b8e288039cca",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1582,7 +1505,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"84cfb763-392e-4bb7-9c83-ee13166710ef": {
"columnOrder": [
@@ -1666,6 +1589,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -1685,22 +1609,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Percentage of disk space used"
- },
- {
- "version": "8.1.0",
- "type": "visualization",
"gridData": {
- "h": 5,
- "i": "be4f09e7-c419-435e-987f-98c491928001",
- "w": 48,
- "x": 0,
- "y": 117
+ "h": 15,
+ "i": "9c5ba303-08c6-455c-a1e0-9a85327682ca",
+ "w": 33,
+ "x": 15,
+ "y": 102
},
- "panelIndex": "be4f09e7-c419-435e-987f-98c491928001",
+ "panelIndex": "9c5ba303-08c6-455c-a1e0-9a85327682ca",
+ "title": "Percentage of disk space used",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"enhancements": {},
"hidePanelTitles": true,
@@ -1725,21 +1648,20 @@
"title": "",
"type": "markdown",
"uiState": {}
- },
- "type": "visualization"
- }
- },
- {
- "version": "8.1.0",
- "type": "lens",
+ }
+ },
"gridData": {
- "h": 15,
- "i": "3a0afa56-f307-4f5f-9668-81ed9c6de56f",
- "w": 24,
+ "h": 5,
+ "i": "be4f09e7-c419-435e-987f-98c491928001",
+ "w": 48,
"x": 0,
- "y": 122
+ "y": 117
},
- "panelIndex": "3a0afa56-f307-4f5f-9668-81ed9c6de56f",
+ "panelIndex": "be4f09e7-c419-435e-987f-98c491928001",
+ "type": "visualization",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1756,7 +1678,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"58906b59-5f5e-431d-a8a1-61210e31d56c": {
"columnOrder": [
@@ -1856,6 +1778,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -1872,22 +1795,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Query Duration by latency range"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "8f853d89-2901-48a8-823d-affb864f1078",
+ "i": "3a0afa56-f307-4f5f-9668-81ed9c6de56f",
"w": 24,
- "x": 24,
+ "x": 0,
"y": 122
},
- "panelIndex": "8f853d89-2901-48a8-823d-affb864f1078",
+ "panelIndex": "3a0afa56-f307-4f5f-9668-81ed9c6de56f",
+ "title": "Query Duration by latency range",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1904,7 +1826,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"98a1fb8e-6416-4a46-9545-176a7b58e607": {
"columnOrder": [
@@ -2001,6 +1923,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -2017,22 +1940,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Query duration by WLM queue"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "90e8066a-f9fb-405f-85ba-c0456fcd055a",
+ "i": "8f853d89-2901-48a8-823d-affb864f1078",
"w": 24,
- "x": 0,
- "y": 87
+ "x": 24,
+ "y": 122
},
- "panelIndex": "90e8066a-f9fb-405f-85ba-c0456fcd055a",
+ "panelIndex": "8f853d89-2901-48a8-823d-affb864f1078",
+ "title": "Query duration by WLM queue",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -2049,7 +1971,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"0a5a3c92-22e8-4794-b07c-78477920697f": {
"columnOrder": [
@@ -2126,6 +2048,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -2142,22 +2065,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Network Receive Throughput"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "83d380db-07a5-45e7-bd97-661c06da0455",
+ "i": "90e8066a-f9fb-405f-85ba-c0456fcd055a",
"w": 24,
- "x": 24,
+ "x": 0,
"y": 87
},
- "panelIndex": "83d380db-07a5-45e7-bd97-661c06da0455",
+ "panelIndex": "90e8066a-f9fb-405f-85ba-c0456fcd055a",
+ "title": "Network Receive Throughput",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -2174,7 +2096,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"b5db7d5d-7e7c-413c-b691-4481bc1ec5e3": {
"columnOrder": [
@@ -2251,6 +2173,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "line",
@@ -2267,32 +2190,37 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Network Transmit Throughput"
+ "gridData": {
+ "h": 15,
+ "i": "83d380db-07a5-45e7-bd97-661c06da0455",
+ "w": 24,
+ "x": 24,
+ "y": 87
+ },
+ "panelIndex": "83d380db-07a5-45e7-bd97-661c06da0455",
+ "title": "Network Transmit Throughput",
+ "type": "lens",
+ "version": "8.8.1"
}
],
"timeRestore": false,
"title": "[Metrics AWS] Redshift metrics overview",
"version": 1
},
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T08:47:59.330Z",
+ "id": "aws-81f2c980-e743-11ec-93f6-9b98f71110cd",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
"references": [
{
"id": "metrics-*",
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern"
},
- {
- "id": "metrics-*",
- "name": "88b83992-1fc4-4509-b89d-2de22163f92c:control_88b83992-1fc4-4509-b89d-2de22163f92c_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "88b83992-1fc4-4509-b89d-2de22163f92c:control_88b83992-1fc4-4509-b89d-2de22163f92c_1_index_pattern",
- "type": "index-pattern"
- },
{
"id": "metrics-*",
"name": "500e407a-5b1e-4963-b229-f14024f7678d:indexpattern-datasource-current-indexpattern",
@@ -2452,10 +2380,17 @@
"id": "metrics-*",
"name": "83d380db-07a5-45e7-bd97-661c06da0455:indexpattern-datasource-layer-b5db7d5d-7e7c-413c-b691-4481bc1ec5e3",
"type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_8e87fad0-fc18-4bf8-862b-e015f6b6588b:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_8606570c-7081-4ba2-94e9-c553d33c2acf:optionsListDataView",
+ "type": "index-pattern"
}
],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/aws/kibana/dashboard/aws-a4482820-03aa-11ee-84d4-7f15bab18041.json b/packages/aws/kibana/dashboard/aws-a4482820-03aa-11ee-84d4-7f15bab18041.json
index e4f79abd49c..3d7c2156f1b 100644
--- a/packages/aws/kibana/dashboard/aws-a4482820-03aa-11ee-84d4-7f15bab18041.json
+++ b/packages/aws/kibana/dashboard/aws-a4482820-03aa-11ee-84d4-7f15bab18041.json
@@ -4,16 +4,36 @@
"chainingSystem": "HIERARCHICAL",
"controlStyle": "oneLine",
"ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
- "panelsJSON": "{\"9edfaf7a-7867-4413-84df-4648537b365a\":{\"order\":0,\"width\":\"medium\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"AWS Region\",\"id\":\"9edfaf7a-7867-4413-84df-4648537b365a\",\"enhancements\":{}}}}"
+ "panelsJSON": "{\"9edfaf7a-7867-4413-84df-4648537b365a\":{\"order\":3,\"width\":\"medium\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"AWS Region\",\"id\":\"9edfaf7a-7867-4413-84df-4648537b365a\",\"enhancements\":{}}},\"f72aa0d1-b9b2-4817-951d-60259a5f9bb0\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"f72aa0d1-b9b2-4817-951d-60259a5f9bb0\",\"fieldName\":\"aws.dimensions.ApiId\",\"title\":\"API ID\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"729df68e-b651-4e0a-8b7b-d025a3d7fb05\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"729df68e-b651-4e0a-8b7b-d025a3d7fb05\",\"fieldName\":\"aws.dimensions.ApiName\",\"title\":\"API Name\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}},\"fd2f10f0-1233-42e4-8dcf-af0a9676ea7c\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"fd2f10f0-1233-42e4-8dcf-af0a9676ea7c\",\"fieldName\":\"aws.dimensions.Stage\",\"title\":\"Stage\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}}}"
},
"description": "Overview of AWS API Gateway Metrics",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
- "filter": [],
"query": {
- "language": "kuery",
- "query": ""
- }
+ "query": "",
+ "language": "kuery"
+ },
+ "filter": [
+ {
+ "meta": {
+ "disabled": false,
+ "negate": false,
+ "alias": null,
+ "key": "aws.dimensions.Stage",
+ "field": "aws.dimensions.Stage",
+ "type": "exists",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
+ },
+ "query": {
+ "exists": {
+ "field": "aws.dimensions.Stage"
+ }
+ },
+ "$state": {
+ "store": "appState"
+ }
+ }
+ ]
}
},
"optionsJSON": {
@@ -25,12 +45,22 @@
},
"panelsJSON": [
{
+ "version": "8.9.0",
+ "type": "lens",
+ "gridData": {
+ "x": 0,
+ "y": 0,
+ "w": 16,
+ "h": 13,
+ "i": "36a3594d-c18b-4d09-ae87-7561750822ae"
+ },
+ "panelIndex": "36a3594d-c18b-4d09-ae87-7561750822ae",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -49,8 +79,8 @@
"11242c77-c1e8-482f-a8ab-d14342367450": {
"dataType": "number",
"isBucketed": false,
- "label": "Count of aws.apigateway.metrics.Count.sum",
- "operationType": "count",
+ "label": "Sum of aws.apigateway.metrics.Count.sum",
+ "operationType": "sum",
"params": {
"emptyAsNull": true
},
@@ -148,25 +178,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[REST] Count"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "36a3594d-c18b-4d09-ae87-7561750822ae",
+ "x": 16,
+ "y": 0,
"w": 16,
- "x": 0,
- "y": 0
+ "h": 13,
+ "i": "b2ece1d0-652f-481e-9dec-ae411c897a44"
},
- "panelIndex": "36a3594d-c18b-4d09-ae87-7561750822ae",
- "title": "[REST] Count",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "b2ece1d0-652f-481e-9dec-ae411c897a44",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-f9ae930c-999d-4b82-a9ce-01d6237fa03c",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -286,25 +316,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[REST] 4XX Error"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "b2ece1d0-652f-481e-9dec-ae411c897a44",
+ "x": 32,
+ "y": 0,
"w": 16,
- "x": 16,
- "y": 0
+ "h": 13,
+ "i": "e970e1a1-b243-46e0-b200-2cf787f26561"
},
- "panelIndex": "b2ece1d0-652f-481e-9dec-ae411c897a44",
- "title": "[REST] 4XX Error",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "e970e1a1-b243-46e0-b200-2cf787f26561",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-48d7bfc9-ad80-47ac-974e-a265b9c3af45",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -336,8 +366,8 @@
"90c328ce-f5c8-48a0-8545-57ea1ec6d7fe": {
"dataType": "number",
"isBucketed": false,
- "label": "Median of aws.apigateway.metrics.5XXError.sum",
- "operationType": "median",
+ "label": "Sum of aws.apigateway.metrics.5XXError.sum",
+ "operationType": "sum",
"params": {
"emptyAsNull": true
},
@@ -422,25 +452,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[REST] 5XX Error"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
+ "x": 0,
+ "y": 13,
+ "w": 24,
"h": 13,
- "i": "e970e1a1-b243-46e0-b200-2cf787f26561",
- "w": 16,
- "x": 32,
- "y": 0
+ "i": "8b56a477-3e09-4bb0-94c3-9add2e443772"
},
- "panelIndex": "e970e1a1-b243-46e0-b200-2cf787f26561",
- "title": "[REST] 5XX Error",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "8b56a477-3e09-4bb0-94c3-9add2e443772",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -564,25 +594,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[REST] Latency"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "8b56a477-3e09-4bb0-94c3-9add2e443772",
+ "x": 24,
+ "y": 13,
"w": 24,
- "x": 0,
- "y": 13
+ "h": 13,
+ "i": "51e609da-7bb4-4579-843f-88e9748e0982"
},
- "panelIndex": "8b56a477-3e09-4bb0-94c3-9add2e443772",
- "title": "[REST] Latency",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "51e609da-7bb4-4579-843f-88e9748e0982",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -706,25 +736,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[REST] Integration Latency"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "51e609da-7bb4-4579-843f-88e9748e0982",
+ "x": 0,
+ "y": 26,
"w": 24,
- "x": 24,
- "y": 13
+ "h": 13,
+ "i": "eb48842e-d380-4291-aa03-47960594babd"
},
- "panelIndex": "51e609da-7bb4-4579-843f-88e9748e0982",
- "title": "[REST] Integration Latency",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "eb48842e-d380-4291-aa03-47960594babd",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -841,25 +871,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[REST] Cache Hit Count"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "eb48842e-d380-4291-aa03-47960594babd",
+ "x": 24,
+ "y": 26,
"w": 24,
- "x": 0,
- "y": 26
+ "h": 13,
+ "i": "a1ef019a-60b1-41d9-845c-cecc5f0450c5"
},
- "panelIndex": "eb48842e-d380-4291-aa03-47960594babd",
- "title": "[REST] Cache Hit Count",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "a1ef019a-60b1-41d9-845c-cecc5f0450c5",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -976,25 +1006,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[REST] Cache Miss Count"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "a1ef019a-60b1-41d9-845c-cecc5f0450c5",
+ "x": 0,
+ "y": 39,
"w": 24,
- "x": 24,
- "y": 26
+ "h": 12,
+ "i": "070fab3f-bc1d-4ac3-830a-97a86f9a277f"
},
- "panelIndex": "a1ef019a-60b1-41d9-845c-cecc5f0450c5",
- "title": "[REST] Cache Miss Count",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "070fab3f-bc1d-4ac3-830a-97a86f9a277f",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -1013,8 +1043,8 @@
"11242c77-c1e8-482f-a8ab-d14342367450": {
"dataType": "number",
"isBucketed": false,
- "label": "Count of aws.apigateway.metrics.Count.sum",
- "operationType": "count",
+ "label": "Sum of aws.apigateway.metrics.Count.sum",
+ "operationType": "sum",
"params": {
"emptyAsNull": true
},
@@ -1111,25 +1141,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[HTTP] Count"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 12,
- "i": "070fab3f-bc1d-4ac3-830a-97a86f9a277f",
+ "x": 24,
+ "y": 39,
"w": 24,
- "x": 0,
- "y": 39
+ "h": 12,
+ "i": "de3fd32b-c351-4b26-8c9d-84ce99ed24b5"
},
- "panelIndex": "070fab3f-bc1d-4ac3-830a-97a86f9a277f",
- "title": "[HTTP] Count",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "de3fd32b-c351-4b26-8c9d-84ce99ed24b5",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-da960427-d6bb-4f17-a5ac-9be25356186a",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -1247,25 +1277,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[HTTP] Data Processed"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 12,
- "i": "de3fd32b-c351-4b26-8c9d-84ce99ed24b5",
+ "x": 0,
+ "y": 51,
"w": 24,
- "x": 24,
- "y": 39
+ "h": 13,
+ "i": "4979b1bc-45c5-4164-9887-498b4f893513"
},
- "panelIndex": "de3fd32b-c351-4b26-8c9d-84ce99ed24b5",
- "title": "[HTTP] Data Processed",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "4979b1bc-45c5-4164-9887-498b4f893513",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -1389,25 +1419,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[HTTP] Latency"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "4979b1bc-45c5-4164-9887-498b4f893513",
+ "x": 24,
+ "y": 51,
"w": 24,
- "x": 0,
- "y": 51
+ "h": 13,
+ "i": "3aa94e06-0dfe-4ae2-93e8-be0627ab841e"
},
- "panelIndex": "4979b1bc-45c5-4164-9887-498b4f893513",
- "title": "[HTTP] Latency",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "3aa94e06-0dfe-4ae2-93e8-be0627ab841e",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -1531,25 +1561,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[HTTP] Integration Latency"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "3aa94e06-0dfe-4ae2-93e8-be0627ab841e",
+ "x": 0,
+ "y": 64,
"w": 24,
- "x": 24,
- "y": 51
+ "h": 13,
+ "i": "dc9f0691-ccda-4403-8158-c6191d5090eb"
},
- "panelIndex": "3aa94e06-0dfe-4ae2-93e8-be0627ab841e",
- "title": "[HTTP] Integration Latency",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "dc9f0691-ccda-4403-8158-c6191d5090eb",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-5e9706cb-90ee-4f08-af6a-f2a8048628af",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -1607,8 +1637,8 @@
"cd10361b-ce2e-454c-8612-6be186ffefac": {
"dataType": "number",
"isBucketed": false,
- "label": "Median of aws.apigateway.metrics.4xx.sum",
- "operationType": "median",
+ "label": "Sum of aws.apigateway.metrics.4xx.sum",
+ "operationType": "sum",
"params": {
"emptyAsNull": true
},
@@ -1668,25 +1698,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[HTTP] 4XX Error"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "dc9f0691-ccda-4403-8158-c6191d5090eb",
+ "x": 24,
+ "y": 64,
"w": 24,
- "x": 0,
- "y": 64
+ "h": 13,
+ "i": "98f24465-f278-4e2c-93db-9112014a449e"
},
- "panelIndex": "dc9f0691-ccda-4403-8158-c6191d5090eb",
- "title": "[HTTP] 4XX Error",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "98f24465-f278-4e2c-93db-9112014a449e",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-da960427-d6bb-4f17-a5ac-9be25356186a",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -1705,8 +1735,8 @@
"53bb15bf-1d19-4aaa-be68-5015b194e60b": {
"dataType": "number",
"isBucketed": false,
- "label": "Median of aws.apigateway.metrics.5xx.sum",
- "operationType": "median",
+ "label": "Sum of aws.apigateway.metrics.5xx.sum",
+ "operationType": "sum",
"params": {
"emptyAsNull": true
},
@@ -1804,25 +1834,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[HTTP] 5XX Error"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "98f24465-f278-4e2c-93db-9112014a449e",
+ "x": 0,
+ "y": 77,
"w": 24,
- "x": 24,
- "y": 64
+ "h": 12,
+ "i": "bfa3b44b-89ba-43e4-99b7-02ab03bd0a72"
},
- "panelIndex": "98f24465-f278-4e2c-93db-9112014a449e",
- "title": "[HTTP] 5XX Error",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "bfa3b44b-89ba-43e4-99b7-02ab03bd0a72",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -1940,25 +1970,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[WebSocket] Connect Count"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 12,
- "i": "bfa3b44b-89ba-43e4-99b7-02ab03bd0a72",
+ "x": 24,
+ "y": 77,
"w": 24,
- "x": 0,
- "y": 77
+ "h": 12,
+ "i": "bf18dbe6-4dcb-4145-a699-bdd859a7ba99"
},
- "panelIndex": "bfa3b44b-89ba-43e4-99b7-02ab03bd0a72",
- "title": "[WebSocket] Connect Count",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "bf18dbe6-4dcb-4145-a699-bdd859a7ba99",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -2076,25 +2106,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[WebSocket] Message Count"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 12,
- "i": "bf18dbe6-4dcb-4145-a699-bdd859a7ba99",
+ "x": 0,
+ "y": 89,
"w": 24,
- "x": 24,
- "y": 77
+ "h": 13,
+ "i": "8773ffcd-1b64-4784-8271-ba54e73eb63d"
},
- "panelIndex": "bf18dbe6-4dcb-4145-a699-bdd859a7ba99",
- "title": "[WebSocket] Message Count",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "8773ffcd-1b64-4784-8271-ba54e73eb63d",
"embeddableConfig": {
"attributes": {
"references": [
{
+ "name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"id": "metrics-*",
- "name": "indexpattern-datasource-layer-56b0bb53-472a-48f9-bc07-b3c340f5a74e",
"type": "index-pattern"
}
],
@@ -2103,49 +2133,18 @@
"datasourceStates": {
"formBased": {
"layers": {
- "56b0bb53-472a-48f9-bc07-b3c340f5a74e": {
+ "2cfef95f-fa80-4a29-b211-9874dba1c2bb": {
"columnOrder": [
- "dc78b53d-e3d1-442e-a751-07556c6f9656",
- "57b02865-fe07-4419-b48a-2f1d42a80e75",
- "10f58695-52de-4d25-ba4b-71441b986e85"
+ "23c27e1f-f9a4-4abb-9732-aeca6f42070d",
+ "3d7acb77-f3cc-4fea-bf5a-f1975f3be254",
+ "88f0a2a6-8f91-47a7-8b7d-ae008db08c21"
],
"columns": {
- "10f58695-52de-4d25-ba4b-71441b986e85": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Average of aws.apigateway.metrics.Latency.avg",
- "operationType": "average",
- "params": {
- "emptyAsNull": true,
- "format": {
- "id": "number",
- "params": {
- "decimals": 2,
- "suffix": "ms"
- }
- }
- },
- "scale": "ratio",
- "sourceField": "aws.apigateway.metrics.Latency.avg"
- },
- "57b02865-fe07-4419-b48a-2f1d42a80e75": {
- "dataType": "date",
+ "23c27e1f-f9a4-4abb-9732-aeca6f42070d": {
+ "dataType": "string",
"isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "dropPartials": false,
- "includeEmptyRows": true,
- "interval": "60m"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "dc78b53d-e3d1-442e-a751-07556c6f9656": {
- "dataType": "string",
- "isBucketed": true,
- "label": "Top 10 values of aws.dimensions.ApiId",
- "operationType": "terms",
+ "label": "Top 10 values of aws.dimensions.ApiId",
+ "operationType": "terms",
"params": {
"exclude": [],
"excludeIsRegex": false,
@@ -2153,7 +2152,7 @@
"includeIsRegex": false,
"missingBucket": false,
"orderBy": {
- "columnId": "10f58695-52de-4d25-ba4b-71441b986e85",
+ "columnId": "88f0a2a6-8f91-47a7-8b7d-ae008db08c21",
"type": "column"
},
"orderDirection": "desc",
@@ -2161,10 +2160,42 @@
"parentFormat": {
"id": "terms"
},
+ "secondaryFields": [],
"size": 10
},
"scale": "ordinal",
"sourceField": "aws.dimensions.ApiId"
+ },
+ "3d7acb77-f3cc-4fea-bf5a-f1975f3be254": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "60s"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "88f0a2a6-8f91-47a7-8b7d-ae008db08c21": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average of aws.apigateway.metrics.IntegrationLatency.avg",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 2,
+ "suffix": "ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "aws.apigateway.metrics.IntegrationLatency.avg"
}
},
"incompleteColumns": {},
@@ -2191,25 +2222,24 @@
"layers": [
{
"accessors": [
- "10f58695-52de-4d25-ba4b-71441b986e85"
+ "88f0a2a6-8f91-47a7-8b7d-ae008db08c21"
],
- "layerId": "56b0bb53-472a-48f9-bc07-b3c340f5a74e",
+ "layerId": "2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"layerType": "data",
"position": "top",
"seriesType": "line",
"showGridlines": false,
- "splitAccessor": "dc78b53d-e3d1-442e-a751-07556c6f9656",
- "xAccessor": "57b02865-fe07-4419-b48a-2f1d42a80e75"
+ "splitAccessor": "23c27e1f-f9a4-4abb-9732-aeca6f42070d",
+ "xAccessor": "3d7acb77-f3cc-4fea-bf5a-f1975f3be254"
}
],
"legend": {
"isVisible": true,
"position": "right"
},
- "preferredSeriesType": "bar_stacked",
+ "preferredSeriesType": "line",
"title": "Empty XY chart",
- "valueLabels": "hide",
- "yTitle": ""
+ "valueLabels": "hide"
}
},
"title": "",
@@ -2219,25 +2249,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[WebSocket] Integration Latency"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "8aa530e9-cf48-4966-b829-6e856d749ef9",
+ "x": 24,
+ "y": 89,
"w": 24,
- "x": 0,
- "y": 89
+ "h": 13,
+ "i": "55f916cb-6995-4565-98d0-d88b442fe88e"
},
- "panelIndex": "8aa530e9-cf48-4966-b829-6e856d749ef9",
- "title": "[WebSocket] Latency",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "55f916cb-6995-4565-98d0-d88b442fe88e",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -2295,20 +2325,13 @@
"88f0a2a6-8f91-47a7-8b7d-ae008db08c21": {
"dataType": "number",
"isBucketed": false,
- "label": "Average of aws.apigateway.metrics.IntegrationLatency.avg",
- "operationType": "average",
+ "label": "Sum of aws.apigateway.metrics.IntegrationError.sum",
+ "operationType": "sum",
"params": {
- "emptyAsNull": true,
- "format": {
- "id": "number",
- "params": {
- "decimals": 2,
- "suffix": "ms"
- }
- }
+ "emptyAsNull": true
},
"scale": "ratio",
- "sourceField": "aws.apigateway.metrics.IntegrationLatency.avg"
+ "sourceField": "aws.apigateway.metrics.IntegrationError.sum"
}
},
"incompleteColumns": {},
@@ -2362,25 +2385,25 @@
"enhancements": {},
"hidePanelTitles": false
},
+ "title": "[WebSocket] Integration Error"
+ },
+ {
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
- "h": 13,
- "i": "8773ffcd-1b64-4784-8271-ba54e73eb63d",
+ "x": 0,
+ "y": 102,
"w": 24,
- "x": 24,
- "y": 89
+ "h": 13,
+ "i": "1f4e10e2-b08d-4ad1-9991-9e76c0485cc1"
},
- "panelIndex": "8773ffcd-1b64-4784-8271-ba54e73eb63d",
- "title": "[WebSocket] Integration Latency",
- "type": "lens",
- "version": "8.7.1"
- },
- {
+ "panelIndex": "1f4e10e2-b08d-4ad1-9991-9e76c0485cc1",
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-8e802b8a-241a-42a9-b6fe-64d720488b94",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -2498,161 +2521,25 @@
"enhancements": {},
"hidePanelTitles": false
},
- "gridData": {
- "h": 13,
- "i": "1f4e10e2-b08d-4ad1-9991-9e76c0485cc1",
- "w": 16,
- "x": 0,
- "y": 102
- },
- "panelIndex": "1f4e10e2-b08d-4ad1-9991-9e76c0485cc1",
- "title": "[WebSocket] Client Error",
- "type": "lens",
- "version": "8.7.1"
+ "title": "[WebSocket] Client Error"
},
{
- "embeddableConfig": {
- "attributes": {
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
- "type": "index-pattern"
- }
- ],
- "state": {
- "adHocDataViews": {},
- "datasourceStates": {
- "formBased": {
- "layers": {
- "2cfef95f-fa80-4a29-b211-9874dba1c2bb": {
- "columnOrder": [
- "23c27e1f-f9a4-4abb-9732-aeca6f42070d",
- "3d7acb77-f3cc-4fea-bf5a-f1975f3be254",
- "88f0a2a6-8f91-47a7-8b7d-ae008db08c21"
- ],
- "columns": {
- "23c27e1f-f9a4-4abb-9732-aeca6f42070d": {
- "dataType": "string",
- "isBucketed": true,
- "label": "Top 10 values of aws.dimensions.ApiId",
- "operationType": "terms",
- "params": {
- "exclude": [],
- "excludeIsRegex": false,
- "include": [],
- "includeIsRegex": false,
- "missingBucket": false,
- "orderBy": {
- "columnId": "88f0a2a6-8f91-47a7-8b7d-ae008db08c21",
- "type": "column"
- },
- "orderDirection": "desc",
- "otherBucket": true,
- "parentFormat": {
- "id": "terms"
- },
- "secondaryFields": [],
- "size": 10
- },
- "scale": "ordinal",
- "sourceField": "aws.dimensions.ApiId"
- },
- "3d7acb77-f3cc-4fea-bf5a-f1975f3be254": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "dropPartials": false,
- "includeEmptyRows": true,
- "interval": "60s"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "88f0a2a6-8f91-47a7-8b7d-ae008db08c21": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Sum of aws.apigateway.metrics.ExecutionError.sum",
- "operationType": "sum",
- "params": {
- "emptyAsNull": true
- },
- "scale": "ratio",
- "sourceField": "aws.apigateway.metrics.ExecutionError.sum"
- }
- },
- "incompleteColumns": {},
- "sampling": 1
- }
- }
- },
- "textBased": {
- "layers": {}
- }
- },
- "filters": [],
- "internalReferences": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": false,
- "yRight": true
- },
- "layers": [
- {
- "accessors": [
- "88f0a2a6-8f91-47a7-8b7d-ae008db08c21"
- ],
- "layerId": "2cfef95f-fa80-4a29-b211-9874dba1c2bb",
- "layerType": "data",
- "position": "top",
- "seriesType": "line",
- "showGridlines": false,
- "splitAccessor": "23c27e1f-f9a4-4abb-9732-aeca6f42070d",
- "xAccessor": "3d7acb77-f3cc-4fea-bf5a-f1975f3be254"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
- },
- "preferredSeriesType": "line",
- "title": "Empty XY chart",
- "valueLabels": "hide"
- }
- },
- "title": "",
- "type": "lens",
- "visualizationType": "lnsXY"
- },
- "enhancements": {},
- "hidePanelTitles": false
- },
+ "version": "8.9.0",
+ "type": "lens",
"gridData": {
+ "x": 24,
+ "y": 102,
+ "w": 24,
"h": 13,
- "i": "c2039848-87fc-4336-8f9c-c1f3195029d1",
- "w": 16,
- "x": 16,
- "y": 102
+ "i": "c2039848-87fc-4336-8f9c-c1f3195029d1"
},
"panelIndex": "c2039848-87fc-4336-8f9c-c1f3195029d1",
- "title": "[WebSocket] Execution Error",
- "type": "lens",
- "version": "8.7.1"
- },
- {
"embeddableConfig": {
"attributes": {
"references": [
{
- "id": "metrics-*",
"name": "indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
+ "id": "metrics-*",
"type": "index-pattern"
}
],
@@ -2710,13 +2597,13 @@
"88f0a2a6-8f91-47a7-8b7d-ae008db08c21": {
"dataType": "number",
"isBucketed": false,
- "label": "Sum of aws.apigateway.metrics.IntegrationError.sum",
+ "label": "Sum of aws.apigateway.metrics.ExecutionError.sum",
"operationType": "sum",
"params": {
"emptyAsNull": true
},
"scale": "ratio",
- "sourceField": "aws.apigateway.metrics.IntegrationError.sum"
+ "sourceField": "aws.apigateway.metrics.ExecutionError.sum"
}
},
"incompleteColumns": {},
@@ -2770,17 +2657,7 @@
"enhancements": {},
"hidePanelTitles": false
},
- "gridData": {
- "h": 13,
- "i": "55f916cb-6995-4565-98d0-d88b442fe88e",
- "w": 16,
- "x": 32,
- "y": 102
- },
- "panelIndex": "55f916cb-6995-4565-98d0-d88b442fe88e",
- "title": "[WebSocket] Integration Error",
- "type": "lens",
- "version": "8.7.1"
+ "title": "[WebSocket] Execution Error"
}
],
"timeRestore": false,
@@ -2795,109 +2672,124 @@
},
"references": [
{
- "id": "metrics-*",
- "name": "36a3594d-c18b-4d09-ae87-7561750822ae:indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
- "type": "index-pattern"
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern",
+ "id": "metrics-*"
},
{
+ "name": "36a3594d-c18b-4d09-ae87-7561750822ae:indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
"id": "metrics-*",
- "name": "b2ece1d0-652f-481e-9dec-ae411c897a44:indexpattern-datasource-layer-f9ae930c-999d-4b82-a9ce-01d6237fa03c",
"type": "index-pattern"
},
{
+ "name": "b2ece1d0-652f-481e-9dec-ae411c897a44:indexpattern-datasource-layer-f9ae930c-999d-4b82-a9ce-01d6237fa03c",
"id": "metrics-*",
- "name": "e970e1a1-b243-46e0-b200-2cf787f26561:indexpattern-datasource-layer-48d7bfc9-ad80-47ac-974e-a265b9c3af45",
"type": "index-pattern"
},
{
+ "name": "e970e1a1-b243-46e0-b200-2cf787f26561:indexpattern-datasource-layer-48d7bfc9-ad80-47ac-974e-a265b9c3af45",
"id": "metrics-*",
- "name": "8b56a477-3e09-4bb0-94c3-9add2e443772:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"type": "index-pattern"
},
{
+ "name": "8b56a477-3e09-4bb0-94c3-9add2e443772:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"id": "metrics-*",
- "name": "51e609da-7bb4-4579-843f-88e9748e0982:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"type": "index-pattern"
},
{
+ "name": "51e609da-7bb4-4579-843f-88e9748e0982:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"id": "metrics-*",
- "name": "eb48842e-d380-4291-aa03-47960594babd:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"type": "index-pattern"
},
{
+ "name": "eb48842e-d380-4291-aa03-47960594babd:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"id": "metrics-*",
- "name": "a1ef019a-60b1-41d9-845c-cecc5f0450c5:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"type": "index-pattern"
},
{
+ "name": "a1ef019a-60b1-41d9-845c-cecc5f0450c5:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"id": "metrics-*",
- "name": "070fab3f-bc1d-4ac3-830a-97a86f9a277f:indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
"type": "index-pattern"
},
{
+ "name": "070fab3f-bc1d-4ac3-830a-97a86f9a277f:indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
"id": "metrics-*",
- "name": "de3fd32b-c351-4b26-8c9d-84ce99ed24b5:indexpattern-datasource-layer-da960427-d6bb-4f17-a5ac-9be25356186a",
"type": "index-pattern"
},
{
+ "name": "de3fd32b-c351-4b26-8c9d-84ce99ed24b5:indexpattern-datasource-layer-da960427-d6bb-4f17-a5ac-9be25356186a",
"id": "metrics-*",
- "name": "4979b1bc-45c5-4164-9887-498b4f893513:indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
"type": "index-pattern"
},
{
+ "name": "4979b1bc-45c5-4164-9887-498b4f893513:indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
"id": "metrics-*",
- "name": "3aa94e06-0dfe-4ae2-93e8-be0627ab841e:indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
"type": "index-pattern"
},
{
+ "name": "3aa94e06-0dfe-4ae2-93e8-be0627ab841e:indexpattern-datasource-layer-ff2c6fd1-df0b-409d-a7e7-033a129edba3",
"id": "metrics-*",
- "name": "dc9f0691-ccda-4403-8158-c6191d5090eb:indexpattern-datasource-layer-5e9706cb-90ee-4f08-af6a-f2a8048628af",
"type": "index-pattern"
},
{
+ "name": "dc9f0691-ccda-4403-8158-c6191d5090eb:indexpattern-datasource-layer-5e9706cb-90ee-4f08-af6a-f2a8048628af",
"id": "metrics-*",
- "name": "98f24465-f278-4e2c-93db-9112014a449e:indexpattern-datasource-layer-da960427-d6bb-4f17-a5ac-9be25356186a",
"type": "index-pattern"
},
{
+ "name": "98f24465-f278-4e2c-93db-9112014a449e:indexpattern-datasource-layer-da960427-d6bb-4f17-a5ac-9be25356186a",
"id": "metrics-*",
- "name": "bfa3b44b-89ba-43e4-99b7-02ab03bd0a72:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"type": "index-pattern"
},
{
+ "name": "bfa3b44b-89ba-43e4-99b7-02ab03bd0a72:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"id": "metrics-*",
- "name": "bf18dbe6-4dcb-4145-a699-bdd859a7ba99:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"type": "index-pattern"
},
{
+ "name": "bf18dbe6-4dcb-4145-a699-bdd859a7ba99:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"id": "metrics-*",
- "name": "8aa530e9-cf48-4966-b829-6e856d749ef9:indexpattern-datasource-layer-56b0bb53-472a-48f9-bc07-b3c340f5a74e",
"type": "index-pattern"
},
{
- "id": "metrics-*",
"name": "8773ffcd-1b64-4784-8271-ba54e73eb63d:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
+ "id": "metrics-*",
"type": "index-pattern"
},
{
+ "name": "55f916cb-6995-4565-98d0-d88b442fe88e:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"id": "metrics-*",
- "name": "1f4e10e2-b08d-4ad1-9991-9e76c0485cc1:indexpattern-datasource-layer-8e802b8a-241a-42a9-b6fe-64d720488b94",
"type": "index-pattern"
},
{
+ "name": "1f4e10e2-b08d-4ad1-9991-9e76c0485cc1:indexpattern-datasource-layer-8e802b8a-241a-42a9-b6fe-64d720488b94",
"id": "metrics-*",
- "name": "c2039848-87fc-4336-8f9c-c1f3195029d1:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"type": "index-pattern"
},
{
+ "name": "c2039848-87fc-4336-8f9c-c1f3195029d1:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"id": "metrics-*",
- "name": "55f916cb-6995-4565-98d0-d88b442fe88e:indexpattern-datasource-layer-2cfef95f-fa80-4a29-b211-9874dba1c2bb",
"type": "index-pattern"
},
{
- "id": "metrics-*",
"name": "controlGroup_9edfaf7a-7867-4413-84df-4648537b365a:optionsListDataView",
- "type": "index-pattern"
+ "type": "index-pattern",
+ "id": "metrics-*"
+ },
+ {
+ "name": "controlGroup_f72aa0d1-b9b2-4817-951d-60259a5f9bb0:optionsListDataView",
+ "type": "index-pattern",
+ "id": "metrics-*"
+ },
+ {
+ "name": "controlGroup_729df68e-b651-4e0a-8b7b-d025a3d7fb05:optionsListDataView",
+ "type": "index-pattern",
+ "id": "metrics-*"
+ },
+ {
+ "name": "controlGroup_fd2f10f0-1233-42e4-8dcf-af0a9676ea7c:optionsListDataView",
+ "type": "index-pattern",
+ "id": "metrics-*"
}
],
"type": "dashboard"
diff --git a/packages/aws/kibana/dashboard/aws-c2b1cbc0-6891-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/kibana/dashboard/aws-c2b1cbc0-6891-11ea-b0ac-95d4ecb1fecd.json
index 5178c69b2e3..abdc7e108d4 100644
--- a/packages/aws/kibana/dashboard/aws-c2b1cbc0-6891-11ea-b0ac-95d4ecb1fecd.json
+++ b/packages/aws/kibana/dashboard/aws-c2b1cbc0-6891-11ea-b0ac-95d4ecb1fecd.json
@@ -90,7 +90,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "2be82836-3227-41d5-8ad2-f7b666330f2e",
"layerType": "data",
"metricAccessor": "921ab0b9-2a39-4b9a-9a9f-fc9cf0db58ac"
@@ -305,7 +304,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "c49d4404-7e1d-47b8-a6f7-0c5c67eddc0d",
"layerType": "data",
"metricAccessor": "b09057e6-1cb6-40b0-b671-fa5f75f49c88"
@@ -377,7 +375,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "daa7ca03-5ead-495d-8eac-80aa3d03f95f",
"layerType": "data",
"metricAccessor": "00722a15-cbac-4ddb-a505-b60f4003070c",
diff --git a/packages/aws/kibana/dashboard/aws-c5846400-f7fb-11e8-af03-c999c9dea608.json b/packages/aws/kibana/dashboard/aws-c5846400-f7fb-11e8-af03-c999c9dea608.json
index 134f66e5dc5..f06105b7103 100644
--- a/packages/aws/kibana/dashboard/aws-c5846400-f7fb-11e8-af03-c999c9dea608.json
+++ b/packages/aws/kibana/dashboard/aws-c5846400-f7fb-11e8-af03-c999c9dea608.json
@@ -231,7 +231,7 @@
}
},
"scale": "ratio",
- "sourceField": "aws.ec2.status.check_failed"
+ "sourceField": "aws.ec2.metrics.StatusCheckFailed.avg"
}
},
"incompleteColumns": {}
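Review bot: The new `sourceField` of `aws.ec2.metrics.StatusCheckFailed.avg` is a field rename, so documents indexed under the old `aws.ec2.status.check_failed` name will silently drop out of this metric rather than fail visibly; a note in the package changelog about the minimum data/agent version that emits the new field would make that expectation explicit. The column's `label` (and any `format`) for this Lens column sits above the hunk and is not touched here — if it still reads `... of aws.ec2.status.check_failed` the panel title/tooltip will name a field that no longer feeds it, so confirm it was updated too. `StatusCheckFailed` is presumably a 0/1 per-instance CloudWatch metric, in which case the `.avg` statistic gives a fraction of the period rather than a count of failing instances; if the panel is meant to show "instances with failed checks", the `.max` variant (or a sum) may be the intended field — worth confirming against the metric definition, as the hunk does not show the aggregation used.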
@@ -249,7 +249,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "9c4853fc-7664-4b48-97c4-856bc94b6889",
"layerType": "data",
"metricAccessor": "ec85ba57-c17c-417d-9d1d-2b84ad163643"
diff --git a/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json b/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json
index b3db2c6fbd4..7459927808c 100644
--- a/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json
+++ b/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json
@@ -7,7 +7,6 @@
"panelsJSON": "{\"d620f0d7-381f-456f-8660-a6e6838e34fc\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"data_stream.dataset\",\"title\":\"Integrations\",\"id\":\"d620f0d7-381f-456f-8660-a6e6838e34fc\",\"enhancements\":{},\"selectedOptions\":[]}},\"f7d8c037-280e-4387-84e2-fa76ee6124da\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"aws.securityhub_findings.region\",\"title\":\"Region\",\"id\":\"f7d8c037-280e-4387-84e2-fa76ee6124da\",\"enhancements\":{},\"selectedOptions\":[]}},\"c819da49-49e8-4460-8329-8521d7f8ac8a\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.account.id\",\"title\":\"Account\",\"id\":\"c819da49-49e8-4460-8329-8521d7f8ac8a\",\"enhancements\":{},\"selectedOptions\":[]}}}"
},
"description": "AWS Security Hub Findings Summary",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
@@ -41,6 +40,9 @@
},
"optionsJSON": {
"hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
@@ -79,7 +81,7 @@
},
"panelIndex": "cc027475-1e31-4ccf-bdd7-9655809a1c30",
"type": "visualization",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -93,7 +95,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"4b9a3fe3-f262-48c5-97cd-3f32f2264fdb": {
"columnOrder": [
@@ -150,15 +152,17 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
- "fb8cd887-3cd0-45c3-8aed-262a64d6b8b3"
- ],
"layerId": "4b9a3fe3-f262-48c5-97cd-3f32f2264fdb",
"layerType": "data",
"legendDisplay": "default",
- "metric": "7bcad210-7a5d-4afe-94ea-942f04dc5e68",
+ "metrics": [
+ "7bcad210-7a5d-4afe-94ea-942f04dc5e68"
+ ],
"nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "fb8cd887-3cd0-45c3-8aed-262a64d6b8b3"
+ ]
}
],
"shape": "donut"
@@ -181,7 +185,7 @@
"panelIndex": "146c2ac6-d83d-4fcb-808a-d24c2762f45c",
"title": "Distribution of Events by Account [Logs AWS]",
"type": "lens",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -195,7 +199,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"45c33cba-b3b0-45a4-91f3-a13600dbfdcc": {
"columnOrder": [
@@ -251,15 +255,17 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
- "6d202975-b109-4e8b-a047-019162160e00"
- ],
"layerId": "45c33cba-b3b0-45a4-91f3-a13600dbfdcc",
"layerType": "data",
"legendDisplay": "default",
- "metric": "25539159-d53b-4507-9e4b-e5aa60e46960",
+ "metrics": [
+ "25539159-d53b-4507-9e4b-e5aa60e46960"
+ ],
"nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "6d202975-b109-4e8b-a047-019162160e00"
+ ]
}
],
"shape": "donut"
@@ -282,7 +288,7 @@
"panelIndex": "2aeb6bda-8e7f-40bf-a8b3-ea8fdee8dea7",
"title": "Distribution of Events by Region [Logs AWS]",
"type": "lens",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -296,7 +302,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"abc2e8dc-c832-4535-bdf4-d39175c25d2e": {
"columnOrder": [
@@ -358,7 +364,7 @@
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetricNew"
+ "visualizationType": "lnsMetric"
},
"enhancements": {},
"hidePanelTitles": false
@@ -373,7 +379,7 @@
"panelIndex": "7a319626-d1c2-4728-9611-3bbea3c850d4",
"title": "Count by Severity [Logs AWS]",
"type": "lens",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -387,7 +393,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"cc8f028d-adf1-46a8-a162-aa6ba2cb8406": {
"columnOrder": [
@@ -449,7 +455,7 @@
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetricNew"
+ "visualizationType": "lnsMetric"
},
"enhancements": {}
},
@@ -462,7 +468,7 @@
},
"panelIndex": "7cb13a54-c41f-4653-be22-340b99b6d83c",
"type": "lens",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -477,7 +483,7 @@
"state": {
"adHocDataViews": {},
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"abc2e8dc-c832-4535-bdf4-d39175c25d2e": {
"columnOrder": [
@@ -602,83 +608,110 @@
"panelIndex": "7c5505a3-f4e0-43af-8e25-260e9e7e8473",
"title": "Distribution of Finding's Severity Over Time [Logs AWS]",
"type": "lens",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "customLabel": "Count",
- "emptyAsNull": false,
- "field": "event.id"
- },
- "schema": "metric",
- "type": "cardinality"
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b6d482c4-5861-4768-a01d-df114f2df10c",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b6d482c4-5861-4768-a01d-df114f2df10c": {
+ "columnOrder": [
+ "d0ce7a75-18da-4c6d-a7a4-f3731fc2c804",
+ "0ca8af2e-f100-4b02-a31d-73cdbbcfef3c"
+ ],
+ "columns": {
+ "0ca8af2e-f100-4b02-a31d-73cdbbcfef3c": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "event.id"
+ },
+ "d0ce7a75-18da-4c6d-a7a4-f3731fc2c804": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Instance ID ",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0ca8af2e-f100-4b02-a31d-73cdbbcfef3c",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "cloud.instance.id"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
},
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Instance ID ",
- "excludeIsRegex": true,
- "field": "cloud.instance.id",
- "includeIsRegex": true,
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10000
- },
- "schema": "bucket",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
+ "textBased": {
+ "layers": {}
}
- }
- },
- "description": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": true,
- "showTotal": false,
- "sort": {
- "columnIndex": null,
- "direction": null
},
- "totalFunc": "sum"
- },
- "title": "",
- "type": "table",
- "uiState": {
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "0ca8af2e-f100-4b02-a31d-73cdbbcfef3c"
+ },
+ {
+ "alignment": "left",
+ "columnId": "d0ce7a75-18da-4c6d-a7a4-f3731fc2c804"
}
- }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "b6d482c4-5861-4768-a01d-df114f2df10c",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
}
- }
- }
+ },
+ "title": "Security Hub - Affected Instance ID [Logs AWS] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 8,
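Review bot: The by-value Lens attributes keep the converter's placeholder title `"Security Hub - Affected Instance ID [Logs AWS] (converted)"`, and the `label` for the terms column keeps the legacy trailing space (`"Instance ID "`); both read as leftovers of the automated conversion rather than intended content. The `(converted)` suffix recurs in the other migrated panels in this diff (Finding Types, Network Direction, Findings, and the untitled panel whose attributes title is "Data table visualization (converted)"), so a single pass dropping it everywhere would keep the asset clean, e.g. `"title": "Security Hub - Affected Instance ID [Logs AWS]"` and `"label": "Instance ID"`. The conversion also flips the count column from the legacy `"emptyAsNull": false` to `"emptyAsNull": true`, which presumably changes an empty result from 0 to a blank cell; if the legacy behaviour was wanted, keep `false`.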
@@ -689,110 +722,142 @@
},
"panelIndex": "d296bb5b-a63d-4931-84aa-d3a2d0fa754d",
"title": "Security Hub - Affected Instance ID [Logs AWS]",
- "type": "visualization",
- "version": "8.4.0"
+ "type": "lens",
+ "version": "8.8.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "emptyAsNull": false
- },
- "schema": "metric",
- "type": "count"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Finding Type",
- "excludeIsRegex": true,
- "field": "aws.securityhub_findings.types",
- "includeIsRegex": true,
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 100
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Severity Label",
- "excludeIsRegex": true,
- "field": "aws.securityhub_findings.severity.label",
- "includeIsRegex": true,
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": true,
- "otherBucketLabel": "Other",
- "size": 100
- },
- "schema": "bucket",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
- }
- }
- },
+ "attributes": {
"description": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": true,
- "showTotal": false,
- "sort": {
- "columnIndex": null,
- "direction": null
- },
- "totalFunc": "sum"
- },
- "type": "table",
- "uiState": {
- "vis": {
- "params": {
- "colWidth": [
- {
- "colIndex": 0,
- "width": 650
- },
- {
- "colIndex": 1,
- "width": 556
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-82d08903-c849-4c8d-b8b8-8fd454fc4ff3",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "82d08903-c849-4c8d-b8b8-8fd454fc4ff3": {
+ "columnOrder": [
+ "ecd5aae0-fa34-4c2d-ae22-1e66e2ddb9cf",
+ "b70803d5-0f60-490c-afb3-b4e00ee6d46c",
+ "b1c7d6c3-1538-4e39-ab0d-0aef9be0b526"
+ ],
+ "columns": {
+ "b1c7d6c3-1538-4e39-ab0d-0aef9be0b526": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "b70803d5-0f60-490c-afb3-b4e00ee6d46c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Severity Label",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b1c7d6c3-1538-4e39-ab0d-0aef9be0b526",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.severity.label"
+ },
+ "ecd5aae0-fa34-4c2d-ae22-1e66e2ddb9cf": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Finding Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b1c7d6c3-1538-4e39-ab0d-0aef9be0b526",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 100
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.types"
+ }
+ },
+ "incompleteColumns": {}
}
- ],
- "sort": {
- "columnIndex": 2,
- "direction": "desc"
}
+ },
+ "textBased": {
+ "layers": {}
}
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "b1c7d6c3-1538-4e39-ab0d-0aef9be0b526"
+ },
+ {
+ "alignment": "left",
+ "columnId": "ecd5aae0-fa34-4c2d-ae22-1e66e2ddb9cf"
+ },
+ {
+ "alignment": "left",
+ "columnId": "b70803d5-0f60-490c-afb3-b4e00ee6d46c"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "82d08903-c849-4c8d-b8b8-8fd454fc4ff3",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
}
- }
- }
+ },
+ "title": "Security Hub - Finding Types [Logs AWS] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
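Review bot: The legacy table's default sort (`"columnIndex": 2, "direction": "desc"` in the removed uiState) and its explicit column widths are not carried into the new Lens `visualization` object, so the Finding Types table will presumably render unsorted with auto widths. If the sorted-by-count view was intended, the Lens datatable state can express it next to `"paging"`, e.g. `"sorting": { "columnId": "b1c7d6c3-1538-4e39-ab0d-0aef9be0b526", "direction": "desc" }`; confirm against the Kibana version this package targets. As in the previous panel, the count column changes from `"emptyAsNull": false` to `true`.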
@@ -803,293 +868,419 @@
},
"panelIndex": "933df910-8ae4-4a4b-9af7-87b30a92d952",
"title": "Security Hub - Finding Types [Logs AWS]",
- "type": "visualization",
- "version": "8.4.0"
+ "type": "lens",
+ "version": "8.8.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "customLabel": "Count",
- "emptyAsNull": false,
- "field": "event.id"
- },
- "schema": "metric",
- "type": "cardinality"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "excludeIsRegex": true,
- "field": "network.direction",
- "includeIsRegex": true,
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 6
- },
- "schema": "bucket",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
- }
- }
- },
+ "attributes": {
"description": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": true,
- "showTotal": false,
- "sort": {
- "columnIndex": null,
- "direction": null
- },
- "totalFunc": "sum"
- },
- "title": "",
- "type": "table",
- "uiState": {
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
- }
- }
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-9ef8c19c-b6ff-405a-9d42-514495ccd36c",
+ "type": "index-pattern"
}
- }
- }
- },
- "gridData": {
- "h": 8,
- "i": "a4cba719-5f51-4090-910f-12e39dc01239",
- "w": 11,
- "x": 0,
- "y": 47
- },
- "panelIndex": "a4cba719-5f51-4090-910f-12e39dc01239",
- "title": "Security Hub - Network Direction [Logs AWS]",
- "type": "visualization",
- "version": "8.4.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "aggregate": "concat",
- "customLabel": "Workflow",
- "field": "aws.securityhub_findings.workflow.status",
- "size": 1,
- "sortField": "@timestamp",
- "sortOrder": "desc"
- },
- "schema": "metric",
- "type": "top_hits"
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "9ef8c19c-b6ff-405a-9d42-514495ccd36c": {
+ "columnOrder": [
+ "819379b0-1a98-4be5-a471-55ac44fbf024",
+ "368eb4c9-51ae-4aef-a439-a8547fbfe987"
+ ],
+ "columns": {
+ "368eb4c9-51ae-4aef-a439-a8547fbfe987": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "event.id"
+ },
+ "819379b0-1a98-4be5-a471-55ac44fbf024": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "network.direction: Descending",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "368eb4c9-51ae-4aef-a439-a8547fbfe987",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 6
+ },
+ "scale": "ordinal",
+ "sourceField": "network.direction"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
},
- {
- "enabled": true,
- "id": "5",
- "params": {
- "customLabel": "Severity",
- "excludeIsRegex": true,
- "field": "aws.securityhub_findings.severity.normalized",
- "includeIsRegex": true,
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 1000
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "368eb4c9-51ae-4aef-a439-a8547fbfe987"
},
- "schema": "bucket",
- "type": "terms"
- },
- {
+ {
+ "alignment": "left",
+ "columnId": "819379b0-1a98-4be5-a471-55ac44fbf024"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "9ef8c19c-b6ff-405a-9d42-514495ccd36c",
+ "layerType": "data",
+ "paging": {
"enabled": true,
- "id": "6",
- "params": {
- "customLabel": "Label",
- "excludeIsRegex": true,
- "field": "aws.securityhub_findings.severity.label",
- "includeIsRegex": true,
- "missingBucket": true,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10000
- },
- "schema": "bucket",
- "type": "terms"
+ "size": 10
},
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Account",
- "excludeIsRegex": true,
- "field": "cloud.account.id",
- "includeIsRegex": true,
- "missingBucket": true,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10000
- },
- "schema": "bucket",
- "type": "terms"
+ "rowHeight": "single"
+ }
+ },
+ "title": "Security Hub - Network Direction [Logs AWS] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 8,
+ "i": "a4cba719-5f51-4090-910f-12e39dc01239",
+ "w": 11,
+ "x": 0,
+ "y": 47
+ },
+ "panelIndex": "a4cba719-5f51-4090-910f-12e39dc01239",
+ "title": "Security Hub - Network Direction [Logs AWS]",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-62cff437-61bd-46d9-91ce-412aa336de04",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "62cff437-61bd-46d9-91ce-412aa336de04": {
+ "columnOrder": [
+ "dcdef06d-44d3-453e-a7f1-88523373c0f6",
+ "cd0e385c-2a0e-4908-918a-385e195dad32",
+ "126df109-06ba-4d0c-bdb5-dff16bad0c16",
+ "44d316f6-eb70-4230-b17a-d84c9773e7b7",
+ "f5f7e973-6d86-44f5-b402-cd291a158d30",
+ "899a4a7e-919a-429b-8035-0b8cd268c5cf",
+ "bf150044-adc1-4873-a60d-684a9d1c3d20",
+ "31bff37d-ab4d-4730-a9ad-79e9d7c22de9",
+ "edd7ce3d-69ca-4079-81ba-c03ac8f70f21"
+ ],
+ "columns": {
+ "126df109-06ba-4d0c-bdb5-dff16bad0c16": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Account",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "cloud.account.id"
+ },
+ "31bff37d-ab4d-4730-a9ad-79e9d7c22de9": {
+ "customLabel": true,
+ "dataType": "string",
+ "filter": {
+ "language": "kuery",
+ "query": "aws.securityhub_findings.record_state: *"
+ },
+ "isBucketed": false,
+ "label": "Record State",
+ "operationType": "last_value",
+ "params": {
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.record_state"
+ },
+ "44d316f6-eb70-4230-b17a-d84c9773e7b7": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Region",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.region"
+ },
+ "899a4a7e-919a-429b-8035-0b8cd268c5cf": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "ID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "event.id"
+ },
+ "bf150044-adc1-4873-a60d-684a9d1c3d20": {
+ "customLabel": true,
+ "dataType": "string",
+ "filter": {
+ "language": "kuery",
+ "query": "aws.securityhub_findings.workflow.status: *"
+ },
+ "isBucketed": false,
+ "label": "Workflow",
+ "operationType": "last_value",
+ "params": {
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.workflow.status"
+ },
+ "cd0e385c-2a0e-4908-918a-385e195dad32": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Label",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.severity.label"
+ },
+ "dcdef06d-44d3-453e-a7f1-88523373c0f6": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Severity",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 1000
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.severity.normalized"
+ },
+ "edd7ce3d-69ca-4079-81ba-c03ac8f70f21": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": false,
+ "label": "Timestamp",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "@timestamp"
+ },
+ "f5f7e973-6d86-44f5-b402-cd291a158d30": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Product",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": true,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.product.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
},
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Region",
- "excludeIsRegex": true,
- "field": "aws.securityhub_findings.region",
- "includeIsRegex": true,
- "missingBucket": true,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10000
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "bf150044-adc1-4873-a60d-684a9d1c3d20"
},
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "4",
- "params": {
- "customLabel": "Product",
- "excludeIsRegex": true,
- "field": "aws.securityhub_findings.product.name",
- "includeIsRegex": true,
- "missingBucket": true,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10000
+ {
+ "alignment": "left",
+ "columnId": "31bff37d-ab4d-4730-a9ad-79e9d7c22de9"
},
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "7",
- "params": {
- "aggregate": "concat",
- "customLabel": "Record State",
- "field": "aws.securityhub_findings.record_state",
- "size": 1,
- "sortField": "@timestamp",
- "sortOrder": "desc"
+ {
+ "alignment": "left",
+ "columnId": "dcdef06d-44d3-453e-a7f1-88523373c0f6"
},
- "schema": "metric",
- "type": "top_hits"
- },
- {
- "enabled": true,
- "id": "8",
- "params": {
- "customLabel": "Timestamp",
- "field": "@timestamp"
+ {
+ "alignment": "left",
+ "columnId": "cd0e385c-2a0e-4908-918a-385e195dad32"
},
- "schema": "metric",
- "type": "max"
- },
- {
- "enabled": true,
- "id": "10",
- "params": {
- "customLabel": "ID",
- "excludeIsRegex": true,
- "field": "event.id",
- "includeIsRegex": true,
- "missingBucket": true,
- "missingBucketLabel": "-",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10000
+ {
+ "alignment": "left",
+ "columnId": "126df109-06ba-4d0c-bdb5-dff16bad0c16"
},
- "schema": "bucket",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
- }
- }
- },
- "description": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 20,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": true,
- "showTotal": false,
- "sort": {
- "columnIndex": null,
- "direction": null
- },
- "totalFunc": "sum"
- },
- "title": "",
- "type": "table",
- "uiState": {
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
+ {
+ "alignment": "left",
+ "columnId": "44d316f6-eb70-4230-b17a-d84c9773e7b7"
+ },
+ {
+ "alignment": "left",
+ "columnId": "f5f7e973-6d86-44f5-b402-cd291a158d30"
+ },
+ {
+ "alignment": "left",
+ "columnId": "899a4a7e-919a-429b-8035-0b8cd268c5cf"
+ },
+ {
+ "columnId": "edd7ce3d-69ca-4079-81ba-c03ac8f70f21",
+ "isTransposed": false
}
- }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "62cff437-61bd-46d9-91ce-412aa336de04",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 20
+ },
+ "rowHeight": "single"
}
- }
- }
+ },
+ "title": "Security Hub - Findings [Logs AWS] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 18,
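Review bot: In the converted Findings table the Account, Region, Product, Label and ID terms columns (`126df109…`, `44d316f6…`, `f5f7e973…`, `cd0e385c…`, `899a4a7e…`) now carry `"otherBucket": true`, whereas the removed legacy aggregations for the same fields all had `"otherBucket": false`; only Severity kept `false`. With `"size": 10000` this rarely produces an "Other" row in practice, but it is a behavioural change the commit message does not explain, so either set `"otherBucket": false` on those five columns or note the intent. The legacy ID column's custom missing label (`"missingBucketLabel": "-"`) is also dropped, which is expected since the Lens terms operation exposes no equivalent; worth a mention in the changelog if users relied on it.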
@@ -1100,8 +1291,8 @@
},
"panelIndex": "5c3b2b5f-b097-4b2e-adae-a4d9149e808f",
"title": "Security Hub - Findings [Logs AWS]",
- "type": "visualization",
- "version": "8.4.0"
+ "type": "lens",
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -1137,189 +1328,274 @@
"panelIndex": "7a8bdb96-e4c4-4e63-bc80-14fbd4b97c2f",
"title": "",
"type": "visualization",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "aggregate": "concat",
- "customLabel": "Workflow",
- "field": "aws.securityhub_findings.workflow.status",
- "size": 1,
- "sortField": "@timestamp",
- "sortOrder": "desc"
- },
- "schema": "metric",
- "type": "top_hits"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Account",
- "excludeIsRegex": true,
- "field": "cloud.account.id",
- "includeIsRegex": true,
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderAgg": {
- "enabled": true,
- "id": "2-orderAgg",
- "params": {
- "emptyAsNull": false
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-946ff939-5488-4f22-9b9c-f96707dd1e6a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "946ff939-5488-4f22-9b9c-f96707dd1e6a": {
+ "columnOrder": [
+ "2e4c0553-5188-4999-b833-39de963396a9",
+ "440bc381-b954-4fb5-b0dd-8445f16fd495",
+ "e4aa3ccd-813f-4021-95f5-476c643bf49c",
+ "10ef0679-7a1e-49ee-926e-572f24e60f8c",
+ "5c861f3b-9f9c-44e8-a2d8-90f6b315460f",
+ "cb8daec8-89a8-4f60-aae2-df7f72f8e2e0",
+ "b19f4eb7-2ec2-4460-bf0a-388680b3347b",
+ "006be8f8-7a9c-444b-9368-ff77309d1f40"
+ ],
+ "columns": {
+ "006be8f8-7a9c-444b-9368-ff77309d1f40": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": false,
+ "label": "Timestamp",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "@timestamp"
+ },
+ "10ef0679-7a1e-49ee-926e-572f24e60f8c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Id",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "event.id"
+ },
+ "2e4c0553-5188-4999-b833-39de963396a9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Account",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {},
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "cloud.account.id"
+ },
+ "440bc381-b954-4fb5-b0dd-8445f16fd495": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Region",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.region"
+ },
+ "5c861f3b-9f9c-44e8-a2d8-90f6b315460f": {
+ "customLabel": true,
+ "dataType": "string",
+ "filter": {
+ "language": "kuery",
+ "query": "aws.securityhub_findings.workflow.status: *"
+ },
+ "isBucketed": false,
+ "label": "Workflow",
+ "operationType": "last_value",
+ "params": {
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.workflow.status"
+ },
+ "b19f4eb7-2ec2-4460-bf0a-388680b3347b": {
+ "customLabel": true,
+ "dataType": "string",
+ "filter": {
+ "language": "kuery",
+ "query": "aws.securityhub_findings.record_state: *"
+ },
+ "isBucketed": false,
+ "label": "Record State",
+ "operationType": "last_value",
+ "params": {
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.record_state"
+ },
+ "cb8daec8-89a8-4f60-aae2-df7f72f8e2e0": {
+ "customLabel": true,
+ "dataType": "string",
+ "filter": {
+ "language": "kuery",
+ "query": "aws.securityhub_findings.compliance.status: *"
+ },
+ "isBucketed": false,
+ "label": "Compliance",
+ "operationType": "last_value",
+ "params": {
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.compliance.status"
+ },
+ "e4aa3ccd-813f-4021-95f5-476c643bf49c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Generator Id",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "asc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10000
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.securityhub_findings.generator.id"
+ }
},
- "schema": "orderAgg",
- "type": "count"
- },
- "orderBy": "custom",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10000
- },
- "schema": "bucket",
- "type": "terms"
+ "incompleteColumns": {}
+ }
+ }
},
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Region",
- "excludeIsRegex": true,
- "field": "aws.securityhub_findings.region",
- "includeIsRegex": true,
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10000
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "5c861f3b-9f9c-44e8-a2d8-90f6b315460f"
},
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "7",
- "params": {
- "customLabel": "Generator Id",
- "excludeIsRegex": true,
- "field": "aws.securityhub_findings.generator.id",
- "includeIsRegex": true,
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "asc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10000
+ {
+ "alignment": "left",
+ "columnId": "cb8daec8-89a8-4f60-aae2-df7f72f8e2e0"
},
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "4",
- "params": {
- "customLabel": "Id",
- "excludeIsRegex": true,
- "field": "event.id",
- "includeIsRegex": true,
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
+ {
+ "alignment": "left",
+ "columnId": "b19f4eb7-2ec2-4460-bf0a-388680b3347b"
},
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "5",
- "params": {
- "aggregate": "concat",
- "customLabel": "Compliance",
- "field": "aws.securityhub_findings.compliance.status",
- "size": 1,
- "sortField": "@timestamp",
- "sortOrder": "desc"
+ {
+ "alignment": "left",
+ "columnId": "2e4c0553-5188-4999-b833-39de963396a9"
},
- "schema": "metric",
- "type": "top_hits"
- },
- {
- "enabled": true,
- "id": "6",
- "params": {
- "aggregate": "concat",
- "customLabel": "Record State",
- "field": "aws.securityhub_findings.record_state",
- "size": 1,
- "sortField": "@timestamp",
- "sortOrder": "desc"
+ {
+ "alignment": "left",
+ "columnId": "440bc381-b954-4fb5-b0dd-8445f16fd495"
},
- "schema": "metric",
- "type": "top_hits"
- },
- {
- "enabled": true,
- "id": "8",
- "params": {
- "customLabel": "Timestamp",
- "field": "@timestamp"
+ {
+ "alignment": "left",
+ "columnId": "e4aa3ccd-813f-4021-95f5-476c643bf49c"
},
- "schema": "metric",
- "type": "max"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": "data_stream.dataset : \"aws.securityhub_findings\" or data_stream.dataset : \"aws.securityhub_insights\" "
- }
- }
- },
- "description": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": true,
- "showTotal": false,
- "sort": {
- "columnIndex": null,
- "direction": null
- },
- "totalFunc": "sum"
- },
- "title": "",
- "type": "table",
- "uiState": {
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
+ {
+ "alignment": "left",
+ "columnId": "10ef0679-7a1e-49ee-926e-572f24e60f8c"
+ },
+ {
+ "columnId": "006be8f8-7a9c-444b-9368-ff77309d1f40",
+ "isTransposed": false
}
- }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "946ff939-5488-4f22-9b9c-f96707dd1e6a",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
}
- }
- }
+ },
+ "title": "Data table visualization (converted)",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 17,
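Review bot: The attributes title for this panel is the generic placeholder `"Data table visualization (converted)"`, while the panel-level `title` is `""` and `"hidePanelTitles": false`; depending on how the dashboard resolves an empty panel title, users may see the placeholder as the heading. Replacing it with a descriptive name consistent with the others, e.g. `"title": "Security Hub - Insights [Logs AWS]"` or whatever this table actually shows, avoids that and makes the saved object self-describing when inspected outside the dashboard.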
@@ -1330,8 +1606,8 @@
},
"panelIndex": "9c9ea523-c04c-4783-9737-494bb8a1d068",
"title": "",
- "type": "visualization",
- "version": "8.4.0"
+ "type": "lens",
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -1367,7 +1643,7 @@
"panelIndex": "a22c199d-3314-4dc0-9c99-79d7dad12c6c",
"title": "",
"type": "visualization",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -1383,7 +1659,7 @@
"panelIndex": "7fad8ba7-c80b-45f5-ace4-0757caa63766",
"panelRefName": "panel_7fad8ba7-c80b-45f5-ace4-0757caa63766",
"type": "search",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -1399,7 +1675,7 @@
"panelIndex": "d730fda4-95c3-4c8f-9236-6dd187a9f63c",
"panelRefName": "panel_d730fda4-95c3-4c8f-9236-6dd187a9f63c",
"type": "search",
- "version": "8.4.0"
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -1436,17 +1712,18 @@
"panelIndex": "d5280fe0-536d-45b0-87c4-1fb9c41065fd",
"title": "Dashboards [Logs AWS]",
"type": "visualization",
- "version": "8.4.0"
+ "version": "8.8.1"
}
],
"timeRestore": false,
"title": "[Logs AWS] Security Hub Summary Dashboard",
"version": 1
},
- "coreMigrationVersion": "8.4.0",
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T08:47:59.330Z",
"id": "aws-c9f103d0-5f63-11ed-bd69-473ce047ef30",
"migrationVersion": {
- "dashboard": "8.4.0"
+ "dashboard": "8.7.0"
},
"references": [
{
@@ -1481,27 +1758,27 @@
},
{
"id": "logs-*",
- "name": "d296bb5b-a63d-4931-84aa-d3a2d0fa754d:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "d296bb5b-a63d-4931-84aa-d3a2d0fa754d:indexpattern-datasource-layer-b6d482c4-5861-4768-a01d-df114f2df10c",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "933df910-8ae4-4a4b-9af7-87b30a92d952:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "933df910-8ae4-4a4b-9af7-87b30a92d952:indexpattern-datasource-layer-82d08903-c849-4c8d-b8b8-8fd454fc4ff3",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "a4cba719-5f51-4090-910f-12e39dc01239:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "a4cba719-5f51-4090-910f-12e39dc01239:indexpattern-datasource-layer-9ef8c19c-b6ff-405a-9d42-514495ccd36c",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "5c3b2b5f-b097-4b2e-adae-a4d9149e808f:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "5c3b2b5f-b097-4b2e-adae-a4d9149e808f:indexpattern-datasource-layer-62cff437-61bd-46d9-91ce-412aa336de04",
"type": "index-pattern"
},
{
"id": "logs-*",
- "name": "9c9ea523-c04c-4783-9737-494bb8a1d068:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "name": "9c9ea523-c04c-4783-9737-494bb8a1d068:indexpattern-datasource-layer-946ff939-5488-4f22-9b9c-f96707dd1e6a",
"type": "index-pattern"
},
{
diff --git a/packages/aws/kibana/dashboard/aws-dfa76470-4ba1-11ec-8282-5342b8988acc.json b/packages/aws/kibana/dashboard/aws-dfa76470-4ba1-11ec-8282-5342b8988acc.json
index 384ad3e7f6f..a95c50e470f 100644
--- a/packages/aws/kibana/dashboard/aws-dfa76470-4ba1-11ec-8282-5342b8988acc.json
+++ b/packages/aws/kibana/dashboard/aws-dfa76470-4ba1-11ec-8282-5342b8988acc.json
@@ -1,14 +1,12 @@
{
- "id": "aws-dfa76470-4ba1-11ec-8282-5342b8988acc",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-08-01T13:47:45.463Z",
- "version": "Wzg2NSwxXQ==",
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"95767951-d2dc-41b5-83ab-d7eb4938d076\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"95767951-d2dc-41b5-83ab-d7eb4938d076\",\"fieldName\":\"cloud.region\",\"title\":\"Region\",\"enhancements\":{}}},\"149de20b-7221-43eb-9447-0c3b42aeec24\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"149de20b-7221-43eb-9447-0c3b42aeec24\",\"fieldName\":\"cloud.availability_zone\",\"title\":\"Availability Zone\",\"enhancements\":{}}},\"5384c422-5326-4800-b08d-1c21c2fb3521\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5384c422-5326-4800-b08d-1c21c2fb3521\",\"fieldName\":\"observer.name\",\"title\":\"Firewall\",\"enhancements\":{}}}}"
+ },
"description": "Dashboard providing statistics about alerts ingested from the AWS Network Firewall integration.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
@@ -64,20 +62,12 @@
"optionsJSON": {
"hidePanelTitles": false,
"syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
- "version": "8.1.0",
- "type": "visualization",
- "gridData": {
- "h": 14,
- "i": "258f7245-5011-4f03-bcd3-cada0180dc7a",
- "w": 12,
- "x": 0,
- "y": 0
- },
- "panelIndex": "258f7245-5011-4f03-bcd3-cada0180dc7a",
"embeddableConfig": {
"enhancements": {},
"savedVis": {
@@ -101,106 +91,20 @@
"title": "",
"type": "markdown",
"uiState": {}
- },
- "type": "visualization"
- }
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "title": "Firewall Filters [Logs AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "controls": [
- {
- "fieldName": "cloud.region",
- "id": "1637591016076",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Region",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "cloud.availability_zone",
- "id": "1637591029629",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Availability Zone",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "observer.name",
- "id": "1637591118622",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "Firewall",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": false,
- "useTimeFilter": false
- },
- "type": "input_control_vis",
- "data": {
- "aggs": [],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- }
}
},
"gridData": {
- "h": 7,
- "i": "8bc8eff1-b70e-4f81-b2a1-de0db6742337",
- "w": 36,
- "x": 12,
+ "h": 16,
+ "i": "258f7245-5011-4f03-bcd3-cada0180dc7a",
+ "w": 18,
+ "x": 0,
"y": 0
},
- "panelIndex": "8bc8eff1-b70e-4f81-b2a1-de0db6742337",
- "title": "Firewall Filters",
+ "panelIndex": "258f7245-5011-4f03-bcd3-cada0180dc7a",
"type": "visualization",
- "version": "8.0.0"
+ "version": "8.8.1"
},
{
- "version": "8.1.0",
- "type": "lens",
- "gridData": {
- "h": 7,
- "i": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
- "w": 6,
- "x": 12,
- "y": 7
- },
- "panelIndex": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
"embeddableConfig": {
"attributes": {
"references": [
@@ -217,7 +121,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -263,30 +167,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Source IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 7,
- "i": "4c85d573-baea-49ca-bb9e-4013a0373da7",
- "w": 6,
+ "h": 8,
+ "i": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
+ "w": 10,
"x": 18,
- "y": 7
+ "y": 0
},
- "panelIndex": "4c85d573-baea-49ca-bb9e-4013a0373da7",
+ "panelIndex": "dfcf4383-4ce2-42a2-b0a9-a48dbf39db64",
+ "title": "Unique Source IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
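Review bot: The converted metric panels (here `Unique Source IPs`, the `visualizationType` line) end up on `lnsLegacyMetric`, which is the deprecated Lens metric renderer; Kibana's migration only renames the old `lnsMetric` type, it does not move the panel to the current metric chart, and the added `size`/`textAlign`/`titlePosition` params exist only for the legacy renderer. If this dashboard is being reworked anyway, consider rebuilding these six panels as the current `lnsMetric` visualization so they do not need another migration later. The panel's enclosing `embeddableConfig` object starts before this hunk.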
@@ -303,7 +209,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -349,30 +255,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Destination IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 7,
- "i": "b0b8c30c-2096-49ee-95b3-9adbf27808e5",
- "w": 6,
- "x": 24,
- "y": 7
+ "h": 8,
+ "i": "4c85d573-baea-49ca-bb9e-4013a0373da7",
+ "w": 10,
+ "x": 28,
+ "y": 0
},
- "panelIndex": "b0b8c30c-2096-49ee-95b3-9adbf27808e5",
+ "panelIndex": "4c85d573-baea-49ca-bb9e-4013a0373da7",
+ "title": "Unique Destination IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -389,7 +297,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -435,30 +343,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Source Countries"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 7,
- "i": "e0be3094-1544-4c59-858c-05320b57c3a7",
- "w": 6,
- "x": 30,
- "y": 7
+ "h": 8,
+ "i": "b0b8c30c-2096-49ee-95b3-9adbf27808e5",
+ "w": 10,
+ "x": 38,
+ "y": 0
},
- "panelIndex": "e0be3094-1544-4c59-858c-05320b57c3a7",
+ "panelIndex": "b0b8c30c-2096-49ee-95b3-9adbf27808e5",
+ "title": "Unique Source Countries",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -475,7 +385,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -521,30 +431,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Destination Countries"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 7,
- "i": "673dd2b3-e271-4ad9-9b86-83e4e1070647",
- "w": 6,
- "x": 36,
- "y": 7
+ "h": 8,
+ "i": "e0be3094-1544-4c59-858c-05320b57c3a7",
+ "w": 10,
+ "x": 18,
+ "y": 8
},
- "panelIndex": "673dd2b3-e271-4ad9-9b86-83e4e1070647",
+ "panelIndex": "e0be3094-1544-4c59-858c-05320b57c3a7",
+ "title": "Unique Destination Countries",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -561,7 +473,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -607,30 +519,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Network Protocols"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 7,
- "i": "09caeba8-1f98-4937-b1b8-60debe3e3728",
- "w": 6,
- "x": 42,
- "y": 7
+ "h": 8,
+ "i": "673dd2b3-e271-4ad9-9b86-83e4e1070647",
+ "w": 10,
+ "x": 28,
+ "y": 8
},
- "panelIndex": "09caeba8-1f98-4937-b1b8-60debe3e3728",
+ "panelIndex": "673dd2b3-e271-4ad9-9b86-83e4e1070647",
+ "title": "Unique Network Protocols",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -647,7 +561,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"454630b2-cff5-45ab-9cfc-ec19c5aeb97a": {
"columnOrder": [
@@ -693,30 +607,32 @@
"visualization": {
"accessor": "fe432a5c-5813-4a13-948e-ea6d83ec8c40",
"layerId": "454630b2-cff5-45ab-9cfc-ec19c5aeb97a",
- "layerType": "data"
+ "layerType": "data",
+ "size": "xl",
+ "textAlign": "center",
+ "titlePosition": "bottom"
}
},
"title": "",
"type": "lens",
- "visualizationType": "lnsMetric"
+ "visualizationType": "lnsLegacyMetric"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Unique Rules"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 15,
- "i": "0e2449f9-149d-473f-99f6-28e3ef05f2fd",
- "w": 12,
- "x": 0,
- "y": 14
+ "h": 8,
+ "i": "09caeba8-1f98-4937-b1b8-60debe3e3728",
+ "w": 10,
+ "x": 38,
+ "y": 8
},
- "panelIndex": "0e2449f9-149d-473f-99f6-28e3ef05f2fd",
+ "panelIndex": "09caeba8-1f98-4937-b1b8-60debe3e3728",
+ "title": "Unique Rules",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -733,7 +649,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"1759e92e-4fa4-4b59-ad5b-333b72cc71b2": {
"columnOrder": [
@@ -795,6 +711,7 @@
],
"legend": {
"isVisible": true,
+ "legendSize": "auto",
"position": "right"
},
"preferredSeriesType": "bar_horizontal_stacked",
@@ -813,22 +730,21 @@
"visualizationType": "lnsXY"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Rules"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "2148efa5-f130-4751-909d-6a79eed2e16b",
+ "i": "0e2449f9-149d-473f-99f6-28e3ef05f2fd",
"w": 12,
- "x": 12,
- "y": 14
+ "x": 0,
+ "y": 16
},
- "panelIndex": "2148efa5-f130-4751-909d-6a79eed2e16b",
+ "panelIndex": "0e2449f9-149d-473f-99f6-28e3ef05f2fd",
+ "title": "Top Rules",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -845,7 +761,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"77c8c7dc-b073-4d7c-8403-b25ee4647152": {
"columnOrder": [
@@ -894,15 +810,18 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
- "f49ff962-9e8a-4170-a0d8-54cee9438651"
- ],
"layerId": "77c8c7dc-b073-4d7c-8403-b25ee4647152",
"layerType": "data",
"legendDisplay": "default",
- "metric": "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6",
+ "legendSize": "auto",
+ "metrics": [
+ "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6"
+ ],
"nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "f49ff962-9e8a-4170-a0d8-54cee9438651"
+ ]
}
],
"shape": "pie"
@@ -913,22 +832,21 @@
"visualizationType": "lnsPie"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Source Countries"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "6790d45f-4fa9-4a70-b0e1-a3e10682c852",
+ "i": "2148efa5-f130-4751-909d-6a79eed2e16b",
"w": 12,
- "x": 24,
- "y": 14
+ "x": 12,
+ "y": 16
},
- "panelIndex": "6790d45f-4fa9-4a70-b0e1-a3e10682c852",
+ "panelIndex": "2148efa5-f130-4751-909d-6a79eed2e16b",
+ "title": "Top Source Countries",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -945,7 +863,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"77c8c7dc-b073-4d7c-8403-b25ee4647152": {
"columnOrder": [
@@ -994,15 +912,18 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
- "f49ff962-9e8a-4170-a0d8-54cee9438651"
- ],
"layerId": "77c8c7dc-b073-4d7c-8403-b25ee4647152",
"layerType": "data",
"legendDisplay": "default",
- "metric": "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6",
+ "legendSize": "auto",
+ "metrics": [
+ "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6"
+ ],
"nestedLegend": false,
- "numberDisplay": "percent"
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "f49ff962-9e8a-4170-a0d8-54cee9438651"
+ ]
}
],
"shape": "pie"
@@ -1013,22 +934,21 @@
"visualizationType": "lnsPie"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Destination Countries"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 15,
- "i": "f7c1e866-ba0d-45af-95bf-2736901431dc",
+ "i": "6790d45f-4fa9-4a70-b0e1-a3e10682c852",
"w": 12,
- "x": 36,
- "y": 14
+ "x": 24,
+ "y": 16
},
- "panelIndex": "f7c1e866-ba0d-45af-95bf-2736901431dc",
+ "panelIndex": "6790d45f-4fa9-4a70-b0e1-a3e10682c852",
+ "title": "Top Destination Countries",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1045,7 +965,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"77c8c7dc-b073-4d7c-8403-b25ee4647152": {
"columnOrder": [
@@ -1113,20 +1033,23 @@
"layers": [
{
"categoryDisplay": "default",
- "groups": [
+ "layerId": "77c8c7dc-b073-4d7c-8403-b25ee4647152",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "legendSize": "auto",
+ "metrics": [
+ "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
"76f26815-f13c-4273-b52f-7c25247f2b0d",
"76f26815-f13c-4273-b52f-7c25247f2b0d",
"9367ad41-b48b-438e-b4d8-2c3f85aff052",
"76f26815-f13c-4273-b52f-7c25247f2b0d",
"76f26815-f13c-4273-b52f-7c25247f2b0d",
"76f26815-f13c-4273-b52f-7c25247f2b0d"
- ],
- "layerId": "77c8c7dc-b073-4d7c-8403-b25ee4647152",
- "layerType": "data",
- "legendDisplay": "default",
- "metric": "0e88e9b7-a2b1-4634-95c1-a7d38dce70a6",
- "nestedLegend": false,
- "numberDisplay": "percent"
+ ]
}
],
"shape": "donut"
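Review bot: `primaryGroups` for the `Network Protocols and Applications` donut lists column `76f26815-f13c-4273-b52f-7c25247f2b0d` five times and `9367ad41-b48b-438e-b4d8-2c3f85aff052` once; the migration carried the duplicates over from the old `groups` array instead of deduplicating them. A Lens pie layer nests one ring per entry, so the repeated id is at best ignored and at worst renders redundant levels; the intended grouping is presumably `["76f26815-f13c-4273-b52f-7c25247f2b0d", "9367ad41-b48b-438e-b4d8-2c3f85aff052"]`. Confirm the order against the layer's `columnOrder`, which sits outside this hunk.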
@@ -1137,22 +1060,21 @@
"visualizationType": "lnsPie"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Network Protocols and Applications"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
- "h": 11,
- "i": "ce8caf3c-c830-4500-a4bf-66a9f354cd49",
+ "h": 15,
+ "i": "f7c1e866-ba0d-45af-95bf-2736901431dc",
"w": 12,
- "x": 0,
- "y": 29
+ "x": 36,
+ "y": 16
},
- "panelIndex": "ce8caf3c-c830-4500-a4bf-66a9f354cd49",
+ "panelIndex": "f7c1e866-ba0d-45af-95bf-2736901431dc",
+ "title": "Network Protocols and Applications",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1169,7 +1091,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"a5c93c96-5038-49e1-acca-2e876257c059": {
"columnOrder": [
@@ -1227,7 +1149,9 @@
}
],
"layerId": "a5c93c96-5038-49e1-acca-2e876257c059",
- "layerType": "data"
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
}
},
"title": "",
@@ -1235,22 +1159,21 @@
"visualizationType": "lnsDatatable"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Event Generating Firewalls"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 11,
- "i": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb",
+ "i": "ce8caf3c-c830-4500-a4bf-66a9f354cd49",
"w": 12,
- "x": 12,
- "y": 29
+ "x": 0,
+ "y": 31
},
- "panelIndex": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb",
+ "panelIndex": "ce8caf3c-c830-4500-a4bf-66a9f354cd49",
+ "title": "Top Event Generating Firewalls",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1267,7 +1190,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"a5c93c96-5038-49e1-acca-2e876257c059": {
"columnOrder": [
@@ -1325,7 +1248,9 @@
}
],
"layerId": "a5c93c96-5038-49e1-acca-2e876257c059",
- "layerType": "data"
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
}
},
"title": "",
@@ -1333,22 +1258,21 @@
"visualizationType": "lnsDatatable"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Event Source IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 11,
- "i": "8a1bd282-e360-473d-b26d-e73f2b470c81",
+ "i": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb",
"w": 12,
- "x": 24,
- "y": 29
+ "x": 12,
+ "y": 31
},
- "panelIndex": "8a1bd282-e360-473d-b26d-e73f2b470c81",
+ "panelIndex": "9609e04b-0043-4b3a-a31b-a2461c1e3dcb",
+ "title": "Top Event Source IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1365,7 +1289,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"a5c93c96-5038-49e1-acca-2e876257c059": {
"columnOrder": [
@@ -1423,7 +1347,9 @@
}
],
"layerId": "a5c93c96-5038-49e1-acca-2e876257c059",
- "layerType": "data"
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
}
},
"title": "",
@@ -1431,22 +1357,21 @@
"visualizationType": "lnsDatatable"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Event Destination IPs"
- },
- {
- "version": "8.1.0",
- "type": "lens",
"gridData": {
"h": 11,
- "i": "3b9a2a5f-1226-415c-88d5-21496508d060",
+ "i": "8a1bd282-e360-473d-b26d-e73f2b470c81",
"w": 12,
- "x": 36,
- "y": 29
+ "x": 24,
+ "y": 31
},
- "panelIndex": "3b9a2a5f-1226-415c-88d5-21496508d060",
+ "panelIndex": "8a1bd282-e360-473d-b26d-e73f2b470c81",
+ "title": "Top Event Destination IPs",
+ "type": "lens",
+ "version": "8.8.1"
+ },
+ {
"embeddableConfig": {
"attributes": {
"references": [
@@ -1463,7 +1388,7 @@
],
"state": {
"datasourceStates": {
- "indexpattern": {
+ "formBased": {
"layers": {
"a5c93c96-5038-49e1-acca-2e876257c059": {
"columnOrder": [
@@ -1521,7 +1446,9 @@
}
],
"layerId": "a5c93c96-5038-49e1-acca-2e876257c059",
- "layerType": "data"
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
}
},
"title": "",
@@ -1529,10 +1456,19 @@
"visualizationType": "lnsDatatable"
},
"enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "hidePanelTitles": false
},
- "title": "Top Network Protocols"
+ "gridData": {
+ "h": 11,
+ "i": "3b9a2a5f-1226-415c-88d5-21496508d060",
+ "w": 12,
+ "x": 36,
+ "y": 31
+ },
+ "panelIndex": "3b9a2a5f-1226-415c-88d5-21496508d060",
+ "title": "Top Network Protocols",
+ "type": "lens",
+ "version": "8.8.1"
},
{
"embeddableConfig": {
@@ -1553,19 +1489,25 @@
"i": "cc6fd495-c70e-4805-b097-e40ac11d2fb8",
"w": 48,
"x": 0,
- "y": 40
+ "y": 42
},
"panelIndex": "cc6fd495-c70e-4805-b097-e40ac11d2fb8",
"panelRefName": "panel_cc6fd495-c70e-4805-b097-e40ac11d2fb8",
"title": "Firewall Logs",
"type": "search",
- "version": "7.15.1"
+ "version": "8.8.1"
}
],
"timeRestore": false,
"title": "[Logs AWS] Firewall Alerts",
"version": 1
},
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T09:17:37.345Z",
+ "id": "aws-dfa76470-4ba1-11ec-8282-5342b8988acc",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
"references": [
{
"id": "logs-*",
@@ -1723,23 +1665,20 @@
"type": "search"
},
{
- "type": "index-pattern",
- "name": "8bc8eff1-b70e-4f81-b2a1-de0db6742337:control_0_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_95767951-d2dc-41b5-83ab-d7eb4938d076:optionsListDataView",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "8bc8eff1-b70e-4f81-b2a1-de0db6742337:control_1_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_149de20b-7221-43eb-9447-0c3b42aeec24:optionsListDataView",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "8bc8eff1-b70e-4f81-b2a1-de0db6742337:control_2_index_pattern",
- "id": "logs-*"
+ "id": "logs-*",
+ "name": "controlGroup_5384c422-5326-4800-b08d-1c21c2fb3521:optionsListDataView",
+ "type": "index-pattern"
}
],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/aws/kibana/dashboard/aws-e6776b10-1534-11ea-841c-01bf20a6c8ba.json b/packages/aws/kibana/dashboard/aws-e6776b10-1534-11ea-841c-01bf20a6c8ba.json
index b9d82d7c95e..7e7999564e4 100644
--- a/packages/aws/kibana/dashboard/aws-e6776b10-1534-11ea-841c-01bf20a6c8ba.json
+++ b/packages/aws/kibana/dashboard/aws-e6776b10-1534-11ea-841c-01bf20a6c8ba.json
@@ -1,14 +1,12 @@
{
- "id": "aws-e6776b10-1534-11ea-841c-01bf20a6c8ba",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-08-01T13:47:45.463Z",
- "version": "Wzg2NiwxXQ==",
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"68e8bd22-884f-4cd1-8483-844cd707bf67\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"68e8bd22-884f-4cd1-8483-844cd707bf67\",\"fieldName\":\"cloud.account.name\",\"title\":\"Account Name\",\"enhancements\":{},\"selectedOptions\":[]}}}"
+ },
"description": "Overview of AWS Billing Metrics",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
@@ -42,174 +40,230 @@
},
"optionsJSON": {
"hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
- "title": "AWS Account Filter",
- "savedVis": {
- "title": "AWS Account Filter [Metrics AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "controls": [
- {
- "fieldName": "cloud.account.name",
- "id": "1549397251041",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "account name",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-fe01457b-2279-4f97-9032-3a29f57e877a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
}
- ],
- "pinFilters": false,
- "updateFiltersOnChange": true,
- "useTimeFilter": false
- },
- "type": "input_control_vis",
- "data": {
- "aggs": [],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fe01457b-2279-4f97-9032-3a29f57e877a": {
+ "columnOrder": [
+ "bc3ef8f7-e93e-4e67-9ff3-3f7aa140c4f7"
+ ],
+ "columns": {
+ "bc3ef8f7-e93e-4e67-9ff3-3f7aa140c4f7": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "aws.billing.EstimatedCharges : * and not aws.billing.ServiceName : *"
+ },
+ "isBucketed": false,
+ "label": "Total Estimated Charges ($)",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 2,
+ "suffix": ""
+ }
+ }
+ },
+ "reducedTimeRange": "12h",
+ "scale": "ratio",
+ "sourceField": "aws.billing.EstimatedCharges"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
}
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "accessor": "bc3ef8f7-e93e-4e67-9ff3-3f7aa140c4f7",
+ "layerId": "fe01457b-2279-4f97-9032-3a29f57e877a",
+ "layerType": "data",
+ "size": "l",
+ "textAlign": "center"
}
- }
- }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsLegacyMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 5,
- "i": "89dccfe8-a25e-44ea-afdb-ff01ab1f05d6",
+ "h": 16,
+ "i": "221aab02-2747-4d84-9dde-028ccd51bdce",
"w": 16,
"x": 0,
"y": 0
},
- "panelIndex": "89dccfe8-a25e-44ea-afdb-ff01ab1f05d6",
- "title": "AWS Account Filter",
- "version": "8.0.0",
- "type": "visualization"
+ "panelIndex": "221aab02-2747-4d84-9dde-028ccd51bdce",
+ "title": "Total Estimated Charges",
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "title": "Estimated Billing Chart",
- "savedVis": {
- "title": "Estimated Billing Pie Chart [Metrics AWS]",
- "description": "",
- "uiState": {
- "vis": {
- "colors": {
- "16": "#629E51",
- "80": "#E24D42",
- "272": "#DEDAF7",
- "running": "#7EB26D",
- "stopped": "#E24D42"
- },
- "legendOpen": true
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7e1a8acb-2b07-4cb4-b0ff-447afa6375d1",
+ "type": "index-pattern"
}
- },
- "params": {
- "addLegend": true,
- "addTooltip": true,
- "dimensions": {
- "buckets": [
- {
- "accessor": 0,
- "aggType": "terms",
- "format": {
- "id": "terms",
- "params": {
- "id": "string",
- "missingBucketLabel": "Missing",
- "otherBucketLabel": "Other"
- }
- },
- "params": {}
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7e1a8acb-2b07-4cb4-b0ff-447afa6375d1": {
+ "columnOrder": [
+ "b9f52cbe-6769-4bf3-b2a7-cabf3239cb8a",
+ "05b1916d-7ebc-40ae-8a8b-d5a8503d2672"
+ ],
+ "columns": {
+ "05b1916d-7ebc-40ae-8a8b-d5a8503d2672": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of aws.billing.EstimatedCharges",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "aws.billing.EstimatedCharges"
+ },
+ "b9f52cbe-6769-4bf3-b2a7-cabf3239cb8a": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of aws.billing.ServiceName",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average of aws.billing.EstimatedCharges",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "aws.billing.EstimatedCharges"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.billing.ServiceName"
+ }
+ },
+ "incompleteColumns": {}
+ }
}
- ],
- "metric": {
- "accessor": 1,
- "aggType": "sum",
- "format": {
- "id": "number"
- },
- "params": {}
+ },
+ "textBased": {
+ "layers": {}
}
},
- "isDonut": false,
- "labels": {
- "last_level": true,
- "show": true,
- "truncate": 100,
- "values": true
- },
- "legendPosition": "right",
- "type": "pie",
- "palette": {
- "type": "palette",
- "name": "kibana_palette"
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "distinctColors": true
- },
- "type": "pie",
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "customLabel": "",
- "field": "aws.billing.EstimatedCharges"
- },
- "schema": "metric",
- "type": "sum"
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "emptySizeRatio": 0.3,
+ "layerId": "7e1a8acb-2b07-4cb4-b0ff-447afa6375d1",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendMaxLines": 1,
+ "legendPosition": "right",
+ "legendSize": "auto",
+ "metrics": [
+ "05b1916d-7ebc-40ae-8a8b-d5a8503d2672"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 2,
+ "primaryGroups": [
+ "b9f52cbe-6769-4bf3-b2a7-cabf3239cb8a"
+ ],
+ "secondaryGroups": [],
+ "showValuesInLegend": true,
+ "truncateLegend": true
+ }
+ ],
+ "palette": {
+ "name": "default",
+ "type": "palette"
},
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "",
- "field": "aws.billing.ServiceName",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderAgg": {
- "enabled": true,
- "id": "2-orderAgg",
- "params": {
- "field": "aws.billing.EstimatedCharges"
- },
- "schema": "orderAgg",
- "type": "avg"
- },
- "orderBy": "custom",
- "otherBucket": true,
- "otherBucketLabel": "Other",
- "size": 10
- },
- "schema": "segment",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
- }
+ "shape": "pie"
}
- }
- }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
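Review bot: The new `Total Estimated Charges` Lens panel keeps an `adHocDataViews` entry `tsvb_ad_hoc_metrics-*/@timestamp` that nothing in the panel uses — its only layer is bound to the `metrics-*` index pattern through `references`, and the sibling `Estimated Billing Chart` panel correctly carries `"adHocDataViews": {}`. Drop the stale entry so the panel does not ship a second data-source definition left over from the TSVB conversion. Separately, the metric now sums `aws.billing.EstimatedCharges` over `reducedTimeRange: "12h"` with the filter `aws.billing.EstimatedCharges : * and not aws.billing.ServiceName : *`; whether that equals the previous per-account total depends on the billing collection period, so it is worth confirming the 12h window cannot contain more than one document per account and double-count.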
@@ -220,172 +274,198 @@
},
"panelIndex": "26670498-b079-4447-bbc8-e4ca8215898c",
"title": "Estimated Billing Chart",
- "version": "8.0.0",
- "type": "visualization"
+ "type": "lens",
+ "version": "8.7.1"
},
{
"embeddableConfig": {
- "title": "Total Estimated Charges",
- "savedVis": {
- "title": "Total Estimated Charges [Metrics AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "88a80e30-1530-11ea-961e-c1db9cc6166e"
- }
- ],
- "bar_color_rules": [
- {
- "id": "ebb52700-1531-11ea-961e-c1db9cc6166e"
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
}
- ],
- "drop_last_bucket": 0,
- "gauge_color_rules": [
- {
- "id": "e8a045e0-1531-11ea-961e-c1db9cc6166e"
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "3fc613f6-8db8-4fb4-889e-de4e079f0821": {
+ "columnOrder": [
+ "5a83d040-e3d3-4467-85fe-eb3e6ed95a15",
+ "1b5242d7-8eab-4fd2-a2c2-6c04031c2ba2",
+ "3e6b810b-7a82-4574-ab3b-d20480ede81e"
+ ],
+ "columns": {
+ "1b5242d7-8eab-4fd2-a2c2-6c04031c2ba2": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "12h"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "3e6b810b-7a82-4574-ab3b-d20480ede81e": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "avg(aws.billing.EstimatedCharges)",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 2,
+ "suffix": "$"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "aws.billing.EstimatedCharges",
+ "timeShift": ""
+ },
+ "5a83d040-e3d3-4467-85fe-eb3e6ed95a15": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of aws.billing.ServiceName",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "3e6b810b-7a82-4574-ab3b-d20480ede81e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "aws.billing.ServiceName"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
}
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "12h",
- "isModelInvalid": false,
- "series": [
+ },
+ "filters": [],
+ "internalReferences": [
{
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "filter": {
- "language": "kuery",
- "query": "not aws.billing.ServiceName : * "
- },
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Total Estimated Charges",
- "line_width": 1,
- "metrics": [
- {
- "field": "aws.billing.EstimatedCharges",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "sum"
- }
- ],
- "override_index_pattern": 0,
- "point_size": 1,
- "separate_axis": 0,
- "series_drop_last_bucket": 0,
- "series_interval": "12h",
- "split_color_mode": "gradient",
- "split_mode": "filter",
- "stacked": "none",
- "time_range_mode": "last_value",
- "value_template": "${{value}}"
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-3fc613f6-8db8-4fb4-889e-de4e079f0821",
+ "type": "index-pattern"
}
],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "metric",
- "use_kibana_indexes": false,
- "hide_last_value_indicator": true
- },
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
- },
- "gridData": {
- "h": 11,
- "i": "221aab02-2747-4d84-9dde-028ccd51bdce",
- "w": 16,
- "x": 0,
- "y": 5
- },
- "panelIndex": "221aab02-2747-4d84-9dde-028ccd51bdce",
- "title": "Total Estimated Charges",
- "version": "8.0.0",
- "type": "visualization"
- },
- {
- "embeddableConfig": {
- "title": "Top 10 Estimated Billing Per Service Name",
- "savedVis": {
- "title": "Top 10 Billing per Service Name [Metrics AWS]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
+ "query": {
"language": "kuery",
"query": ""
},
- "id": "729af8b0-152a-11ea-ae8f-79fec1a0d4d3",
- "index_pattern": "metrics-*",
- "interval": "12h",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#3185FC",
- "fill": 0,
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "number",
- "id": "729b1fc0-152a-11ea-ae8f-79fec1a0d4d3",
- "label": "avg(aws.billing.EstimatedCharges)",
- "line_width": 2,
- "metrics": [
- {
- "field": "aws.billing.EstimatedCharges",
- "id": "729b1fc1-152a-11ea-ae8f-79fec1a0d4d3",
- "type": "sum"
- }
- ],
- "override_index_pattern": 0,
- "point_size": "4",
- "separate_axis": 0,
- "series_drop_last_bucket": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "steps": 0,
- "terms_field": "aws.billing.ServiceName",
- "terms_include": "",
- "terms_order_by": "729b1fc1-152a-11ea-ae8f-79fec1a0d4d3",
- "terms_size": "10",
- "type": "timeseries",
- "value_template": "${{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "curveType": "LINEAR",
+ "emphasizeFitting": false,
+ "endValue": "Zero",
+ "fillOpacity": 0,
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "3e6b810b-7a82-4574-ab3b-d20480ede81e"
+ ],
+ "layerId": "3fc613f6-8db8-4fb4-889e-de4e079f0821",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "5a83d040-e3d3-4467-85fe-eb3e6ed95a15",
+ "xAccessor": "1b5242d7-8eab-4fd2-a2c2-6c04031c2ba2",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "3e6b810b-7a82-4574-ab3b-d20480ede81e"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "large",
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
},
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
@@ -396,14 +476,20 @@
},
"panelIndex": "21e91e6b-0ff0-42ba-9132-6f30c5c6bbb7",
"title": "Top 10 Estimated Billing Per Service Name",
- "version": "8.0.0",
- "type": "visualization"
+ "type": "lens",
+ "version": "8.7.1"
}
],
"timeRestore": false,
"title": "[Metrics AWS] Billing Overview",
"version": 1
},
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T08:47:59.330Z",
+ "id": "aws-e6776b10-1534-11ea-841c-01bf20a6c8ba",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
"references": [
{
"id": "metrics-*",
@@ -411,18 +497,20 @@
"type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "89dccfe8-a25e-44ea-afdb-ff01ab1f05d6:control_0_index_pattern",
- "id": "metrics-*"
+ "id": "metrics-*",
+ "name": "221aab02-2747-4d84-9dde-028ccd51bdce:indexpattern-datasource-layer-fe01457b-2279-4f97-9032-3a29f57e877a",
+ "type": "index-pattern"
},
{
- "type": "index-pattern",
- "name": "26670498-b079-4447-bbc8-e4ca8215898c:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "metrics-*"
+ "id": "metrics-*",
+ "name": "26670498-b079-4447-bbc8-e4ca8215898c:indexpattern-datasource-layer-7e1a8acb-2b07-4cb4-b0ff-447afa6375d1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_68e8bd22-884f-4cd1-8483-844cd707bf67:optionsListDataView",
+ "type": "index-pattern"
}
],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
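Review bot: The rewritten `references` block adds an index-pattern reference for panel `221aab02-2747-4d84-9dde-028ccd51bdce` (layer `fe01457b-…`), but the only definition of that panel shown in this diff is the TSVB "Total Estimated Charges" panel that the previous hunk deletes; unless a Lens replacement with the same `panelIndex` was added in the part of the file above this chunk, the reference is dangling and Kibana will report a missing reference on import. Conversely, panel `21e91e6b-…` has no entry here because it carries an ad-hoc data view instead of a managed one. Please confirm every `panelIndex` named in `references` still exists in `panelsJSON`, and that every Lens panel that should follow `metrics-*` does have a reference.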
diff --git a/packages/aws/kibana/dashboard/aws-e74bf320-b3ce-11e9-87a4-078dbbae220d.json b/packages/aws/kibana/dashboard/aws-e74bf320-b3ce-11e9-87a4-078dbbae220d.json
index 9e3fb9d25ae..2e7e38bd398 100644
--- a/packages/aws/kibana/dashboard/aws-e74bf320-b3ce-11e9-87a4-078dbbae220d.json
+++ b/packages/aws/kibana/dashboard/aws-e74bf320-b3ce-11e9-87a4-078dbbae220d.json
@@ -446,7 +446,6 @@
"query": ""
},
"visualization": {
- "color": "#ffffff",
"layerId": "d825a0ad-7b01-4867-b39d-b265fa804a77",
"layerType": "data",
"metricAccessor": "0459af2a-4945-405a-8b39-3aa3c7387d51"
@@ -522,7 +521,6 @@
"query": ""
},
"visualization": {
- "color": "#FFF",
"layerId": "95c74866-a10c-4846-99a6-d4478075f9aa",
"layerType": "data",
"metricAccessor": "f16d2264-abf6-4a3a-b7e1-be8e69f239de"
diff --git a/packages/aws/kibana/search/aws-4f41d150-2704-11ee-81f9-fdf97c8e03a6.json b/packages/aws/kibana/search/aws-4f41d150-2704-11ee-81f9-fdf97c8e03a6.json
new file mode 100644
index 00000000000..b05c1395d7d
--- /dev/null
+++ b/packages/aws/kibana/search/aws-4f41d150-2704-11ee-81f9-fdf97c8e03a6.json
@@ -0,0 +1,42 @@
+{
+ "attributes": {
+ "columns": [],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.apigateway_logs\" "
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "API Gateway Logs",
+ "usesAdHocDataView": false
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-20T13:49:55.813Z",
+ "id": "aws-4f41d150-2704-11ee-81f9-fdf97c8e03a6",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
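Review bot: The new saved search is titled `"API Gateway Logs"`, while every other search in this package follows the `… [Logs AWS]` convention (`Error Logs [Logs AWS]`, `VPC Flow Reject Logs [Logs AWS]`, `Firewall Logs [Logs AWS]`), so it will sort and display differently from its siblings in the Discover/saved-objects lists; suggest `"title": "API Gateway Logs [Logs AWS]"`. The KQL query also carries a trailing space, `"data_stream.dataset : \"aws.apigateway_logs\" "`, which is harmless but is worth trimming when the object is re-exported. `columns` is empty, so Discover will show only `_source`; if there are a handful of high-value fields for API Gateway access logs they could be pre-selected here.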
diff --git a/packages/aws/kibana/search/aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb.json b/packages/aws/kibana/search/aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb.json
index cc40f991b33..ce5257aa644 100644
--- a/packages/aws/kibana/search/aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb.json
+++ b/packages/aws/kibana/search/aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb.json
@@ -80,7 +80,12 @@
"title": "Error Logs [Logs AWS]",
"version": 1
},
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T08:47:59.330Z",
"id": "aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
"references": [
{
"id": "logs-*",
diff --git a/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json b/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json
index cd60efee265..e4dd11b43a5 100644
--- a/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json
+++ b/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json
@@ -22,7 +22,8 @@
],
"title": "Security Hub - Raw Events [Logs AWS]"
},
- "coreMigrationVersion": "8.4.0",
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T08:47:59.330Z",
"id": "aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5",
"migrationVersion": {
"search": "8.0.0"
diff --git a/packages/aws/kibana/search/aws-c1543010-2724-11ee-a3cb-33de1feb08f6.json b/packages/aws/kibana/search/aws-c1543010-2724-11ee-a3cb-33de1feb08f6.json
new file mode 100644
index 00000000000..b3e3b7760fe
--- /dev/null
+++ b/packages/aws/kibana/search/aws-c1543010-2724-11ee-a3cb-33de1feb08f6.json
@@ -0,0 +1,41 @@
+{
+ "attributes": {
+ "columns": [],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"aws.emr_logs\" "
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "[AWS] EMR Logs Search",
+ "usesAdHocDataView": false
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-07-20T17:42:11.089Z",
+ "id": "aws-c1543010-2724-11ee-a3cb-33de1feb08f6",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
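Review bot: The title `"[AWS] EMR Logs Search"` does not follow the `… [Logs AWS]` naming used by the package's other saved searches (and differs again from the `"API Gateway Logs"` search added in the same change), so the three new and old searches use three different conventions; suggest `"title": "EMR Logs [Logs AWS]"`. This file also uses the newer export shape (`typeMigrationVersion`, `managed: false`, `coreMigrationVersion` 8.8.0) while the API Gateway search exported alongside it uses the older `migrationVersion` form; both are accepted by Kibana 8.9 as far as I can tell, but exporting both from the same Kibana version would keep the package's saved objects uniform and easier to diff.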
diff --git a/packages/aws/kibana/search/aws-c1aee600-4487-11ea-ad63-791a5dc86f10.json b/packages/aws/kibana/search/aws-c1aee600-4487-11ea-ad63-791a5dc86f10.json
index 0f814f2ddc0..28c806ae3c5 100644
--- a/packages/aws/kibana/search/aws-c1aee600-4487-11ea-ad63-791a5dc86f10.json
+++ b/packages/aws/kibana/search/aws-c1aee600-4487-11ea-ad63-791a5dc86f10.json
@@ -79,7 +79,12 @@
"title": "VPC Flow Reject Logs [Logs AWS]",
"version": 1
},
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-05-30T07:18:21.141Z",
"id": "aws-c1aee600-4487-11ea-ad63-791a5dc86f10",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
"references": [
{
"id": "logs-*",
diff --git a/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json b/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json
index aa4e3f96f57..c49bdff5dc0 100644
--- a/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json
+++ b/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json
@@ -31,7 +31,8 @@
],
"title": "Essential Details - Security Hub [Logs AWS]"
},
- "coreMigrationVersion": "8.4.0",
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T08:47:59.330Z",
"id": "aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5",
"migrationVersion": {
"search": "8.0.0"
diff --git a/packages/aws/kibana/search/aws-f4856850-4d32-11ec-a678-057fce71e8cd.json b/packages/aws/kibana/search/aws-f4856850-4d32-11ec-a678-057fce71e8cd.json
index f5ac0e3875d..c230d9ca975 100644
--- a/packages/aws/kibana/search/aws-f4856850-4d32-11ec-a678-057fce71e8cd.json
+++ b/packages/aws/kibana/search/aws-f4856850-4d32-11ec-a678-057fce71e8cd.json
@@ -53,10 +53,11 @@
"title": "Firewall Logs [Logs AWS]",
"version": 1
},
- "coreMigrationVersion": "7.15.1",
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-07-18T09:17:37.345Z",
"id": "aws-f4856850-4d32-11ec-a678-057fce71e8cd",
"migrationVersion": {
- "search": "7.9.3"
+ "search": "8.0.0"
},
"references": [
{
diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
index 361afa29c91..9a308134d08 100644
--- a/packages/aws/manifest.yml
+++ b/packages/aws/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: aws
title: AWS
-version: 1.46.0
+version: 2.2.1
license: basic
description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
type: integration
@@ -9,7 +9,7 @@ categories:
- aws
release: ga
conditions:
- kibana.version: "^8.8.1"
+ kibana.version: "^8.9.0"
screenshots:
- src: /img/metricbeat-aws-overview.png
title: metricbeat aws overview
@@ -136,10 +136,6 @@ policy_templates:
- observability
- monitoring
inputs:
- - type: aws-s3
- title: Collect logs from S3 (Deprecated)
- description: Collecting logs using aws-s3 input
- input_group: logs
- type: aws-cloudwatch
title: Collect logs from CloudWatch
description: Collecting logs using aws-cloudwatch input
@@ -744,6 +740,7 @@ policy_templates:
description: Collect logs and metrics for AWS API Gateway with Elastic Agent.
data_streams:
- apigateway_metrics
+ - apigateway_logs
categories:
- observability
inputs:
@@ -751,6 +748,19 @@ policy_templates:
title: Collect API Gateway metrics
description: Collect API Gateway metrics using AWS CloudWatch.
input_group: metrics
+ - type: aws-s3
+ title: Collect API Gateway logs from S3
+ description: Collecting API Gateway logs using aws-s3 input
+ input_group: logs
+ - type: aws-cloudwatch
+ title: Collect API Gateway logs from CloudWatch
+ description: Collecting API Gateway logs using aws-cloudwatch input
+ input_group: logs
+ screenshots:
+ - src: /img/filebeat-aws-apigateway-overview.png
+ title: filebeat aws api gateway overview
+ size: 1280x1431
+ type: image/png
icons:
- src: /img/logo_apigateway.svg
title: AWS API Gateway logo
@@ -761,6 +771,7 @@ policy_templates:
description: Collect logs and metrics for Amazon EMR service with Elastic Agent
data_streams:
- emr_metrics
+ - emr_logs
categories:
- observability
inputs:
@@ -768,6 +779,19 @@ policy_templates:
title: Collect EMR metrics
description: Collect EMR metrics using AWS CloudWatch
input_group: metrics
+ - type: aws-s3
+ title: Collect EMR logs from S3
+ description: Collecting logs from EMR using aws-s3 input
+ input_group: logs
+ - type: aws-cloudwatch
+ title: Collect EMR logs from CloudWatch
+ description: Collecting logs from EMR using aws-cloudwatch input
+ input_group: logs
+ screenshots:
+ - src: /img/filebeat-aws-emr-overview.png
+ title: filebeat aws emr overview
+ size: 1714x893
+ type: image/png
icons:
- src: /img/logo_emr.svg
title: AWS EMR logo
diff --git a/packages/aws_logs/changelog.yml b/packages/aws_logs/changelog.yml
index 631644bf81d..5d1d9a7d2a0 100644
--- a/packages/aws_logs/changelog.yml
+++ b/packages/aws_logs/changelog.yml
@@ -1,3 +1,8 @@
+- version: "0.5.1"
+ changes:
+ - description: Remove duplicated number_of_workers settings
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7481
- version: "0.5.0"
changes:
- description: Add permissions to reroute events to logs-*-* for generic datastream
diff --git a/packages/aws_logs/data_stream/generic/_dev/deploy/tf/env.yml b/packages/aws_logs/data_stream/generic/_dev/deploy/tf/env.yml
new file mode 100644
index 00000000000..b795fcdeb2c
--- /dev/null
+++ b/packages/aws_logs/data_stream/generic/_dev/deploy/tf/env.yml
@@ -0,0 +1,9 @@
+version: '2.3'
+services:
+ terraform:
+ environment:
+ - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+ - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+ - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+ - AWS_PROFILE=${AWS_PROFILE}
+ - AWS_REGION=${AWS_REGION:-us-east-1}
diff --git a/packages/aws_logs/data_stream/generic/_dev/deploy/tf/main.tf b/packages/aws_logs/data_stream/generic/_dev/deploy/tf/main.tf
new file mode 100644
index 00000000000..f7d5618cd35
--- /dev/null
+++ b/packages/aws_logs/data_stream/generic/_dev/deploy/tf/main.tf
@@ -0,0 +1,64 @@
+variable "TEST_RUN_ID" {
+ default = "detached"
+}
+
+provider "aws" {
+ default_tags {
+ tags = {
+ environment = var.ENVIRONMENT
+ repo = var.REPO
+ branch = var.BRANCH
+ build = var.BUILD_ID
+ created_date = var.CREATED_DATE
+ }
+ }
+}
+
+resource "aws_s3_bucket" "bucket" {
+ bucket = "elastic-package-aws-logs-bucket-${var.TEST_RUN_ID}"
+}
+
+resource "aws_sqs_queue" "queue" {
+ name = "elastic-package-aws-logs-queue-${var.TEST_RUN_ID}"
+ policy = <
Total bytes
- name: peak
type: long
+ metric_type: counter
format: bytes
description: >
Peak committed bytes on Windows
- name: private_working_set.total
type: long
+ metric_type: gauge
format: bytes
description: >
- private working sets on Windows
+ Private working sets on Windows
- name: fail.count
type: scaled_float
+ metric_type: counter
description: |
Fail counter.
- name: limit
type: long
+ metric_type: gauge
format: bytes
description: |
Memory limit.
@@ -231,11 +271,13 @@
fields:
- name: total
type: long
+ metric_type: gauge
format: bytes
description: |
Total memory resident set size.
- name: pct
type: scaled_float
+ metric_type: gauge
format: percent
description: |
Memory resident set size percentage.
@@ -244,16 +286,19 @@
fields:
- name: max
type: long
+ metric_type: counter
format: bytes
description: |
Max memory usage.
- name: pct
type: scaled_float
+ metric_type: gauge
format: percent
description: |
Memory usage percentage.
- name: total
type: long
+ metric_type: gauge
format: bytes
description: |
Total memory usage.
@@ -266,16 +311,19 @@
fields:
- name: max
type: long
+ metric_type: counter
format: bytes
description: |
Max memory usage.
- name: pct
type: scaled_float
+ metric_type: gauge
format: percent
description: |
Memory usage percentage.
- name: total
type: long
+ metric_type: gauge
format: bytes
description: |
Total memory usage.
@@ -284,19 +332,23 @@
fields:
- name: bytes
type: long
+ metric_type: counter
format: bytes
description: |
Total number of incoming bytes.
- name: dropped
type: long
+ metric_type: counter
description: |
Total number of dropped incoming packets.
- name: errors
type: long
+ metric_type: counter
description: |
Total errors on incoming packets.
- name: packets
type: long
+ metric_type: counter
description: |
Total number of incoming packets.
- name: network.*.outbound
@@ -304,18 +356,22 @@
fields:
- name: bytes
type: long
+ metric_type: counter
format: bytes
description: |
Total number of incoming bytes.
- name: dropped
type: long
+ metric_type: counter
description: |
Total number of dropped incoming packets.
- name: errors
type: long
+ metric_type: counter
description: |
Total errors on incoming packets.
- name: packets
type: long
+ metric_type: counter
description: |
Total number of incoming packets.
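Review bot: All four `network.*.outbound` fields keep descriptions that talk about *incoming* traffic ("Total number of incoming bytes.", "Total number of dropped incoming packets.", "Total errors on incoming packets.", "Total number of incoming packets."), which is a copy-paste carry-over from the `inbound` group and is reproduced verbatim in the generated README table; since this hunk already touches each of these fields to add `metric_type`, it is the natural place to correct them to `Total number of outgoing bytes.`, `Total number of dropped outgoing packets.`, `Total errors on outgoing packets.` and `Total number of outgoing packets.`. The `counter` metric type itself looks right for these cumulative interface counters.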
diff --git a/packages/awsfargate/data_stream/task_stats/manifest.yml b/packages/awsfargate/data_stream/task_stats/manifest.yml
index 97f6c7e8f51..6aee989ec6b 100644
--- a/packages/awsfargate/data_stream/task_stats/manifest.yml
+++ b/packages/awsfargate/data_stream/task_stats/manifest.yml
@@ -1,6 +1,8 @@
type: metrics
title: AWS Fargate task_stats metrics
release: beta
+elasticsearch:
+ index_mode: "time_series"
streams:
- input: awsfargate/metrics
vars:
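Review bot: Enabling `index_mode: "time_series"` on `task_stats` requires the data stream's mappings to declare at least one `dimension: true` keyword field (Elasticsearch derives the TSDB routing path from the dimensions and, as far as I recall, rejects a time-series data stream that has none), and none of the `fields.yml` hunks in this diff mark a dimension — they only add `metric_type`. The declarations may well sit in the part of `fields.yml` not shown here (the README gaining `agent.id` suggests it is intended as one), so please confirm that an identity set such as `agent.id`, `container.id`/`awsfargate.task_stats.identifier` and `awsfargate.task_stats.task_name` is flagged `dimension: true`; otherwise documents from different containers that share a timestamp would collapse onto the same time-series id.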
diff --git a/packages/awsfargate/docs/README.md b/packages/awsfargate/docs/README.md
index a7bfdd926f9..ac632808f48 100644
--- a/packages/awsfargate/docs/README.md
+++ b/packages/awsfargate/docs/README.md
@@ -299,96 +299,97 @@ If you want to learn more about Amazon ECS metrics, take a look at the blog post
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| awsfargate.task_stats.cluster_name | Cluster name | keyword |
-| awsfargate.task_stats.cpu.core | | object |
-| awsfargate.task_stats.cpu.core.\*.norm.pct | Percentage of time per CPU core normalized by the number of CPU cores. | scaled_float |
-| awsfargate.task_stats.cpu.core.\*.pct | Percentage of time per CPU core. | scaled_float |
-| awsfargate.task_stats.cpu.core.\*.ticks | CPU ticks per CPU core. | long |
-| awsfargate.task_stats.cpu.kernel.norm.pct | Percentage of time in kernel space normalized by the number of CPU cores. | scaled_float |
-| awsfargate.task_stats.cpu.kernel.pct | Percentage of time in kernel space. | scaled_float |
-| awsfargate.task_stats.cpu.kernel.ticks | CPU ticks in kernel space. | long |
-| awsfargate.task_stats.cpu.system.norm.pct | Percentage of total CPU time in the system normalized by the number of CPU cores. | scaled_float |
-| awsfargate.task_stats.cpu.system.pct | Percentage of total CPU time in the system. | scaled_float |
-| awsfargate.task_stats.cpu.system.ticks | CPU system ticks. | long |
-| awsfargate.task_stats.cpu.total.norm.pct | Total CPU usage normalized by the number of CPU cores. | scaled_float |
-| awsfargate.task_stats.cpu.total.pct | Total CPU usage. | scaled_float |
-| awsfargate.task_stats.cpu.user.norm.pct | Percentage of time in user space normalized by the number of CPU cores. | scaled_float |
-| awsfargate.task_stats.cpu.user.pct | Percentage of time in user space. | scaled_float |
-| awsfargate.task_stats.cpu.user.ticks | CPU ticks in user space. | long |
-| awsfargate.task_stats.diskio.read.bytes | Bytes read during the life of the container | long |
-| awsfargate.task_stats.diskio.read.ops | Number of reads during the life of the container | long |
-| awsfargate.task_stats.diskio.read.queued | Total number of queued requests | long |
-| awsfargate.task_stats.diskio.read.rate | Number of current reads per second | long |
-| awsfargate.task_stats.diskio.read.service_time | Total time to service IO requests, in nanoseconds | long |
-| awsfargate.task_stats.diskio.read.wait_time | Total time requests spent waiting in queues for service, in nanoseconds | long |
-| awsfargate.task_stats.diskio.reads | Number of current reads per second | scaled_float |
-| awsfargate.task_stats.diskio.summary.bytes | Bytes read and written during the life of the container | long |
-| awsfargate.task_stats.diskio.summary.ops | Number of I/O operations during the life of the container | long |
-| awsfargate.task_stats.diskio.summary.queued | Total number of queued requests | long |
-| awsfargate.task_stats.diskio.summary.rate | Number of current operations per second | long |
-| awsfargate.task_stats.diskio.summary.service_time | Total time to service IO requests, in nanoseconds | long |
-| awsfargate.task_stats.diskio.summary.wait_time | Total time requests spent waiting in queues for service, in nanoseconds | long |
-| awsfargate.task_stats.diskio.total | Number of reads and writes per second | scaled_float |
-| awsfargate.task_stats.diskio.write.bytes | Bytes written during the life of the container | long |
-| awsfargate.task_stats.diskio.write.ops | Number of writes during the life of the container | long |
-| awsfargate.task_stats.diskio.write.queued | Total number of queued requests | long |
-| awsfargate.task_stats.diskio.write.rate | Number of current writes per second | long |
-| awsfargate.task_stats.diskio.write.service_time | Total time to service IO requests, in nanoseconds | long |
-| awsfargate.task_stats.diskio.write.wait_time | Total time requests spent waiting in queues for service, in nanoseconds | long |
-| awsfargate.task_stats.diskio.writes | Number of current writes per second | scaled_float |
-| awsfargate.task_stats.identifier | Container identifier across tasks and clusters, which equals to container.name + '/' + container.id. | keyword |
-| awsfargate.task_stats.memory.commit.peak | Peak committed bytes on Windows | long |
-| awsfargate.task_stats.memory.commit.total | Total bytes | long |
-| awsfargate.task_stats.memory.fail.count | Fail counter. | scaled_float |
-| awsfargate.task_stats.memory.limit | Memory limit. | long |
-| awsfargate.task_stats.memory.private_working_set.total | private working sets on Windows | long |
-| awsfargate.task_stats.memory.rss.pct | Memory resident set size percentage. | scaled_float |
-| awsfargate.task_stats.memory.rss.total | Total memory resident set size. | long |
-| awsfargate.task_stats.memory.rss.usage.max | Max memory usage. | long |
-| awsfargate.task_stats.memory.rss.usage.pct | Memory usage percentage. | scaled_float |
-| awsfargate.task_stats.memory.rss.usage.total | Total memory usage. | long |
-| awsfargate.task_stats.memory.stats.\* | Raw memory stats from the cgroups memory.stat interface | object |
-| awsfargate.task_stats.memory.usage.max | Max memory usage. | long |
-| awsfargate.task_stats.memory.usage.pct | Memory usage percentage. | scaled_float |
-| awsfargate.task_stats.memory.usage.total | Total memory usage. | long |
-| awsfargate.task_stats.network.\*.inbound.bytes | Total number of incoming bytes. | long |
-| awsfargate.task_stats.network.\*.inbound.dropped | Total number of dropped incoming packets. | long |
-| awsfargate.task_stats.network.\*.inbound.errors | Total errors on incoming packets. | long |
-| awsfargate.task_stats.network.\*.inbound.packets | Total number of incoming packets. | long |
-| awsfargate.task_stats.network.\*.outbound.bytes | Total number of incoming bytes. | long |
-| awsfargate.task_stats.network.\*.outbound.dropped | Total number of dropped incoming packets. | long |
-| awsfargate.task_stats.network.\*.outbound.errors | Total errors on incoming packets. | long |
-| awsfargate.task_stats.network.\*.outbound.packets | Total number of incoming packets. | long |
-| awsfargate.task_stats.task_desired_status | The desired status for the task from Amazon ECS. | keyword |
-| awsfargate.task_stats.task_known_status | The known status for the task from Amazon ECS. | keyword |
-| awsfargate.task_stats.task_name | ECS task name | keyword |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container | Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. | group |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels.com_amazonaws_ecs_cluster | ECS Cluster name | keyword |
-| container.labels.com_amazonaws_ecs_container-name | ECS container name | keyword |
-| container.labels.com_amazonaws_ecs_task-arn | ECS task ARN | keyword |
-| container.labels.com_amazonaws_ecs_task-definition-family | ECS task definition family | keyword |
-| container.labels.com_amazonaws_ecs_task-definition-version | ECS task definition version | keyword |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
-| error.message | Error message. | match_only_text |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| awsfargate.task_stats.cluster_name | Cluster name | keyword | |
+| awsfargate.task_stats.cpu.core | | object | |
+| awsfargate.task_stats.cpu.core.\*.norm.pct | Percentage of time per CPU core normalized by the number of CPU cores. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.core.\*.pct | Percentage of time per CPU core. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.core.\*.ticks | CPU ticks per CPU core. | long | counter |
+| awsfargate.task_stats.cpu.kernel.norm.pct | Percentage of time in kernel space normalized by the number of CPU cores. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.kernel.pct | Percentage of time in kernel space. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.kernel.ticks | CPU ticks in kernel space. | long | counter |
+| awsfargate.task_stats.cpu.system.norm.pct | Percentage of total CPU time in the system normalized by the number of CPU cores. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.system.pct | Percentage of total CPU time in the system. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.system.ticks | CPU system ticks. | long | counter |
+| awsfargate.task_stats.cpu.total.norm.pct | Total CPU usage normalized by the number of CPU cores. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.total.pct | Total CPU usage. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.user.norm.pct | Percentage of time in user space normalized by the number of CPU cores. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.user.pct | Percentage of time in user space. | scaled_float | gauge |
+| awsfargate.task_stats.cpu.user.ticks | CPU ticks in user space. | long | counter |
+| awsfargate.task_stats.diskio.read.bytes | Bytes read during the life of the container | long | counter |
+| awsfargate.task_stats.diskio.read.ops | Number of reads during the life of the container | long | counter |
+| awsfargate.task_stats.diskio.read.queued | Total number of queued requests | long | counter |
+| awsfargate.task_stats.diskio.read.rate | Number of current reads per second | long | gauge |
+| awsfargate.task_stats.diskio.read.service_time | Total time to service IO requests, in nanoseconds | long | counter |
+| awsfargate.task_stats.diskio.read.wait_time | Total time requests spent waiting in queues for service, in nanoseconds | long | counter |
+| awsfargate.task_stats.diskio.reads | Number of current reads per second | scaled_float | gauge |
+| awsfargate.task_stats.diskio.summary.bytes | Bytes read and written during the life of the container | long | counter |
+| awsfargate.task_stats.diskio.summary.ops | Number of I/O operations during the life of the container | long | counter |
+| awsfargate.task_stats.diskio.summary.queued | Total number of queued requests | long | counter |
+| awsfargate.task_stats.diskio.summary.rate | Number of current operations per second | long | gauge |
+| awsfargate.task_stats.diskio.summary.service_time | Total time to service IO requests, in nanoseconds | long | counter |
+| awsfargate.task_stats.diskio.summary.wait_time | Total time requests spent waiting in queues for service, in nanoseconds | long | counter |
+| awsfargate.task_stats.diskio.total | Number of reads and writes per second | scaled_float | gauge |
+| awsfargate.task_stats.diskio.write.bytes | Bytes written during the life of the container | long | counter |
+| awsfargate.task_stats.diskio.write.ops | Number of writes during the life of the container | long | counter |
+| awsfargate.task_stats.diskio.write.queued | Total number of queued requests | long | counter |
+| awsfargate.task_stats.diskio.write.rate | Number of current writes per second | long | gauge |
+| awsfargate.task_stats.diskio.write.service_time | Total time to service IO requests, in nanoseconds | long | counter |
+| awsfargate.task_stats.diskio.write.wait_time | Total time requests spent waiting in queues for service, in nanoseconds | long | counter |
+| awsfargate.task_stats.diskio.writes | Number of current writes per second | scaled_float | gauge |
+| awsfargate.task_stats.identifier | Container identifier across tasks and clusters, which equals to container.name + '/' + container.id. | keyword | |
+| awsfargate.task_stats.memory.commit.peak | Peak committed bytes on Windows | long | counter |
+| awsfargate.task_stats.memory.commit.total | Total bytes | long | counter |
+| awsfargate.task_stats.memory.fail.count | Fail counter. | scaled_float | counter |
+| awsfargate.task_stats.memory.limit | Memory limit. | long | gauge |
+| awsfargate.task_stats.memory.private_working_set.total | Private working sets on Windows | long | gauge |
+| awsfargate.task_stats.memory.rss.pct | Memory resident set size percentage. | scaled_float | gauge |
+| awsfargate.task_stats.memory.rss.total | Total memory resident set size. | long | gauge |
+| awsfargate.task_stats.memory.rss.usage.max | Max memory usage. | long | counter |
+| awsfargate.task_stats.memory.rss.usage.pct | Memory usage percentage. | scaled_float | gauge |
+| awsfargate.task_stats.memory.rss.usage.total | Total memory usage. | long | gauge |
+| awsfargate.task_stats.memory.stats.\* | Raw memory stats from the cgroups memory.stat interface | object | |
+| awsfargate.task_stats.memory.usage.max | Max memory usage. | long | counter |
+| awsfargate.task_stats.memory.usage.pct | Memory usage percentage. | scaled_float | gauge |
+| awsfargate.task_stats.memory.usage.total | Total memory usage. | long | gauge |
+| awsfargate.task_stats.network.\*.inbound.bytes | Total number of incoming bytes. | long | counter |
+| awsfargate.task_stats.network.\*.inbound.dropped | Total number of dropped incoming packets. | long | counter |
+| awsfargate.task_stats.network.\*.inbound.errors | Total errors on incoming packets. | long | counter |
+| awsfargate.task_stats.network.\*.inbound.packets | Total number of incoming packets. | long | counter |
+| awsfargate.task_stats.network.\*.outbound.bytes | Total number of incoming bytes. | long | counter |
+| awsfargate.task_stats.network.\*.outbound.dropped | Total number of dropped incoming packets. | long | counter |
+| awsfargate.task_stats.network.\*.outbound.errors | Total errors on incoming packets. | long | counter |
+| awsfargate.task_stats.network.\*.outbound.packets | Total number of incoming packets. | long | counter |
+| awsfargate.task_stats.task_desired_status | The desired status for the task from Amazon ECS. | keyword | |
+| awsfargate.task_stats.task_known_status | The known status for the task from Amazon ECS. | keyword | |
+| awsfargate.task_stats.task_name | ECS task name | keyword | |
+| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | |
+| container | Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. | group | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels.com_amazonaws_ecs_cluster | ECS Cluster name | keyword | |
+| container.labels.com_amazonaws_ecs_container-name | ECS container name | keyword | |
+| container.labels.com_amazonaws_ecs_task-arn | ECS task ARN | keyword | |
+| container.labels.com_amazonaws_ecs_task-definition-family | ECS task definition family | keyword | |
+| container.labels.com_amazonaws_ecs_task-definition-version | ECS task definition version | keyword | |
+| container.name | Container name. | keyword | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | |
+| error.message | Error message. | match_only_text | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
An example event for `task_stats` looks as following:
diff --git a/packages/awsfargate/img/awsfargate-integration-overview.png b/packages/awsfargate/img/awsfargate-integration-overview.png
index 90a1f7bf5f3..79e79267004 100644
Binary files a/packages/awsfargate/img/awsfargate-integration-overview.png and b/packages/awsfargate/img/awsfargate-integration-overview.png differ
diff --git a/packages/awsfargate/kibana/dashboard/awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63.json b/packages/awsfargate/kibana/dashboard/awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63.json
index 12ee10a56f1..16271ba9b23 100644
--- a/packages/awsfargate/kibana/dashboard/awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63.json
+++ b/packages/awsfargate/kibana/dashboard/awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63.json
@@ -1,1194 +1,1107 @@
{
- "id": "awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2022-12-06T18:13:42.072Z",
- "version": "WzU5MCwxXQ==",
- "attributes": {
- "description": "Overview of AWS Fargate Metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "optionsJSON": {
- "hidePanelTitles": false,
- "useMargins": true
- },
- "panelsJSON": [
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "title": "ECS Task Filter [Metrics AWSFargate]",
- "description": "",
- "uiState": {},
- "params": {
- "controls": [
- {
- "fieldName": "cloud.region",
- "id": "1607442436907",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Region Name",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "awsfargate.task_stats.cluster_name",
- "id": "1607442399749",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Cluster Name",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "container.labels.com_amazonaws_ecs_task-definition-family",
- "id": "1606248025028",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "Task Name",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": false,
- "useTimeFilter": false
- },
- "type": "input_control_vis",
- "data": {
- "aggs": [],
- "searchSource": {
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"ee100059-0e56-4e9b-ae09-ff53234bdf8c\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"Region Name\",\"id\":\"ee100059-0e56-4e9b-ae09-ff53234bdf8c\",\"enhancements\":{}}},\"e967cd1f-7491-4e72-8d63-23fcef40b9cc\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"awsfargate.task_stats.cluster_name\",\"title\":\"Cluster Name\",\"id\":\"e967cd1f-7491-4e72-8d63-23fcef40b9cc\",\"enhancements\":{}}},\"b2adcf17-72de-46e8-87b1-94c16c399bf0\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"container.labels.com_amazonaws_ecs_task-definition-family\",\"title\":\"Task Name\",\"id\":\"b2adcf17-72de-46e8-87b1-94c16c399bf0\",\"enhancements\":{}}}}"
+ },
+ "description": "Overview of AWS Fargate Metrics",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
"filter": [],
"query": {
- "language": "kuery",
- "query": ""
+ "language": "kuery",
+ "query": ""
}
- }
}
- }
},
- "gridData": {
- "h": 14,
- "i": "2429ae11-ccb3-4016-b18d-c88140e29f67",
- "w": 9,
- "x": 0,
- "y": 0
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "useMargins": true
},
- "panelIndex": "2429ae11-ccb3-4016-b18d-c88140e29f67",
- "title": "ECS Task Filter",
- "type": "visualization",
- "version": "8.0.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "attributes": {
- "description": "",
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "e350c9e6-e6b7-40f1-83ed-94a38ed9467a": {
- "columnOrder": [
- "040803fd-23f9-4f4f-95da-e8be99becbc1",
- "eb452b61-bf12-46c0-afae-c0f1c776156c",
- "b1e08425-6a1e-4db6-bb47-a65167b7e14f",
- "09de0d9e-c174-46cf-bdc8-50158475b4a7",
- "e0782143-0636-43b4-8fac-b857ea5282b2",
- "7626706b-6efa-4fe7-b45c-6e9afa07f982",
- "441ceb32-53e7-4408-9638-6dfd38202144"
- ],
- "columns": {
- "040803fd-23f9-4f4f-95da-e8be99becbc1": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Task Name",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "type": "alphabetical"
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
},
- "orderDirection": "asc",
- "size": 20,
- "parentFormat": {
- "id": "terms"
- }
- },
- "scale": "ordinal",
- "sourceField": "container.labels.com_amazonaws_ecs_task-definition-family"
- },
- "09de0d9e-c174-46cf-bdc8-50158475b4a7": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "CPU",
- "operationType": "average",
- "params": {
- "format": {
- "id": "percent",
- "params": {
- "decimals": 3
- }
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
+ "type": "index-pattern"
}
- },
- "scale": "ratio",
- "sourceField": "awsfargate.task_stats.cpu.total.norm.pct"
- },
- "441ceb32-53e7-4408-9638-6dfd38202144": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Memory",
- "operationType": "average",
- "params": {
- "format": {
- "id": "percent",
- "params": {
- "decimals": 3
- }
- }
- },
- "scale": "ratio",
- "sourceField": "awsfargate.task_stats.memory.usage.pct"
- },
- "7626706b-6efa-4fe7-b45c-6e9afa07f982": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Memory Usage",
- "operationType": "average",
- "params": {
- "format": {
- "id": "bytes",
- "params": {
- "decimals": 2
- }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "e350c9e6-e6b7-40f1-83ed-94a38ed9467a": {
+ "columnOrder": [
+ "040803fd-23f9-4f4f-95da-e8be99becbc1",
+ "eb452b61-bf12-46c0-afae-c0f1c776156c",
+ "b1e08425-6a1e-4db6-bb47-a65167b7e14f",
+ "09de0d9e-c174-46cf-bdc8-50158475b4a7",
+ "e0782143-0636-43b4-8fac-b857ea5282b2",
+ "7626706b-6efa-4fe7-b45c-6e9afa07f982",
+ "441ceb32-53e7-4408-9638-6dfd38202144"
+ ],
+ "columns": {
+ "040803fd-23f9-4f4f-95da-e8be99becbc1": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Task Name",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "asc",
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "container.labels.com_amazonaws_ecs_task-definition-family"
+ },
+ "09de0d9e-c174-46cf-bdc8-50158475b4a7": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "CPU",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 3
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "awsfargate.task_stats.cpu.total.norm.pct"
+ },
+ "441ceb32-53e7-4408-9638-6dfd38202144": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Memory",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 3
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "awsfargate.task_stats.memory.usage.pct"
+ },
+ "7626706b-6efa-4fe7-b45c-6e9afa07f982": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Memory Usage",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "awsfargate.task_stats.memory.usage.total"
+ },
+ "b1e08425-6a1e-4db6-bb47-a65167b7e14f": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "ECS Cluster ARN",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "asc",
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "container.labels.com_amazonaws_ecs_cluster"
+ },
+ "e0782143-0636-43b4-8fac-b857ea5282b2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "DiskIO",
+ "operationType": "average",
+ "scale": "ratio",
+ "sourceField": "awsfargate.task_stats.diskio.total"
+ },
+ "eb452b61-bf12-46c0-afae-c0f1c776156c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Container Name",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "asc",
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "container.name"
+ }
+ }
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "eb452b61-bf12-46c0-afae-c0f1c776156c"
+ },
+ {
+ "columnId": "040803fd-23f9-4f4f-95da-e8be99becbc1"
+ },
+ {
+ "columnId": "b1e08425-6a1e-4db6-bb47-a65167b7e14f"
+ },
+ {
+ "columnId": "09de0d9e-c174-46cf-bdc8-50158475b4a7"
+ },
+ {
+ "columnId": "e0782143-0636-43b4-8fac-b857ea5282b2"
+ },
+ {
+ "columnId": "7626706b-6efa-4fe7-b45c-6e9afa07f982"
+ },
+ {
+ "columnId": "441ceb32-53e7-4408-9638-6dfd38202144"
+ }
+ ],
+ "layerId": "e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
+ "layerType": "data",
+ "rowHeight": "single",
+ "rowHeightLines": 1
}
- },
- "scale": "ratio",
- "sourceField": "awsfargate.task_stats.memory.usage.total"
},
- "b1e08425-6a1e-4db6-bb47-a65167b7e14f": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "ECS Cluster ARN",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "type": "alphabetical"
+ "title": "Container Table [Metrics AWSFargate]",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "735a25cb-f781-4a8b-99e6-2adf582f8a37",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "735a25cb-f781-4a8b-99e6-2adf582f8a37",
+ "title": "Containers",
+ "type": "lens",
+ "version": "8.3.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
},
- "orderDirection": "asc",
- "size": 20,
- "parentFormat": {
- "id": "terms"
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-450490b7-c7f9-42bf-8e7d-227cbf960e94",
+ "type": "index-pattern"
}
- },
- "scale": "ordinal",
- "sourceField": "container.labels.com_amazonaws_ecs_cluster"
- },
- "e0782143-0636-43b4-8fac-b857ea5282b2": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "DiskIO",
- "operationType": "average",
- "scale": "ratio",
- "sourceField": "awsfargate.task_stats.diskio.total"
- },
- "eb452b61-bf12-46c0-afae-c0f1c776156c": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Container Name",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "type": "alphabetical"
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "450490b7-c7f9-42bf-8e7d-227cbf960e94": {
+ "columnOrder": [
+ "b20aebaf-7126-4b1c-acca-79cfa113b44d",
+ "915eda3d-00ce-40d0-ada8-4eb372202b42"
+ ],
+ "columns": {
+ "915eda3d-00ce-40d0-ada8-4eb372202b42": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Unique count of container.id",
+ "operationType": "unique_count",
+ "scale": "ratio",
+ "sourceField": "container.id"
+ },
+ "b20aebaf-7126-4b1c-acca-79cfa113b44d": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ }
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "orderDirection": "asc",
- "size": 20,
- "parentFormat": {
- "id": "terms"
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "915eda3d-00ce-40d0-ada8-4eb372202b42"
+ ],
+ "layerId": "450490b7-c7f9-42bf-8e7d-227cbf960e94",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "b20aebaf-7126-4b1c-acca-79cfa113b44d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ }
}
- },
- "scale": "ordinal",
- "sourceField": "container.name"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "columns": [
- {
- "columnId": "eb452b61-bf12-46c0-afae-c0f1c776156c"
- },
- {
- "columnId": "040803fd-23f9-4f4f-95da-e8be99becbc1"
- },
- {
- "columnId": "b1e08425-6a1e-4db6-bb47-a65167b7e14f"
- },
- {
- "columnId": "09de0d9e-c174-46cf-bdc8-50158475b4a7"
- },
- {
- "columnId": "e0782143-0636-43b4-8fac-b857ea5282b2"
- },
- {
- "columnId": "7626706b-6efa-4fe7-b45c-6e9afa07f982"
- },
- {
- "columnId": "441ceb32-53e7-4408-9638-6dfd38202144"
- }
- ],
- "layerId": "e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
- "layerType": "data"
- }
- },
- "title": "Container Table [Metrics AWSFargate]",
- "visualizationType": "lnsDatatable",
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
- "type": "index-pattern"
- }
- ]
- }
- },
- "gridData": {
- "h": 14,
- "i": "735a25cb-f781-4a8b-99e6-2adf582f8a37",
- "w": 39,
- "x": 9,
- "y": 0
- },
- "panelIndex": "735a25cb-f781-4a8b-99e6-2adf582f8a37",
- "title": "Containers",
- "type": "lens",
- "version": "8.1.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "attributes": {
- "description": "",
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "450490b7-c7f9-42bf-8e7d-227cbf960e94": {
- "columnOrder": [
- "b20aebaf-7126-4b1c-acca-79cfa113b44d",
- "915eda3d-00ce-40d0-ada8-4eb372202b42"
- ],
- "columns": {
- "915eda3d-00ce-40d0-ada8-4eb372202b42": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Unique count of container.id",
- "operationType": "unique_count",
- "scale": "ratio",
- "sourceField": "container.id"
},
- "b20aebaf-7126-4b1c-acca-79cfa113b44d": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "interval": "auto"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "fittingFunction": "None",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
+ "title": "Total Number of Containers [Metrics AWSFargate]",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "layers": [
- {
- "accessors": [
- "915eda3d-00ce-40d0-ada8-4eb372202b42"
- ],
- "layerId": "450490b7-c7f9-42bf-8e7d-227cbf960e94",
- "position": "top",
- "seriesType": "bar_stacked",
- "showGridlines": false,
- "xAccessor": "b20aebaf-7126-4b1c-acca-79cfa113b44d",
- "layerType": "data"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
+ "gridData": {
+ "h": 15,
+ "i": "5d4537e8-9aee-47e6-8580-1961d8a3a38e",
+ "w": 24,
+ "x": 0,
+ "y": 14
},
- "preferredSeriesType": "bar_stacked",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- }
- }
+ "panelIndex": "5d4537e8-9aee-47e6-8580-1961d8a3a38e",
+ "title": "Total Number of Containers",
+ "type": "lens",
+ "version": "8.3.0"
},
- "title": "Total Number of Containers [Metrics AWSFargate]",
- "visualizationType": "lnsXY",
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-450490b7-c7f9-42bf-8e7d-227cbf960e94",
- "type": "index-pattern"
- }
- ]
- }
- },
- "gridData": {
- "h": 15,
- "i": "5d4537e8-9aee-47e6-8580-1961d8a3a38e",
- "w": 24,
- "x": 0,
- "y": 14
- },
- "panelIndex": "5d4537e8-9aee-47e6-8580-1961d8a3a38e",
- "title": "Total Number of Containers",
- "type": "lens",
- "version": "8.1.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "attributes": {
- "description": "",
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "82f43ff6-6ac1-4f73-b532-61b6b9fe15b0": {
- "columnOrder": [
- "e139ccbc-54ff-4921-b345-e3c3ff6a9efc",
- "d7b9836e-d606-4aab-b2d8-44cbc726a950"
- ],
- "columns": {
- "d7b9836e-d606-4aab-b2d8-44cbc726a950": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "CPU Utilization",
- "operationType": "average",
- "params": {
- "format": {
- "id": "percent",
- "params": {
- "decimals": 2
- }
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-82f43ff6-6ac1-4f73-b532-61b6b9fe15b0",
+ "type": "index-pattern"
}
- },
- "scale": "ratio",
- "sourceField": "awsfargate.task_stats.cpu.total.norm.pct"
- },
- "e139ccbc-54ff-4921-b345-e3c3ff6a9efc": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Cluster Name",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "d7b9836e-d606-4aab-b2d8-44cbc726a950",
- "type": "column"
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "82f43ff6-6ac1-4f73-b532-61b6b9fe15b0": {
+ "columnOrder": [
+ "e139ccbc-54ff-4921-b345-e3c3ff6a9efc",
+ "d7b9836e-d606-4aab-b2d8-44cbc726a950"
+ ],
+ "columns": {
+ "d7b9836e-d606-4aab-b2d8-44cbc726a950": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "CPU Utilization",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "awsfargate.task_stats.cpu.total.norm.pct"
+ },
+ "e139ccbc-54ff-4921-b345-e3c3ff6a9efc": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Cluster Name",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "columnId": "d7b9836e-d606-4aab-b2d8-44cbc726a950",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "awsfargate.task_stats.cluster_name"
+ }
+ }
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "orderDirection": "desc",
- "size": 20,
- "parentFormat": {
- "id": "terms"
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "d7b9836e-d606-4aab-b2d8-44cbc726a950"
+ ],
+ "layerId": "82f43ff6-6ac1-4f73-b532-61b6b9fe15b0",
+ "layerType": "data",
+ "seriesType": "bar_horizontal",
+ "xAccessor": "e139ccbc-54ff-4921-b345-e3c3ff6a9efc"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ }
}
- },
- "scale": "ordinal",
- "sourceField": "awsfargate.task_stats.cluster_name"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "fittingFunction": "None",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
+ },
+ "title": "CPU Utilization Per Cluster [Metrics AWSFargate]",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "layers": [
- {
- "accessors": [
- "d7b9836e-d606-4aab-b2d8-44cbc726a950"
- ],
- "layerId": "82f43ff6-6ac1-4f73-b532-61b6b9fe15b0",
- "seriesType": "bar_horizontal",
- "xAccessor": "e139ccbc-54ff-4921-b345-e3c3ff6a9efc",
- "layerType": "data"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
+ "gridData": {
+ "h": 15,
+ "i": "d3c9208e-c699-4514-a091-a731d28ab9af",
+ "w": 24,
+ "x": 24,
+ "y": 14
},
- "preferredSeriesType": "bar_horizontal",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- }
- }
+ "panelIndex": "d3c9208e-c699-4514-a091-a731d28ab9af",
+ "title": "CPU Utilization Per Cluster",
+ "type": "lens",
+ "version": "8.3.0"
},
- "title": "CPU Utilization Per Cluster [Metrics AWSFargate]",
- "visualizationType": "lnsXY",
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-82f43ff6-6ac1-4f73-b532-61b6b9fe15b0",
- "type": "index-pattern"
- }
- ]
- }
- },
- "gridData": {
- "h": 15,
- "i": "d3c9208e-c699-4514-a091-a731d28ab9af",
- "w": 24,
- "x": 24,
- "y": 14
- },
- "panelIndex": "d3c9208e-c699-4514-a091-a731d28ab9af",
- "title": "CPU Utilization Per Cluster",
- "type": "lens",
- "version": "8.1.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "attributes": {
- "description": "",
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "e350c9e6-e6b7-40f1-83ed-94a38ed9467a": {
- "columnOrder": [
- "55121be2-80f6-407c-9352-3e13705ac860",
- "eb452b61-bf12-46c0-afae-c0f1c776156c",
- "5b846eff-5ca7-45b0-b4c2-0346e9986302"
- ],
- "columns": {
- "55121be2-80f6-407c-9352-3e13705ac860": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "interval": "10s"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "5b846eff-5ca7-45b0-b4c2-0346e9986302": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Container Memory Usage Pct",
- "operationType": "average",
- "params": {
- "format": {
- "id": "percent",
- "params": {
- "decimals": 2
- }
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
+ "type": "index-pattern"
}
- },
- "scale": "ratio",
- "sourceField": "awsfargate.task_stats.memory.usage.pct"
- },
- "eb452b61-bf12-46c0-afae-c0f1c776156c": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "container identifier",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "5b846eff-5ca7-45b0-b4c2-0346e9986302",
- "type": "column"
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "e350c9e6-e6b7-40f1-83ed-94a38ed9467a": {
+ "columnOrder": [
+ "55121be2-80f6-407c-9352-3e13705ac860",
+ "eb452b61-bf12-46c0-afae-c0f1c776156c",
+ "5b846eff-5ca7-45b0-b4c2-0346e9986302"
+ ],
+ "columns": {
+ "55121be2-80f6-407c-9352-3e13705ac860": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "10s"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "5b846eff-5ca7-45b0-b4c2-0346e9986302": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Container Memory Usage Pct",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "awsfargate.task_stats.memory.usage.pct"
+ },
+ "eb452b61-bf12-46c0-afae-c0f1c776156c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "container identifier",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "columnId": "5b846eff-5ca7-45b0-b4c2-0346e9986302",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "awsfargate.task_stats.identifier"
+ }
+ }
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "orderDirection": "desc",
- "size": 20,
- "parentFormat": {
- "id": "terms"
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "5b846eff-5ca7-45b0-b4c2-0346e9986302"
+ ],
+ "layerId": "e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "eb452b61-bf12-46c0-afae-c0f1c776156c",
+ "xAccessor": "55121be2-80f6-407c-9352-3e13705ac860"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ }
}
- },
- "scale": "ordinal",
- "sourceField": "awsfargate.task_stats.identifier"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "fittingFunction": "None",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
+ },
+ "title": "Container Memory Usage Pct [Metrics AWSFargate]",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "layers": [
- {
- "accessors": [
- "5b846eff-5ca7-45b0-b4c2-0346e9986302"
- ],
- "layerId": "e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
- "position": "top",
- "seriesType": "line",
- "showGridlines": false,
- "splitAccessor": "eb452b61-bf12-46c0-afae-c0f1c776156c",
- "xAccessor": "55121be2-80f6-407c-9352-3e13705ac860",
- "layerType": "data"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
+ "gridData": {
+ "h": 15,
+ "i": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7",
+ "w": 24,
+ "x": 0,
+ "y": 29
},
- "preferredSeriesType": "line",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- }
- }
+ "panelIndex": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7",
+ "title": "Container Memory Usage Pct",
+ "type": "lens",
+ "version": "8.3.0"
},
- "title": "Container Memory Usage Pct [Metrics AWSFargate]",
- "visualizationType": "lnsXY",
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
- "type": "index-pattern"
- }
- ]
- }
- },
- "gridData": {
- "h": 15,
- "i": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7",
- "w": 24,
- "x": 0,
- "y": 29
- },
- "panelIndex": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7",
- "title": "Container Memory Usage Pct",
- "type": "lens",
- "version": "8.1.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "attributes": {
- "description": "",
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "c8d70f88-6554-41ca-ac1e-a3cf8b992972": {
- "columnOrder": [
- "0505d890-632e-4434-a68f-f019e7893eaf",
- "989ce63a-7fcd-4c83-980b-d595a1dd2469",
- "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b"
- ],
- "columns": {
- "0505d890-632e-4434-a68f-f019e7893eaf": {
- "dataType": "string",
- "isBucketed": true,
- "label": "Top values of awsfargate.task_stats.identifier",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b",
- "type": "column"
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
},
- "orderDirection": "desc",
- "size": 20,
- "parentFormat": {
- "id": "terms"
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-0749cbce-4a88-471d-9715-9f4f54510864",
+ "type": "index-pattern"
}
- },
- "scale": "ordinal",
- "sourceField": "awsfargate.task_stats.identifier"
- },
- "989ce63a-7fcd-4c83-980b-d595a1dd2469": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "interval": "auto"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "DiskIO Write",
- "operationType": "average",
- "params": {
- "format": {
- "id": "bytes",
- "params": {
- "decimals": 2
- }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "0749cbce-4a88-471d-9715-9f4f54510864": {
+ "columnOrder": [
+ "35481ca7-cebb-495c-974f-34ede5f3935c",
+ "33d4857c-800a-4854-9369-dbf019501bdd",
+ "ec425562-fe79-4326-b753-20b408c806fb"
+ ],
+ "columns": {
+ "33d4857c-800a-4854-9369-dbf019501bdd": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Container Identifier",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "columnId": "ec425562-fe79-4326-b753-20b408c806fb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "awsfargate.task_stats.identifier"
+ },
+ "35481ca7-cebb-495c-974f-34ede5f3935c": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "10s"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ec425562-fe79-4326-b753-20b408c806fb": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Container CPU Total Norm Pct",
+ "operationType": "average",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "awsfargate.task_stats.cpu.total.norm.pct"
+ }
+ }
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "fittingFunction": "None",
+ "layers": [
+ {
+ "accessors": [
+ "ec425562-fe79-4326-b753-20b408c806fb"
+ ],
+ "layerId": "0749cbce-4a88-471d-9715-9f4f54510864",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "33d4857c-800a-4854-9369-dbf019501bdd",
+ "xAccessor": "35481ca7-cebb-495c-974f-34ede5f3935c"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "line"
}
- },
- "scale": "ratio",
- "sourceField": "awsfargate.task_stats.diskio.write.bytes"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "fittingFunction": "None",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
+ },
+ "title": "Container CPU Total Norm Pct [Metrics AWSFargate]",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "layers": [
- {
- "accessors": [
- "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b"
- ],
- "layerId": "c8d70f88-6554-41ca-ac1e-a3cf8b992972",
- "position": "top",
- "seriesType": "line",
- "showGridlines": false,
- "splitAccessor": "0505d890-632e-4434-a68f-f019e7893eaf",
- "xAccessor": "989ce63a-7fcd-4c83-980b-d595a1dd2469",
- "layerType": "data"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
+ "gridData": {
+ "h": 15,
+ "i": "a7a6e425-98fd-4210-b3d5-005268be6274",
+ "w": 24,
+ "x": 24,
+ "y": 29
},
- "preferredSeriesType": "line",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- }
- }
+ "panelIndex": "a7a6e425-98fd-4210-b3d5-005268be6274",
+ "title": "Container CPU Total Norm Pct",
+ "type": "lens",
+ "version": "8.3.0"
},
- "title": "DiskIO Write [Metrics AWSFargate]",
- "visualizationType": "lnsXY",
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972",
- "type": "index-pattern"
- }
- ]
- }
- },
- "gridData": {
- "h": 15,
- "i": "89b0cd8b-13d9-4a43-8f93-3410aff125c3",
- "w": 24,
- "x": 24,
- "y": 44
- },
- "panelIndex": "89b0cd8b-13d9-4a43-8f93-3410aff125c3",
- "title": "DiskIO Write",
- "type": "lens",
- "version": "8.1.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "attributes": {
- "description": "",
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "c8d70f88-6554-41ca-ac1e-a3cf8b992972": {
- "columnOrder": [
- "0505d890-632e-4434-a68f-f019e7893eaf",
- "989ce63a-7fcd-4c83-980b-d595a1dd2469",
- "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b"
- ],
- "columns": {
- "0505d890-632e-4434-a68f-f019e7893eaf": {
- "dataType": "string",
- "isBucketed": true,
- "label": "Top values of awsfargate.task_stats.identifier",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b",
- "type": "column"
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "c8d70f88-6554-41ca-ac1e-a3cf8b992972": {
+ "columnOrder": [
+ "0505d890-632e-4434-a68f-f019e7893eaf",
+ "989ce63a-7fcd-4c83-980b-d595a1dd2469",
+ "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b"
+ ],
+ "columns": {
+ "0505d890-632e-4434-a68f-f019e7893eaf": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top values of awsfargate.task_stats.identifier",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "columnId": "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "awsfargate.task_stats.identifier"
+ },
+ "989ce63a-7fcd-4c83-980b-d595a1dd2469": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "DiskIO Read",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "awsfargate.task_stats.diskio.read.bytes"
+ }
+ }
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "orderDirection": "desc",
- "size": 20,
- "parentFormat": {
- "id": "terms"
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b"
+ ],
+ "layerId": "c8d70f88-6554-41ca-ac1e-a3cf8b992972",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "0505d890-632e-4434-a68f-f019e7893eaf",
+ "xAccessor": "989ce63a-7fcd-4c83-980b-d595a1dd2469"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ }
}
- },
- "scale": "ordinal",
- "sourceField": "awsfargate.task_stats.identifier"
},
- "989ce63a-7fcd-4c83-980b-d595a1dd2469": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "interval": "auto"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "DiskIO Read",
- "operationType": "average",
- "params": {
- "format": {
- "id": "bytes",
- "params": {
- "decimals": 2
- }
- }
- },
- "scale": "ratio",
- "sourceField": "awsfargate.task_stats.diskio.read.bytes"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "fittingFunction": "None",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
+ "title": "DiskIO Read [Metrics AWSFargate]",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "layers": [
- {
- "accessors": [
- "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b"
- ],
- "layerId": "c8d70f88-6554-41ca-ac1e-a3cf8b992972",
- "position": "top",
- "seriesType": "line",
- "showGridlines": false,
- "splitAccessor": "0505d890-632e-4434-a68f-f019e7893eaf",
- "xAccessor": "989ce63a-7fcd-4c83-980b-d595a1dd2469",
- "layerType": "data"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
+ "gridData": {
+ "h": 15,
+ "i": "d7a6623a-14cf-411c-ab73-ded3734a359b",
+ "w": 24,
+ "x": 0,
+ "y": 44
},
- "preferredSeriesType": "line",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- }
- }
+ "panelIndex": "d7a6623a-14cf-411c-ab73-ded3734a359b",
+ "title": "DiskIO Read",
+ "type": "lens",
+ "version": "8.3.0"
},
- "title": "DiskIO Read [Metrics AWSFargate]",
- "visualizationType": "lnsXY",
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972",
- "type": "index-pattern"
- }
- ]
- }
- },
- "gridData": {
- "h": 15,
- "i": "d7a6623a-14cf-411c-ab73-ded3734a359b",
- "w": 24,
- "x": 0,
- "y": 44
- },
- "panelIndex": "d7a6623a-14cf-411c-ab73-ded3734a359b",
- "title": "DiskIO Read",
- "type": "lens",
- "version": "8.1.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "attributes": {
- "description": "",
- "state": {
- "datasourceStates": {
- "indexpattern": {
- "layers": {
- "0749cbce-4a88-471d-9715-9f4f54510864": {
- "columnOrder": [
- "35481ca7-cebb-495c-974f-34ede5f3935c",
- "33d4857c-800a-4854-9369-dbf019501bdd",
- "ec425562-fe79-4326-b753-20b408c806fb"
- ],
- "columns": {
- "33d4857c-800a-4854-9369-dbf019501bdd": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Container Identifier",
- "operationType": "terms",
- "params": {
- "orderBy": {
- "columnId": "ec425562-fe79-4326-b753-20b408c806fb",
- "type": "column"
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "c8d70f88-6554-41ca-ac1e-a3cf8b992972": {
+ "columnOrder": [
+ "0505d890-632e-4434-a68f-f019e7893eaf",
+ "989ce63a-7fcd-4c83-980b-d595a1dd2469",
+ "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b"
+ ],
+ "columns": {
+ "0505d890-632e-4434-a68f-f019e7893eaf": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top values of awsfargate.task_stats.identifier",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "columnId": "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 20
+ },
+ "scale": "ordinal",
+ "sourceField": "awsfargate.task_stats.identifier"
+ },
+ "989ce63a-7fcd-4c83-980b-d595a1dd2469": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "DiskIO Write",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "awsfargate.task_stats.diskio.write.bytes"
+ }
+ }
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
},
- "orderDirection": "desc",
- "size": 20,
- "parentFormat": {
- "id": "terms"
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b"
+ ],
+ "layerId": "c8d70f88-6554-41ca-ac1e-a3cf8b992972",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "0505d890-632e-4434-a68f-f019e7893eaf",
+ "xAccessor": "989ce63a-7fcd-4c83-980b-d595a1dd2469"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ }
}
- },
- "scale": "ordinal",
- "sourceField": "awsfargate.task_stats.identifier"
},
- "35481ca7-cebb-495c-974f-34ede5f3935c": {
- "dataType": "date",
- "isBucketed": true,
- "label": "@timestamp",
- "operationType": "date_histogram",
- "params": {
- "interval": "10s"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "ec425562-fe79-4326-b753-20b408c806fb": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Container CPU Total Norm Pct",
- "operationType": "average",
- "params": {
- "format": {
- "id": "percent",
- "params": {
- "decimals": 2
- }
- }
- },
- "scale": "ratio",
- "sourceField": "awsfargate.task_stats.cpu.total.norm.pct"
- }
- }
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": ""
- },
- "visualization": {
- "fittingFunction": "None",
- "layers": [
- {
- "accessors": [
- "ec425562-fe79-4326-b753-20b408c806fb"
- ],
- "layerId": "0749cbce-4a88-471d-9715-9f4f54510864",
- "position": "top",
- "seriesType": "line",
- "showGridlines": false,
- "splitAccessor": "33d4857c-800a-4854-9369-dbf019501bdd",
- "xAccessor": "35481ca7-cebb-495c-974f-34ede5f3935c",
- "layerType": "data"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right"
+ "title": "DiskIO Write [Metrics AWSFargate]",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "preferredSeriesType": "line"
- }
- },
- "title": "Container CPU Total Norm Pct [Metrics AWSFargate]",
- "visualizationType": "lnsXY",
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-0749cbce-4a88-471d-9715-9f4f54510864",
- "type": "index-pattern"
- }
- ]
- }
+ "gridData": {
+ "h": 15,
+ "i": "89b0cd8b-13d9-4a43-8f93-3410aff125c3",
+ "w": 24,
+ "x": 24,
+ "y": 44
+ },
+ "panelIndex": "89b0cd8b-13d9-4a43-8f93-3410aff125c3",
+ "title": "DiskIO Write",
+ "type": "lens",
+ "version": "8.3.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[AWS Fargate] Fargate Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.3.0",
+ "id": "awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63",
+ "migrationVersion": {
+ "dashboard": "8.3.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "735a25cb-f781-4a8b-99e6-2adf582f8a37:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "735a25cb-f781-4a8b-99e6-2adf582f8a37:indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5d4537e8-9aee-47e6-8580-1961d8a3a38e:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5d4537e8-9aee-47e6-8580-1961d8a3a38e:indexpattern-datasource-layer-450490b7-c7f9-42bf-8e7d-227cbf960e94",
+ "type": "index-pattern"
},
- "gridData": {
- "h": 15,
- "i": "a7a6e425-98fd-4210-b3d5-005268be6274",
- "w": 24,
- "x": 24,
- "y": 29
+ {
+ "id": "metrics-*",
+ "name": "d3c9208e-c699-4514-a091-a731d28ab9af:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
},
- "panelIndex": "a7a6e425-98fd-4210-b3d5-005268be6274",
- "title": "Container CPU Total Norm Pct",
- "type": "lens",
- "version": "8.1.0"
- }
+ {
+ "id": "metrics-*",
+ "name": "d3c9208e-c699-4514-a091-a731d28ab9af:indexpattern-datasource-layer-82f43ff6-6ac1-4f73-b532-61b6b9fe15b0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7:indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "a7a6e425-98fd-4210-b3d5-005268be6274:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "a7a6e425-98fd-4210-b3d5-005268be6274:indexpattern-datasource-layer-0749cbce-4a88-471d-9715-9f4f54510864",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "d7a6623a-14cf-411c-ab73-ded3734a359b:indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "89b0cd8b-13d9-4a43-8f93-3410aff125c3:indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_ee100059-0e56-4e9b-ae09-ff53234bdf8c:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_e967cd1f-7491-4e72-8d63-23fcef40b9cc:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_b2adcf17-72de-46e8-87b1-94c16c399bf0:optionsListDataView",
+ "type": "index-pattern"
+ }
],
- "timeRestore": false,
- "title": "[AWS Fargate] Fargate Overview",
- "version": 1
- },
- "references": [
- {
- "type": "index-pattern",
- "name": "2429ae11-ccb3-4016-b18d-c88140e29f67:control_0_index_pattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "2429ae11-ccb3-4016-b18d-c88140e29f67:control_1_index_pattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "2429ae11-ccb3-4016-b18d-c88140e29f67:control_2_index_pattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "735a25cb-f781-4a8b-99e6-2adf582f8a37:indexpattern-datasource-current-indexpattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "735a25cb-f781-4a8b-99e6-2adf582f8a37:indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "5d4537e8-9aee-47e6-8580-1961d8a3a38e:indexpattern-datasource-current-indexpattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "5d4537e8-9aee-47e6-8580-1961d8a3a38e:indexpattern-datasource-layer-450490b7-c7f9-42bf-8e7d-227cbf960e94",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "d3c9208e-c699-4514-a091-a731d28ab9af:indexpattern-datasource-current-indexpattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "d3c9208e-c699-4514-a091-a731d28ab9af:indexpattern-datasource-layer-82f43ff6-6ac1-4f73-b532-61b6b9fe15b0",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7:indexpattern-datasource-current-indexpattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7:indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "89b0cd8b-13d9-4a43-8f93-3410aff125c3:indexpattern-datasource-current-indexpattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "89b0cd8b-13d9-4a43-8f93-3410aff125c3:indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "d7a6623a-14cf-411c-ab73-ded3734a359b:indexpattern-datasource-current-indexpattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "d7a6623a-14cf-411c-ab73-ded3734a359b:indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "a7a6e425-98fd-4210-b3d5-005268be6274:indexpattern-datasource-current-indexpattern",
- "id": "metrics-*"
- },
- {
- "type": "index-pattern",
- "name": "a7a6e425-98fd-4210-b3d5-005268be6274:indexpattern-datasource-layer-0749cbce-4a88-471d-9715-9f4f54510864",
- "id": "metrics-*"
- }
- ],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/awsfargate/manifest.yml b/packages/awsfargate/manifest.yml
index 8b80567b747..ce30db10ac3 100644
--- a/packages/awsfargate/manifest.yml
+++ b/packages/awsfargate/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: awsfargate
title: AWS Fargate
-version: 0.2.1
+version: 0.3.0
license: basic
description: Collects metrics from containers and tasks running on Amazon ECS clusters with Elastic Agent.
type: integration
@@ -10,7 +10,7 @@ categories:
- aws
release: beta
conditions:
- kibana.version: "^8.1.0"
+ kibana.version: "^8.8.0"
owner:
github: elastic/obs-cloud-monitoring
screenshots:
diff --git a/packages/awsfirehose/_dev/build/build.yml b/packages/awsfirehose/_dev/build/build.yml
new file mode 100644
index 00000000000..47cbed9fed8
--- /dev/null
+++ b/packages/awsfirehose/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v8.0.0
diff --git a/packages/awsfirehose/_dev/build/docs/README.md b/packages/awsfirehose/_dev/build/docs/README.md
new file mode 100644
index 00000000000..655f3c32885
--- /dev/null
+++ b/packages/awsfirehose/_dev/build/docs/README.md
@@ -0,0 +1,93 @@
+# Amazon Kinesis Data Firehose
+Amazon Kinesis Data Firehose integration offers users a way to stream logs from Firehose to Elastic Cloud.
+This integration includes predefined rules that automatically route AWS service logs to the respective integrations, which
+include field mappings, ingest pipelines, predefined dashboards and ect. Here is a list of log types that are supported
+by this integration:
+
+| AWS service log | Log destination |
+|--------------------|---------------------------|
+| API Gateway | CloudWatch |
+| CloudTrail | CloudWatch |
+| Network Firewall | Firehose, CloudWatch, S3 |
+| Route53 Public DNS | CloudWatch |
+| Route53 Resolver | Firehose, CloudWatch, S3 |
+| VPC Flow | Firehose, CloudWatch, S3 |
+| WAF | Firehose, CloudWatch |
+
+## Limitation
+It is not possible to configure a delivery stream to send data to Elastic Cloud via PrivateLink (VPC endpoint).
+This is a current limitation in Firehose, which we are working with AWS to resolve.
+
+## Instructions
+1. Install the relevant integrations in Kibana
+
+ In order to make the most of your data, install AWS integrations to load index templates, ingest pipelines, and
+ dashboards into Kibana. In Kibana, navigate to **Management** > **Integrations** in the sidebar.
+ Find the **AWS** integration by searching or browsing the catalog.
+
+ 
+
+ Navigate to the **Settings** tab and click **Install AWS assets**. Confirm by clicking **Install AWS** in the popup.
+
+ 
+
+2. Create a delivery stream in Amazon Kinesis Data Firehose
+
+ Sign into the AWS console and navigate to Amazon Kinesis. Click **Create delivery stream**.
+ Configure the delivery stream using the following settings:
+
+ 
+
+ **Choose source and destination**
+
+ Unless you are streaming data from Kinesis Data Streams, set source to Direct PUT (see Setup guide for more details on data sources).
+
+ Set destination to **Elastic**.
+
+ **Delivery stream name**
+
+ Provide a meaningful name that will allow you to identify this delivery stream later.
+
+ 
+
+ **Destination settings**
+
+ 1. Set **Elastic endpoint URL** to point to your Elasticsearch cluster running in Elastic Cloud.
+ This endpoint can be found in the Elastic Cloud console. An example is https://my-deployment-28u274.es.eu-west-1.aws.found.io.
+
+ 2. **API key** should be a Base64 encoded Elastic API key, which can be created in Kibana by following the
+ instructions under API Keys. If you are using an API key with “Restrict privileges”, be sure to review the Indices
+ privileges to provide at least "auto_configure" & "write" permissions for the indices you will be using with this
+ delivery stream.
+
+ 3. We recommend leaving **Content encoding** set to **GZIP** for improved network efficiency.
+
+ 4. **Retry duration** determines how long Firehose continues retrying the request in the event of an error.
+ A duration of 60-300s should be suitable for most use cases.
+
+ 5. Elastic requires a **Buffer size** of `1MiB` to avoid exceeding the Elasticsearch `http.max_content_length`
+ setting (typically 100MB) when the buffer is uncompressed.
+
+ 6. The default **Buffer interval** of `60s` is recommended to ensure data freshness in Elastic.
+
+ 7. **Parameters**
+
+ 1. Elastic recommends setting the `es_datastream_name` parameter to `logs-awsfirehose.logs-default` in order to
+ leverage the routing rules defined in this integration. If this parameter is not specified, data is sent to the
+ `logs-generic-default` data stream by default.
+ 
+
+ 2. The **include_cw_extracted_fields** parameter is optional and can be set when using a CloudWatch logs subscription
+ filter as the Firehose data source. When set to true, extracted fields generated by the filter pattern in the
+ subscription filter will be collected. Setting this parameter can add many fields into each record and may significantly
+ increase data volume in Elasticsearch. As such, use of this parameter should be carefully considered and used only when
+ the extracted fields are required for specific filtering and/or aggregation.
+
+ 3. The **include_event_original** field is optional and should only be used for debugging purposes. When set to `true`, each
+ log record will contain an additional field named `event.original`, which contains the raw (unprocessed) log message.
+ This parameter will increase the data volume in Elasticsearch and should be used with care.
+
+3. Send data to the Firehose delivery stream
+
+ Consult the [AWS documentation](https://docs.aws.amazon.com/firehose/latest/dev/basic-write.html) for details on how to
+ configure a variety of log sources to send data to Firehose delivery streams.
diff --git a/packages/awsfirehose/changelog.yml b/packages/awsfirehose/changelog.yml
new file mode 100644
index 00000000000..cb42a8a3062
--- /dev/null
+++ b/packages/awsfirehose/changelog.yml
@@ -0,0 +1,16 @@
+# newer versions go on top
+- version: 0.2.1
+ changes:
+ - description: Route WAF logs based on log format
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7836
+- version: 0.2.0
+ changes:
+ - description: Add support for routing api gateway logs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7701
+- version: 0.1.0
+ changes:
+ - description: initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7146
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-apigateway-log.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-apigateway-log.json
new file mode 100644
index 00000000000..510593b2812
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-apigateway-log.json
@@ -0,0 +1,58 @@
+{
+ "events": [
+ {
+ "cloud.region": "us-east-1",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:123456:deliverystream/firehose-apigateway-logs-to-elastic",
+ "data_stream.namespace": "default",
+ "aws.firehose.subscription_filters": "[apigateway-to-firehose]",
+ "message": "{\"requestId\":\"GQIVriFLIAMEMsA=\",\"ip\":\"1.128.0.0\",\"requestTime\":\"09/Jun/2023:12:54:08 +0000\",\"httpMethod\":\"GET\",\"routeKey\":\"GET /\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"47140\"}",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "971ae05f-a128-4a7f-b623-30f9bc513e55",
+ "aws.cloudwatch.log_stream": "6am6mj7iqf_.default-2023-07-25-21-04",
+ "cloud.provider": "aws",
+ "@timestamp": "2023-07-25T21:04:35Z",
+ "cloud.account.id": "123456",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "firehose-apigateway-logs-to-elastic",
+ "event.id": "37670326805251200781477669690942747782212394134076063744",
+ "aws.cloudwatch.log_group": "aws/api-gateway/test-HTTP"
+ },
+ {
+ "cloud.region": "us-east-1",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:123456:deliverystream/firehose-apigateway-logs-to-elastic",
+ "data_stream.namespace": "default",
+ "aws.firehose.subscription_filters": "[apigateway-to-firehose]",
+ "message": "{\"requestId\":\"Iq9gjE_aIAMFZTg=\",\"ip\":\"1.128.0.0\",\"caller\":\"-\",\"user\":\"-\",\"requestTime\":\"26/Jul/2023:12:20:44 +0000\",\"eventType\":\"CONNECT\",\"routeKey\":\"$connect\",\"status\":\"500\",\"connectionId\":\"Iq8gj1UmIAMCKpA=\",\"apiId\":\"z1ctxygne5\",\"stage\":\"production\",\"domainName\":\"z1ctxygne5.execute-api.us-east-1.amazonaws.com\"}",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "971ae05f-a128-4a7f-b623-30f9bc513e55",
+ "aws.cloudwatch.log_stream": "640eb3bb5f9b64a78b51fd67d59e53d1",
+ "cloud.provider": "aws",
+ "@timestamp": "2023-07-25T21:04:35Z",
+ "cloud.account.id": "123456",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "firehose-apigateway-logs-to-elastic",
+ "event.id": "37670326805251200781477669690942747782212394134076063744",
+ "aws.cloudwatch.log_group": "aws/api-gateway/test-websocket"
+ },
+ {
+ "cloud.region": "us-east-1",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:123456:deliverystream/firehose-apigateway-logs-to-elastic",
+ "data_stream.namespace": "default",
+ "aws.firehose.subscription_filters": "[apigateway-to-firehose]",
+ "message": "{\"requestId\":\"48752d0f-c99d-4cfa-a5a7-f3c6834d19e5\",\"ip\":\"1.128.0.0\",\"caller\":\"-\",\"user\":\"-\",\"requestTime\":\"10/Jun/2023:15:36:28 +0000\",\"httpMethod\":\"GET\",\"resourcePath\":\"/pets\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"184\"}",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "971ae05f-a128-4a7f-b623-30f9bc513e55",
+ "aws.cloudwatch.log_stream": "198fbff89762157ff651566b645c6730",
+ "cloud.provider": "aws",
+ "@timestamp": "2023-07-25T21:04:35Z",
+ "cloud.account.id": "123456",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "firehose-apigateway-logs-to-elastic",
+ "event.id": "37670326805251200781477669690942747782212394134076063744",
+ "aws.cloudwatch.log_group": "aws/api-gateway/test-REST"
+ }
+ ]
+}
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-apigateway-log.json-expected.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-apigateway-log.json-expected.json
new file mode 100644
index 00000000000..da13eb2384b
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-apigateway-log.json-expected.json
@@ -0,0 +1,76 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-07-25T21:04:35Z",
+ "aws.cloudwatch.log_group": "aws/api-gateway/test-HTTP",
+ "aws.cloudwatch.log_stream": "6am6mj7iqf_.default-2023-07-25-21-04",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:123456:deliverystream/firehose-apigateway-logs-to-elastic",
+ "aws.firehose.request_id": "971ae05f-a128-4a7f-b623-30f9bc513e55",
+ "aws.firehose.subscription_filters": "[apigateway-to-firehose]",
+ "aws.kinesis.name": "firehose-apigateway-logs-to-elastic",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "123456",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-1",
+ "data_stream.dataset": "aws.apigateway_logs",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event.id": "37670326805251200781477669690942747782212394134076063744",
+ "message": "{\"requestId\":\"GQIVriFLIAMEMsA=\",\"ip\":\"1.128.0.0\",\"requestTime\":\"09/Jun/2023:12:54:08 +0000\",\"httpMethod\":\"GET\",\"routeKey\":\"GET /\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"47140\"}"
+ },
+ {
+ "@timestamp": "2023-07-25T21:04:35Z",
+ "aws.cloudwatch.log_group": "aws/api-gateway/test-websocket",
+ "aws.cloudwatch.log_stream": "640eb3bb5f9b64a78b51fd67d59e53d1",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:123456:deliverystream/firehose-apigateway-logs-to-elastic",
+ "aws.firehose.request_id": "971ae05f-a128-4a7f-b623-30f9bc513e55",
+ "aws.firehose.subscription_filters": "[apigateway-to-firehose]",
+ "aws.kinesis.name": "firehose-apigateway-logs-to-elastic",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "123456",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-1",
+ "data_stream.dataset": "aws.apigateway_logs",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event.id": "37670326805251200781477669690942747782212394134076063744",
+ "message": "{\"requestId\":\"Iq9gjE_aIAMFZTg=\",\"ip\":\"1.128.0.0\",\"caller\":\"-\",\"user\":\"-\",\"requestTime\":\"26/Jul/2023:12:20:44 +0000\",\"eventType\":\"CONNECT\",\"routeKey\":\"$connect\",\"status\":\"500\",\"connectionId\":\"Iq8gj1UmIAMCKpA=\",\"apiId\":\"z1ctxygne5\",\"stage\":\"production\",\"domainName\":\"z1ctxygne5.execute-api.us-east-1.amazonaws.com\"}"
+ },
+ {
+ "@timestamp": "2023-07-25T21:04:35Z",
+ "aws.cloudwatch.log_group": "aws/api-gateway/test-REST",
+ "aws.cloudwatch.log_stream": "198fbff89762157ff651566b645c6730",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:123456:deliverystream/firehose-apigateway-logs-to-elastic",
+ "aws.firehose.request_id": "971ae05f-a128-4a7f-b623-30f9bc513e55",
+ "aws.firehose.subscription_filters": "[apigateway-to-firehose]",
+ "aws.kinesis.name": "firehose-apigateway-logs-to-elastic",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "123456",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-1",
+ "data_stream.dataset": "aws.apigateway_logs",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event.id": "37670326805251200781477669690942747782212394134076063744",
+ "message": "{\"requestId\":\"48752d0f-c99d-4cfa-a5a7-f3c6834d19e5\",\"ip\":\"1.128.0.0\",\"caller\":\"-\",\"user\":\"-\",\"requestTime\":\"10/Jun/2023:15:36:28 +0000\",\"httpMethod\":\"GET\",\"resourcePath\":\"/pets\",\"status\":\"200\",\"protocol\":\"HTTP/1.1\",\"responseLength\":\"184\"}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-cloudtrail-log.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-cloudtrail-log.json
new file mode 100644
index 00000000000..5e409d50d56
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-cloudtrail-log.json
@@ -0,0 +1,22 @@
+{
+ "events": [
+ {
+ "cloud.region": "us-east-2",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:123456:deliverystream/firehose-cloudtrail-logs-to-elastic",
+ "data_stream.namespace": "default",
+ "aws.firehose.subscription_filters": "[cloudtrail-to-firehose]",
+ "message": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"AWSService\",\"invokedBy\":\"cloudtrail.amazonaws.com\"},\"eventTime\":\"2023-07-17T21:02:26Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"AssumeRole\",\"awsRegion\":\"sa-east-1\",\"sourceIPAddress\":\"cloudtrail.amazonaws.com\",\"userAgent\":\"cloudtrail.amazonaws.com\",\"requestParameters\":{\"roleArn\":\"arn:aws:iam::123456:role/service-role/aws-cloudtrail-logs-123456-b888baff_Role\",\"roleSessionName\":\"CLOUDWATCH_LOGS_DELIVERY_SESSION\"},\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIAZEDJODE3A5LVGLFB\",\"sessionToken\":\"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\",\"expiration\":\"Jul 12, 2023, 10:02:26 PM\"},\"assumedRoleUser\":{\"assumedRoleId\":\"AROAZEDJODE3NLJAH2FZC:CLOUDWATCH_LOGS_DELIVERY_SESSION\",\"arn\":\"arn:aws:sts::123456:assumed-role/aws-cloudtrail-logs-123456-b888baff_Role/CLOUDWATCH_LOGS_DELIVERY_SESSION\"}},\"requestID\":\"041c9e5f-a031-47d2-a4a0-011bc8d5352c\",\"eventID\":\"3096b662-7aa9-43e6-8bee-541a45686745\",\"readOnly\":true,\"resources\":[{\"accountId\":\"123456\",\"type\":\"AWS::IAM::Role\",\"ARN\":\"arn:aws:iam::123456:role/service-role/aws-cloudtrail-logs-123456-b888baff_Role\"}],\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"123456\",\"sharedEventID\":\"a1c94275-884f-4c1f-b8dc-2e1bf4c94d29\",\"eventCategory\":\"Management\"}",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "971ae05f-a128-4a7f-b623-30f9bc513e55",
+ "aws.cloudwatch.log_stream": "123456_CloudTrail_us-east-2_3",
+ "cloud.provider": "aws",
+ "@timestamp": "2023-07-25T21:04:35Z",
+ "cloud.account.id": "123456",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "firehose-cloudtrail-logs-to-elastic",
+ "event.id": "37670326805251200781477669690942747782212394134076063744",
+ "aws.cloudwatch.log_group": "aws-cloudtrail-logs-123456-1c167310"
+ }
+ ]
+}
\ No newline at end of file
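Review bot: The `message` payload in this fixture carries real-looking STS credential material — `responseElements.credentials.accessKeyId` is `ASIAZEDJODE3A5LVGLFB` (temporary-key shaped) and a `sessionToken` whose value appears redacted in this view — while the rest of the event is sanitized to `123456`. Even expired temporary credentials should not be committed: they trip secret scanners, leak the issuing account's key prefix, and set a precedent for future fixtures. Replace both with clearly labelled placeholders, e.g. `"accessKeyId":"ASIA-PLACEHOLDER"` and `"sessionToken":"PLACEHOLDER"`, and apply the same change to the copy of this event in test-cloudtrail-log.json-expected.json. The pipeline only sets `ecs.version` and `cloud.provider` in this commit, so the expected output would change only in that string.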
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-cloudtrail-log.json-expected.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-cloudtrail-log.json-expected.json
new file mode 100644
index 00000000000..ff73078498f
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-cloudtrail-log.json-expected.json
@@ -0,0 +1,28 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-07-25T21:04:35Z",
+ "aws.cloudwatch.log_group": "aws-cloudtrail-logs-123456-1c167310",
+ "aws.cloudwatch.log_stream": "123456_CloudTrail_us-east-2_3",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:123456:deliverystream/firehose-cloudtrail-logs-to-elastic",
+ "aws.firehose.request_id": "971ae05f-a128-4a7f-b623-30f9bc513e55",
+ "aws.firehose.subscription_filters": "[cloudtrail-to-firehose]",
+ "aws.kinesis.name": "firehose-cloudtrail-logs-to-elastic",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "123456",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-2",
+ "data_stream.dataset": "aws.cloudtrail",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event.id": "37670326805251200781477669690942747782212394134076063744",
+ "message": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"AWSService\",\"invokedBy\":\"cloudtrail.amazonaws.com\"},\"eventTime\":\"2023-07-17T21:02:26Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"AssumeRole\",\"awsRegion\":\"sa-east-1\",\"sourceIPAddress\":\"cloudtrail.amazonaws.com\",\"userAgent\":\"cloudtrail.amazonaws.com\",\"requestParameters\":{\"roleArn\":\"arn:aws:iam::123456:role/service-role/aws-cloudtrail-logs-123456-b888baff_Role\",\"roleSessionName\":\"CLOUDWATCH_LOGS_DELIVERY_SESSION\"},\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIAZEDJODE3A5LVGLFB\",\"sessionToken\":\"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\",\"expiration\":\"Jul 12, 2023, 10:02:26 PM\"},\"assumedRoleUser\":{\"assumedRoleId\":\"AROAZEDJODE3NLJAH2FZC:CLOUDWATCH_LOGS_DELIVERY_SESSION\",\"arn\":\"arn:aws:sts::123456:assumed-role/aws-cloudtrail-logs-123456-b888baff_Role/CLOUDWATCH_LOGS_DELIVERY_SESSION\"}},\"requestID\":\"041c9e5f-a031-47d2-a4a0-011bc8d5352c\",\"eventID\":\"3096b662-7aa9-43e6-8bee-541a45686745\",\"readOnly\":true,\"resources\":[{\"accountId\":\"123456\",\"type\":\"AWS::IAM::Role\",\"ARN\":\"arn:aws:iam::123456:role/service-role/aws-cloudtrail-logs-123456-b888baff_Role\"}],\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"123456\",\"sharedEventID\":\"a1c94275-884f-4c1f-b8dc-2e1bf4c94d29\",\"eventCategory\":\"Management\"}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-firewall-log.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-firewall-log.json
new file mode 100644
index 00000000000..3ac09b242df
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-firewall-log.json
@@ -0,0 +1,20 @@
+{
+ "events": [
+ {
+ "cloud.region": "us-east-1",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:123456789:deliverystream/test-firewall-logs",
+ "data_stream.namespace": "default",
+ "aws.firehose.subscription_filters": "[test-firewall-logs-to-firehose]",
+ "message": "{\"firewall_name\":\"AWSNetworkFirewall\",\"availability_zone\":\"us-east-2a\",\"event_timestamp\":\"1636381332\",\"event\":{\"timestamp\":\"2021-11-08T14:22:12.637611+0000\",\"flow_id\":706471429191862,\"event_type\":\"alert\",\"src_ip\":\"81.2.69.143\",\"src_port\":51254,\"dest_ip\":\"216.160.83.57\",\"dest_port\":80,\"proto\":\"TCP\",\"alert\":{\"action\":\"blocked\",\"signature_id\":1000003,\"rev\":1,\"signature\":\"Deny all other TCP traffic\",\"category\":\"\",\"severity\":3},\"http\":{\"hostname\":\"216.160.83.57\",\"url\":\"/\",\"http_user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"length\":0},\"app_proto\":\"http\"}}",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "afa49f89-ad73-4f39-807f-7f4d666b038e",
+ "cloud.provider": "aws",
+ "@timestamp": "2023-08-11T20:01:37Z",
+ "cloud.account.id": "123456789",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "test-firewall-logs",
+ "event.id": "37728046078123216000395549868459931814660237705210691585"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-firewall-log.json-expected.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-firewall-log.json-expected.json
new file mode 100644
index 00000000000..677a47d4067
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-firewall-log.json-expected.json
@@ -0,0 +1,26 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-08-11T20:01:37Z",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:123456789:deliverystream/test-firewall-logs",
+ "aws.firehose.request_id": "afa49f89-ad73-4f39-807f-7f4d666b038e",
+ "aws.firehose.subscription_filters": "[test-firewall-logs-to-firehose]",
+ "aws.kinesis.name": "test-firewall-logs",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "123456789",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-1",
+ "data_stream.dataset": "aws.firewall_logs",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event.id": "37728046078123216000395549868459931814660237705210691585",
+ "message": "{\"firewall_name\":\"AWSNetworkFirewall\",\"availability_zone\":\"us-east-2a\",\"event_timestamp\":\"1636381332\",\"event\":{\"timestamp\":\"2021-11-08T14:22:12.637611+0000\",\"flow_id\":706471429191862,\"event_type\":\"alert\",\"src_ip\":\"81.2.69.143\",\"src_port\":51254,\"dest_ip\":\"216.160.83.57\",\"dest_port\":80,\"proto\":\"TCP\",\"alert\":{\"action\":\"blocked\",\"signature_id\":1000003,\"rev\":1,\"signature\":\"Deny all other TCP traffic\",\"category\":\"\",\"severity\":3},\"http\":{\"hostname\":\"216.160.83.57\",\"url\":\"/\",\"http_user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"length\":0},\"app_proto\":\"http\"}}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-public-log.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-public-log.json
new file mode 100644
index 00000000000..e49aa1537aa
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-public-log.json
@@ -0,0 +1,22 @@
+{
+ "events": [
+ {
+ "cloud.region": "us-east-1",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:123456789:deliverystream/test-route53-public-logs",
+ "data_stream.namespace": "default",
+ "aws.firehose.subscription_filters": "[test-route53-public-logs-to-firehose]",
+ "message": "1.0 2023-08-11T20:01:37Z Z0786514BU8K9GJ587CT filebeat-firehose.com NAPTR NOERROR UDP EWR52-C2 44.199.191.178 -",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "afa49f89-ad73-4f39-807f-7f4d666b038e",
+ "aws.cloudwatch.log_stream": "Z0786514BU8K9GJ587CT/EWR52-C2",
+ "cloud.provider": "aws",
+ "@timestamp": "2023-08-11T20:01:37Z",
+ "cloud.account.id": "123456789",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "test-route53-public-logs",
+ "event.id": "37728046078123216000395549868459931814660237705210691585",
+ "aws.cloudwatch.log_group": "/aws/route53/filebeat-firehose.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-public-log.json-expected.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-public-log.json-expected.json
new file mode 100644
index 00000000000..d3308f579c1
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-public-log.json-expected.json
@@ -0,0 +1,28 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-08-11T20:01:37Z",
+ "aws.cloudwatch.log_group": "/aws/route53/filebeat-firehose.com",
+ "aws.cloudwatch.log_stream": "Z0786514BU8K9GJ587CT/EWR52-C2",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:123456789:deliverystream/test-route53-public-logs",
+ "aws.firehose.request_id": "afa49f89-ad73-4f39-807f-7f4d666b038e",
+ "aws.firehose.subscription_filters": "[test-route53-public-logs-to-firehose]",
+ "aws.kinesis.name": "test-route53-public-logs",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "123456789",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-1",
+ "data_stream.dataset": "aws.route53_public_logs",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event.id": "37728046078123216000395549868459931814660237705210691585",
+ "message": "1.0 2023-08-11T20:01:37Z Z0786514BU8K9GJ587CT filebeat-firehose.com NAPTR NOERROR UDP EWR52-C2 44.199.191.178 -"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-resolver-log.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-resolver-log.json
new file mode 100644
index 00000000000..a7368324d78
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-resolver-log.json
@@ -0,0 +1,22 @@
+{
+ "events": [
+ {
+ "cloud.region": "us-east-1",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:123456789:deliverystream/test-route53-resolver-logs",
+ "data_stream.namespace": "default",
+ "aws.firehose.subscription_filters": "[test-route53-resolver-logs-to-firehose]",
+ "message": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:23Z\",\"query_name\":\"does-not-exist.abc.com.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"48701\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "afa49f89-ad73-4f39-807f-7f4d666b038e",
+ "aws.cloudwatch.log_stream": "Z0786514BU8K9GJ587CT/EWR52-C2",
+ "cloud.provider": "aws",
+ "@timestamp": "2023-08-11T20:01:37Z",
+ "cloud.account.id": "123456789",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "test-route53-resolver-logs",
+ "event.id": "37728046078123216000395549868459931814660237705210691585",
+ "aws.cloudwatch.log_group": "/aws/route53/filebeat-firehose.com"
+ }
+ ]
+}
\ No newline at end of file
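Review bot: Sanitization is inconsistent across the new fixtures: this one uses `123456789` for `cloud.account.id` but the embedded `message` still contains `"account_id":"626345947581"` and `"vpc_id":"vpc-01e31a7c"`, and test-vpcflow-log.json and test-waf-log.json use `428152502467` throughout. If those 12-digit values are live account IDs rather than made-up ones, they should be replaced with the same obviously synthetic identifiers used elsewhere in the package; if they are already synthetic, a consistent scheme (one placeholder account ID across all fixtures) would make that evident to the next reviewer.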
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-resolver-log.json-expected.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-resolver-log.json-expected.json
new file mode 100644
index 00000000000..d1838501d88
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-route53-resolver-log.json-expected.json
@@ -0,0 +1,28 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-08-11T20:01:37Z",
+ "aws.cloudwatch.log_group": "/aws/route53/filebeat-firehose.com",
+ "aws.cloudwatch.log_stream": "Z0786514BU8K9GJ587CT/EWR52-C2",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:123456789:deliverystream/test-route53-resolver-logs",
+ "aws.firehose.request_id": "afa49f89-ad73-4f39-807f-7f4d666b038e",
+ "aws.firehose.subscription_filters": "[test-route53-resolver-logs-to-firehose]",
+ "aws.kinesis.name": "test-route53-resolver-logs",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "123456789",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-1",
+ "data_stream.dataset": "aws.route53_resolver_logs",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event.id": "37728046078123216000395549868459931814660237705210691585",
+ "message": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:23Z\",\"query_name\":\"does-not-exist.abc.com.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"48701\",\"transport\":\"UDP\",\"srcids\":{}}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-vpcflow-log.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-vpcflow-log.json
new file mode 100644
index 00000000000..b8c2a833d8b
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-vpcflow-log.json
@@ -0,0 +1,18 @@
+{
+ "events": [
+ {
+ "cloud.provider": "aws",
+ "@timestamp": "2023-08-23T16:47:26Z",
+ "cloud.region": "us-east-2",
+ "cloud.account.id": "428152502467",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:428152502467:deliverystream/test-vpcflow-logs",
+ "data_stream.namespace": "default",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "test-vpcflow-logs",
+ "message": "{\"message\":\"2 428152502467 eni-0b584e1c714317ac6 176.111.174.91 10.0.0.102 41536 1135 6 1 40 1692809104 1692809162 REJECT OK\"}\n",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "1cfbed13-d631-4b8b-b20a-b7c5bf8fcd00"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-vpcflow-log.json-expected.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-vpcflow-log.json-expected.json
new file mode 100644
index 00000000000..1c07807b08a
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-vpcflow-log.json-expected.json
@@ -0,0 +1,24 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-08-23T16:47:26Z",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-2:428152502467:deliverystream/test-vpcflow-logs",
+ "aws.firehose.request_id": "1cfbed13-d631-4b8b-b20a-b7c5bf8fcd00",
+ "aws.kinesis.name": "test-vpcflow-logs",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "428152502467",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-2",
+ "data_stream.dataset": "aws.vpcflow",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "message": "{\"message\":\"2 428152502467 eni-0b584e1c714317ac6 176.111.174.91 10.0.0.102 41536 1135 6 1 40 1692809104 1692809162 REJECT OK\"}\n"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-waf-log.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-waf-log.json
new file mode 100644
index 00000000000..893c3a1027f
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-waf-log.json
@@ -0,0 +1,36 @@
+{
+ "events": [
+ {
+ "cloud.provider": "aws",
+ "@timestamp": "2023-08-23T16:47:26Z",
+ "cloud.region": "us-east-1",
+ "cloud.account.id": "428152502467",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:428152502467:deliverystream/aws-waf-logs-test",
+ "data_stream.namespace": "default",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "aws-waf-logs-test",
+ "message": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"AU\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"x-stm-test\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}\n",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "1cfbed13-d631-4b8b-b20a-b7c5bf8fcd00"
+ },
+ {
+ "cloud.region": "us-east-1",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:123456789:deliverystream/test-waf-logs",
+ "data_stream.namespace": "default",
+ "aws.firehose.subscription_filters": "[test-waf-logs-to-firehose]",
+ "message": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"AU\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"x-stm-test\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}\n",
+ "aws.kinesis.type": "deliverystream",
+ "data_stream.type": "logs",
+ "aws.firehose.request_id": "afa49f89-ad73-4f39-807f-7f4d666b038e",
+ "aws.cloudwatch.log_stream": "us-east-1_web-acl-name_1",
+ "cloud.provider": "aws",
+ "@timestamp": "2023-08-23T16:47:26Z",
+ "cloud.account.id": "123456789",
+ "data_stream.dataset": "awsfirehose.logs",
+ "aws.kinesis.name": "test-waf-logs",
+ "event.id": "37728046078123216000395549868459931814660237705210691585",
+ "aws.cloudwatch.log_group": "aws-waf-logs-test-firehose"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-waf-log.json-expected.json b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-waf-log.json-expected.json
new file mode 100644
index 00000000000..82037490543
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-waf-log.json-expected.json
@@ -0,0 +1,48 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-08-23T16:47:26Z",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:428152502467:deliverystream/aws-waf-logs-test",
+ "aws.firehose.request_id": "1cfbed13-d631-4b8b-b20a-b7c5bf8fcd00",
+ "aws.kinesis.name": "aws-waf-logs-test",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "428152502467",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-1",
+ "data_stream.dataset": "aws.waf",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "message": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"AU\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"x-stm-test\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}\n"
+ },
+ {
+ "@timestamp": "2023-08-23T16:47:26Z",
+ "aws.cloudwatch.log_group": "aws-waf-logs-test-firehose",
+ "aws.cloudwatch.log_stream": "us-east-1_web-acl-name_1",
+ "aws.firehose.arn": "arn:aws:firehose:us-east-1:123456789:deliverystream/test-waf-logs",
+ "aws.firehose.request_id": "afa49f89-ad73-4f39-807f-7f4d666b038e",
+ "aws.firehose.subscription_filters": "[test-waf-logs-to-firehose]",
+ "aws.kinesis.name": "test-waf-logs",
+ "aws.kinesis.type": "deliverystream",
+ "cloud": {
+ "provider": "aws"
+ },
+ "cloud.account.id": "123456789",
+ "cloud.provider": "aws",
+ "cloud.region": "us-east-1",
+ "data_stream.dataset": "aws.waf",
+ "data_stream.namespace": "default",
+ "data_stream.type": "logs",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event.id": "37728046078123216000395549868459931814660237705210691585",
+ "message": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"AU\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"x-stm-test\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}\n"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/awsfirehose/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/awsfirehose/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..bd196c5bb35
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,13 @@
+---
+description: Pipeline for rerouting logs streams from Amazon Kinesis Data Firehose.
+processors:
+ - set:
+ field: ecs.version
+ value: 8.0.0
+ - set:
+ field: cloud.provider
+ value: aws
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/awsfirehose/data_stream/logs/fields/ecs.yml b/packages/awsfirehose/data_stream/logs/fields/ecs.yml
new file mode 100644
index 00000000000..c86ca327c7a
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/fields/ecs.yml
@@ -0,0 +1,24 @@
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: data_stream.type
+- external: ecs
+ name: data_stream.dataset
+- external: ecs
+ name: data_stream.namespace
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.original
+- external: ecs
+ name: message
+- external: ecs
+ name: '@timestamp'
diff --git a/packages/awsfirehose/data_stream/logs/fields/fields.yml b/packages/awsfirehose/data_stream/logs/fields/fields.yml
new file mode 100644
index 00000000000..be203bcfeb6
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/fields/fields.yml
@@ -0,0 +1,44 @@
+- name: aws
+ type: object
+ fields:
+ - name: cloudwatch
+ type: object
+ fields:
+ - name: log_group
+ type: keyword
+ description: |
+ CloudWatch log group name.
+ - name: log_stream
+ type: keyword
+ description: |
+ CloudWatch log stream name.
+ - name: firehose
+ type: object
+ fields:
+ - name: arn
+ type: keyword
+ description: |
+ Firehose ARN.
+ - name: request_id
+ type: keyword
+ description: |
+ Firehose request ID.
+ - name: subscription_filters
+ type: keyword
+ description: |
+ Firehose request ID.
+ - name: parameters.*
+ type: object
+ description: |
+ Key-value pairs users set up when creating the Kinesis Data Firehose. These parameters are included in each HTTP call.
+ - name: kinesis
+ type: object
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ Kinesis name.
+ - name: type
+ type: keyword
+ description: |-
+ Kinesis type.
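Review bot: The description of `aws.firehose.subscription_filters` repeats the `request_id` text `Firehose request ID.`, so the generated field reference documents two different fields with the same sentence. Judging by the sample value earlier in this diff (`"aws.firehose.subscription_filters": "[test-waf-logs-to-firehose]"`), something like `Names of the CloudWatch Logs subscription filters that delivered the record to Firehose.` describes it; confirm against the field's producer before wording it. The `parameters.*` entry is declared `type: object` while the description calls it key-value pairs set by users, so a short note on the expected value types (presumably keyword) would help whoever maps or queries them.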
diff --git a/packages/awsfirehose/data_stream/logs/manifest.yml b/packages/awsfirehose/data_stream/logs/manifest.yml
new file mode 100644
index 00000000000..db3cb47aeae
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/manifest.yml
@@ -0,0 +1,8 @@
+title: Logs from Amazon Kinesis Data Firehose
+type: logs
+dataset: awsfirehose.logs
+# This integration includes predefined rules that automatically route AWS service logs to the respective integrations.
+# Adding these permissions to ensure the agents have permissions to write data to `logs-*-*`.
+elasticsearch:
+ dynamic_dataset: true
+ dynamic_namespace: true
diff --git a/packages/awsfirehose/data_stream/logs/routing_rules.yml b/packages/awsfirehose/data_stream/logs/routing_rules.yml
new file mode 100644
index 00000000000..c905a166888
--- /dev/null
+++ b/packages/awsfirehose/data_stream/logs/routing_rules.yml
@@ -0,0 +1,87 @@
+- source_dataset: awsfirehose.logs
+ rules:
+ - target_dataset: aws.firewall_logs
+ if: ctx.message != null && ctx.message.contains('firewall_name') && ctx.message.contains('availability_zone') && ctx.message.contains('event_timestamp') && ctx.message.contains('event')
+ namespace:
+ - "{{data_stream.namespace}}"
+ - default
+ - target_dataset: aws.cloudtrail
+ if: ctx['aws.cloudwatch.log_stream'] != null && ctx['aws.cloudwatch.log_stream'].contains('CloudTrail')
+ namespace:
+ - "{{data_stream.namespace}}"
+ - default
+ - target_dataset: aws.route53_public_logs
+ if: >-
+ if (ctx['aws.cloudwatch.log_stream'] == null) {
+ return false;
+ }
+ def split_log_stream_name=ctx['aws.cloudwatch.log_stream'].splitOnToken('/');
+ if (split_log_stream_name.length!=2) {
+ return false;
+ }
+ def hosted_zone_id=split_log_stream_name[0];
+ def edge_location_id=split_log_stream_name[1];
+ if (ctx.message != null && ctx.message.contains(hosted_zone_id) && ctx.message.contains(edge_location_id)){
+ return true;
+ }
+ return false;
+ namespace:
+ - "{{data_stream.namespace}}"
+ - default
+ - target_dataset: aws.route53_resolver_logs
+ if: >-
+ ctx.message != null && ctx.message.contains('version') && ctx.message.contains('account_id') && ctx.message.contains('region') &&
+ ctx.message.contains('vpc_id') && ctx.message.contains('query_timestamp') && ctx.message.contains('query_name')
+ && ctx.message.contains('query_type') && ctx.message.contains('query_class') && ctx.message.contains('rcode')
+ && ctx.message.contains('answers') && ctx.message.contains('srcaddr') && ctx.message.contains('srcport')
+ && ctx.message.contains('transport') && ctx.message.contains('srcids')
+ namespace:
+ - "{{data_stream.namespace}}"
+ - default
+ - target_dataset: aws.vpcflow
+ if: >-
+ if (ctx.message!= null) {
+ def message_token_count=ctx.message.splitOnToken(" ").length;
+ if (message_token_count==14) {
+ return true;
+ }
+ }
+ return false;
+ namespace:
+ - "{{data_stream.namespace}}"
+ - default
+ - target_dataset: aws.waf
+ # Kinesis Data Firehose stream name begins with `aws-waf-logs-`
+ # CloudWatch log group name begins with `aws-waf-logs-`
+ # Log fields:
+ # timestamp formatVersion webaclld terminatingRuleId terminatingRuleType action
+ # terminatingRuleMatchDetails httpSourceName httpSourceId ruleGroupList rateBasedRuleList
+ # nonTerminatingMatchingRules httpRequest labels
+ if: >-
+ (ctx['aws.kinesis.name'] != null && ctx['aws.kinesis.name'].contains('aws-waf-logs-'))
+ || (ctx['aws.cloudwatch.log_group'] != null && ctx['aws.cloudwatch.log_group'].contains('aws-waf-logs-'))
+ || (ctx.message != null && ctx.message.contains('webaclld') && ctx.message.contains('terminatingRule')
+ && ctx.message.contains('httpSource') && ctx.message.contains('ruleGroupList') && ctx.message.contains('rateBasedRuleList')
+ && ctx.message.contains('nonTerminatingMatchingRules') && ctx.message.contains('httpRequest') && ctx.message.contains('labels'))
+ namespace:
+ - "{{data_stream.namespace}}"
+ - default
+ - target_dataset: aws.apigateway_logs
+ # Supported API Gateway log format by API type
+ # HTTP: requestId ip requestTime httpMethod routeKey status protocol responseLength
+ # REST: requestId ip caller user requestTime httpMethod resourcePath status protocol responseLength
+ # WebSockets: requestId ip caller user requestTime eventType routeKey status connectionId
+ if: >-
+ (ctx.message != null && ctx.message.contains('requestId') && ctx.message.contains('ip')
+ && ctx.message.contains('requestTime') && ctx.message.contains('httpMethod') && ctx.message.contains('routeKey')
+ && ctx.message.contains('status') && ctx.message.contains('protocol') && ctx.message.contains('responseLength'))
+ || (ctx.message != null && ctx.message.contains('requestId') && ctx.message.contains('ip') && ctx.message.contains('caller')
+ && ctx.message.contains('user') && ctx.message.contains('requestTime') && ctx.message.contains('httpMethod')
+ && ctx.message.contains('resourcePath') && ctx.message.contains('status') && ctx.message.contains('protocol')
+ && ctx.message.contains('responseLength'))
+ || (ctx.message != null && ctx.message.contains('requestId') && ctx.message.contains('ip') && ctx.message.contains('caller')
+ && ctx.message.contains('user') && ctx.message.contains('requestTime') && ctx.message.contains('eventType')
+ && ctx.message.contains('routeKey') && ctx.message.contains('status') && ctx.message.contains('connectionId'))
+ namespace:
+ - "{{data_stream.namespace}}"
+ - default
\ No newline at end of file
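Review bot: The message-content branch of the `aws.waf` rule tests `ctx.message.contains('webaclld')` (two lowercase L's), but the WAF log field is spelled `webaclId`, as the sample record earlier in this diff shows (`\"webaclId\":\"arn:aws:wafv2:...`), so that branch never matches and WAF records only route when the Kinesis stream or CloudWatch log group name carries the `aws-waf-logs-` prefix. The condition should read `|| (ctx.message != null && ctx.message.contains('webaclId') && ctx.message.contains('terminatingRule')`, and the field list in the comment above it `timestamp formatVersion webaclId terminatingRuleId terminatingRuleType action`. Separately, most rules pick the target dataset by substring sniffing of `message` (the API Gateway branches need only `requestId`, `ip`, `status` and a few other common words; the VPC flow rule accepts any message with exactly 14 space-separated tokens, and rule order decides ties), so whoever controls record content also controls which `logs-*-*` data stream it lands in; a header comment stating that assumption would make the `dynamic_dataset`/`dynamic_namespace` grants in the data stream manifest easier to reason about.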
diff --git a/packages/awsfirehose/docs/README.md b/packages/awsfirehose/docs/README.md
new file mode 100644
index 00000000000..655f3c32885
--- /dev/null
+++ b/packages/awsfirehose/docs/README.md
@@ -0,0 +1,93 @@
+# Amazon Kinesis Data Firehose
+Amazon Kinesis Data Firehose integration offers users a way to stream logs from Firehose to Elastic Cloud.
+This integration includes predefined rules that automatically route AWS service logs to the respective integrations, which
+include field mappings, ingest pipelines, predefined dashboards and ect. Here is a list of log types that are supported
+by this integration:
+
+| AWS service log | Log destination |
+|--------------------|---------------------------|
+| API Gateway | CloudWatch |
+| CloudTrail | CloudWatch |
+| Network Firewall | Firehose, CloudWatch, S3 |
+| Route53 Public DNS | CloudWatch |
+| Route53 Resolver | Firehose, CloudWatch, S3 |
+| VPC Flow | Firehose, CloudWatch, S3 |
+| WAF | Firehose, CloudWatch |
+
+## Limitation
+It is not possible to configure a delivery stream to send data to Elastic Cloud via PrivateLink (VPC endpoint).
+This is a current limitation in Firehose, which we are working with AWS to resolve.
+
+## Instructions
+1. Install the relevant integrations in Kibana
+
+ In order to make the most of your data, install AWS integrations to load index templates, ingest pipelines, and
+ dashboards into Kibana. In Kibana, navigate to **Management** > **Integrations** in the sidebar.
+ Find the **AWS** integration by searching or browsing the catalog.
+
+ 
+
+ Navigate to the **Settings** tab and click **Install AWS assets**. Confirm by clicking **Install AWS** in the popup.
+
+ 
+
+2. Create a delivery stream in Amazon Kinesis Data Firehose
+
+ Sign into the AWS console and navigate to Amazon Kinesis. Click **Create delivery stream**.
+ Configure the delivery stream using the following settings:
+
+ 
+
+ **Choose source and destination**
+
+ Unless you are streaming data from Kinesis Data Streams, set source to Direct PUT (see Setup guide for more details on data sources).
+
+ Set destination to **Elastic**.
+
+ **Delivery stream name**
+
+ Provide a meaningful name that will allow you to identify this delivery stream later.
+
+ 
+
+ **Destination settings**
+
+ 1. Set **Elastic endpoint URL** to point to your Elasticsearch cluster running in Elastic Cloud.
+ This endpoint can be found in the Elastic Cloud console. An example is https://my-deployment-28u274.es.eu-west-1.aws.found.io.
+
+ 2. **API key** should be a Base64 encoded Elastic API key, which can be created in Kibana by following the
+ instructions under API Keys. If you are using an API key with “Restrict privileges”, be sure to review the Indices
+ privileges to provide at least "auto_configure" & "write" permissions for the indices you will be using with this
+ delivery stream.
+
+ 3. We recommend leaving **Content encoding** set to **GZIP** for improved network efficiency.
+
+ 4. **Retry duration** determines how long Firehose continues retrying the request in the event of an error.
+ A duration of 60-300s should be suitable for most use cases.
+
+ 5. Elastic requires a **Buffer size** of `1MiB` to avoid exceeding the Elasticsearch `http.max_content_length`
+ setting (typically 100MB) when the buffer is uncompressed.
+
+ 6. The default **Buffer interval** of `60s` is recommended to ensure data freshness in Elastic.
+
+ 7. **Parameters**
+
+ 1. Elastic recommends setting the `es_datastream_name` parameter to `logs-awsfirehose.logs-default` in order to
+ leverage the routing rules defined in this integration. If this parameter is not specified, data is sent to the
+ `logs-generic-default` data stream by default.
+ 
+
+ 2. The **include_cw_extracted_fields** parameter is optional and can be set when using a CloudWatch logs subscription
+ filter as the Firehose data source. When set to true, extracted fields generated by the filter pattern in the
+ subscription filter will be collected. Setting this parameter can add many fields into each record and may significantly
+ increase data volume in Elasticsearch. As such, use of this parameter should be carefully considered and used only when
+ the extracted fields are required for specific filtering and/or aggregation.
+
+ 3. The **include_event_original** field is optional and should only be used for debugging purposes. When set to `true`, each
+ log record will contain an additional field named `event.original`, which contains the raw (unprocessed) log message.
+ This parameter will increase the data volume in Elasticsearch and should be used with care.
+
+3. Send data to the Firehose delivery stream
+
+ Consult the [AWS documentation](https://docs.aws.amazon.com/firehose/latest/dev/basic-write.html) for details on how to
+ configure a variety of log sources to send data to Firehose delivery streams.
diff --git a/packages/awsfirehose/img/aws-firehose.png b/packages/awsfirehose/img/aws-firehose.png
new file mode 100644
index 00000000000..b3fb863df1f
Binary files /dev/null and b/packages/awsfirehose/img/aws-firehose.png differ
diff --git a/packages/awsfirehose/img/aws.png b/packages/awsfirehose/img/aws.png
new file mode 100644
index 00000000000..be98056181d
Binary files /dev/null and b/packages/awsfirehose/img/aws.png differ
diff --git a/packages/awsfirehose/img/destination-settings.png b/packages/awsfirehose/img/destination-settings.png
new file mode 100644
index 00000000000..ea933a69da3
Binary files /dev/null and b/packages/awsfirehose/img/destination-settings.png differ
diff --git a/packages/awsfirehose/img/install-assets.png b/packages/awsfirehose/img/install-assets.png
new file mode 100644
index 00000000000..af67e0a0003
Binary files /dev/null and b/packages/awsfirehose/img/install-assets.png differ
diff --git a/packages/awsfirehose/img/logo_firehose.svg b/packages/awsfirehose/img/logo_firehose.svg
new file mode 100644
index 00000000000..53739b79bef
--- /dev/null
+++ b/packages/awsfirehose/img/logo_firehose.svg
@@ -0,0 +1,12 @@
+
+
\ No newline at end of file
diff --git a/packages/awsfirehose/img/source-destination.png b/packages/awsfirehose/img/source-destination.png
new file mode 100644
index 00000000000..e52705d91c8
Binary files /dev/null and b/packages/awsfirehose/img/source-destination.png differ
diff --git a/packages/awsfirehose/manifest.yml b/packages/awsfirehose/manifest.yml
new file mode 100644
index 00000000000..e5a652cb5c1
--- /dev/null
+++ b/packages/awsfirehose/manifest.yml
@@ -0,0 +1,18 @@
+format_version: 2.9.0
+name: awsfirehose
+title: Amazon Kinesis Data Firehose
+version: 0.2.1
+description: Stream logs from Amazon Kinesis Data Firehose into Elastic Cloud.
+type: integration
+categories:
+ - observability
+ - aws
+conditions:
+ kibana.version: "^8.10.1"
+owner:
+ github: elastic/obs-cloud-monitoring
+icons:
+ - src: /img/logo_firehose.svg
+ title: logo aws firehose
+ size: 64x64
+ type: image/svg+xml
diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml
index 9418e333394..99bb7df0c24 100644
--- a/packages/azure/changelog.yml
+++ b/packages/azure/changelog.yml
@@ -1,3 +1,38 @@
+- version: "1.5.31"
+ changes:
+ - description: Migration of Azure AD Identity Protection dashboard to Lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7376
+- version: "1.5.30"
+ changes:
+ - description: Migration of Azure AD Provisioning Logs dashboard to Lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7375
+- version: "1.5.29"
+ changes:
+ - description: Fix Azure dashboards descriptions and titles.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7525
+- version: "1.5.28"
+ changes:
+ - description: Migration Alerts Overview dashboard to Lens
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5954
+- version: "1.5.27"
+ changes:
+ - description: Fix in Firewall dashboards
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6960
+- version: "1.5.26"
+ changes:
+ - description: Handle duplicate user_agent.original field in signinlogs logs
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6867
+- version: "1.5.25"
+ changes:
+ - description: Handle duplicate url.path field in application gateway logs
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6866
- version: "1.5.24"
changes:
- description: Handle firewall events for DNAT'ed requests with attributes
diff --git a/packages/azure/data_stream/application_gateway/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/application_gateway/elasticsearch/ingest_pipeline/default.yml
index 4c2380efb89..46f5174345b 100644
--- a/packages/azure/data_stream/application_gateway/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/application_gateway/elasticsearch/ingest_pipeline/default.yml
@@ -76,6 +76,13 @@ processors:
field: json.properties.requestUri
target_field: url.path
ignore_missing: true
+ if: 'ctx.url?.path == null'
+ description: 'Renames the original `json.properties.requestUri` field to `url.path` to match the ECS field name. The `url.path` field is not touched if the document already has one.'
+ - remove:
+ field: json.properties.httpMethod
+ ignore_missing: true
+ if: 'ctx.url?.path != null'
+ description: 'The `json.properties.httpMethod` field is no longer required if the document has a `url.path` field.'
- set:
field: url.path
copy_from: url.original
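Review bot: The new `remove` processor drops `json.properties.httpMethod`, but the field whose rename is now skipped when `url.path` already exists is `json.properties.requestUri` (the `field:` line at the top of the hunk), so a document that arrives with `url.path` keeps the leftover `requestUri` and loses the unrelated `httpMethod` value instead. The parallel change in the signinlogs pipeline removes the very field it renames, which looks like the intended shape here too: `field: json.properties.requestUri` with the description `The json.properties.requestUri field is no longer required if the document has a url.path field.` The enclosing `rename` processor begins before the hunk.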
diff --git a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
index ed2f1d2eee5..d1a21856a02 100644
--- a/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml
@@ -274,6 +274,13 @@ processors:
field: azure.signinlogs.properties.user_agent
target_field: user_agent.original
ignore_missing: true
+ if: 'ctx.user_agent?.original == null'
+ description: 'Renames the original `azure.signinlogs.properties.user_agent` field to `user_agent.original` to match the ECS field name. The `user_agent.original` field is not touched if the document already has one.'
+ - remove:
+ field: azure.signinlogs.properties.user_agent
+ ignore_missing: true
+ if: 'ctx.user_agent?.original != null'
+ description: 'The `azure.signinlogs.properties.user_agent` field is no longer required if the document has a `user_agent.original` field.'
- user_agent:
field: user_agent.original
ignore_missing: true
diff --git a/packages/azure/kibana/dashboard/azure-0f559cc0-f0d5-11e9-90ec-112a988266d5.json b/packages/azure/kibana/dashboard/azure-0f559cc0-f0d5-11e9-90ec-112a988266d5.json
index 5eb82f3020a..c14f40b1af3 100644
--- a/packages/azure/kibana/dashboard/azure-0f559cc0-f0d5-11e9-90ec-112a988266d5.json
+++ b/packages/azure/kibana/dashboard/azure-0f559cc0-f0d5-11e9-90ec-112a988266d5.json
@@ -1,481 +1,525 @@
{
- "id": "azure-0f559cc0-f0d5-11e9-90ec-112a988266d5",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2023-03-07T09:38:25.166Z",
- "created_at": "2023-03-07T09:38:25.166Z",
- "version": "WzExMjc0LDFd",
- "attributes": {
- "controlGroupInput": {
- "chainingSystem": "HIERARCHICAL",
- "controlStyle": "oneLine",
- "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
- "panelsJSON": "{\"676fd632-a9c1-46ed-829b-ca5b55817379\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"id\":\"676fd632-a9c1-46ed-829b-ca5b55817379\",\"enhancements\":{}}}}"
- },
- "description": "This dashboard provides expanded alerts overview for Azure cloud",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [
- {
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "data_stream.dataset",
- "negate": false,
- "params": {
- "query": "azure.activitylogs"
- },
- "type": "phrase"
- },
- "query": {
- "match_phrase": {
- "data_stream.dataset": "azure.activitylogs"
- }
- }
- }
- ],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "optionsJSON": {
- "hidePanelTitles": false,
- "useMargins": true
- },
- "panelsJSON": [
- {
- "version": "8.5.0",
- "type": "visualization",
- "gridData": {
- "h": 4,
- "i": "9d1a26e6-2ff0-4d3e-bab3-7bb3c50cd060",
- "w": 21,
- "x": 0,
- "y": 0
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"676fd632-a9c1-46ed-829b-ca5b55817379\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"id\":\"676fd632-a9c1-46ed-829b-ca5b55817379\",\"enhancements\":{}}}}"
},
- "panelIndex": "9d1a26e6-2ff0-4d3e-bab3-7bb3c50cd060",
- "embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Navigation Alerts [Logs Azure]",
- "description": "",
- "uiState": {},
- "params": {
- "fontSize": 10,
- "markdown": "### Azure Monitoring\n\n[Overview](#/dashboard/azure-41e84340-ec20-11e9-90ec-112a988266d5) | [Users](#/dashboard/azure-87095750-f05a-11e9-90ec-112a988266d5) | [**Alerts**](#/dashboard/azure-0f559cc0-f0d5-11e9-90ec-112a988266d5) ",
- "openLinksInNewTab": false
- },
- "type": "markdown",
- "data": {
- "aggs": [],
- "searchSource": {
+ "description": "This dashboard provides expanded alerts overview for Azure cloud.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
"filter": [],
"query": {
- "language": "kuery",
- "query": ""
+ "language": "kuery",
+ "query": ""
}
- }
}
- }
},
- "title": "Navigation Alerts"
- },
- {
- "version": "8.5.0",
- "type": "visualization",
- "gridData": {
- "h": 15,
- "i": "096b4eaa-072e-455f-befa-3076f71be12d",
- "w": 27,
- "x": 21,
- "y": 0
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
},
- "panelIndex": "096b4eaa-072e-455f-befa-3076f71be12d",
- "embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Alerts Overview [Logs Azure]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "data_stream.dataset :\"azure.activitylogs\" and azure.activitylogs.event_category : \"Alert\""
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "logs-*",
- "interval": "",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,220,0,1)",
- "fill": 0.5,
- "filter": {
- "language": "kuery",
- "query": "azure.activitylogs.result_type: \"Activated\""
- },
- "formatter": "number",
- "hide_in_legend": 0,
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "line_width": 1,
- "metrics": [
- {
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "count"
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "### Azure Monitoring\n\n[Overview](#/dashboard/azure-41e84340-ec20-11e9-90ec-112a988266d5) | [Users](#/dashboard/azure-87095750-f05a-11e9-90ec-112a988266d5) | [**Alerts**](#/dashboard/azure-0f559cc0-f0d5-11e9-90ec-112a988266d5) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Alerts [Logs Azure]",
+ "type": "markdown",
+ "uiState": {}
}
- ],
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "filter",
- "stacked": "none"
},
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "filter": {
- "language": "kuery",
- "query": "azure.activitylogs.result_type: \"Resolved\" or azure.activitylogs.result_type: \"Succeeded\""
- },
- "formatter": "number",
- "hide_in_legend": 0,
- "id": "5a52f170-ec1e-11e9-b6a7-21d19b63822a",
- "line_width": 1,
- "metrics": [
- {
- "id": "5a52f171-ec1e-11e9-b6a7-21d19b63822a",
- "type": "count"
- }
- ],
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "filter",
- "stacked": "none"
- }
- ],
- "show_grid": 1,
- "show_legend": 0,
- "time_field": "",
- "type": "timeseries",
- "use_kibana_indexes": false,
- "drop_last_bucket": 1
- },
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
- },
- "title": "Alerts Overview"
- },
- {
- "version": "8.5.0",
- "type": "visualization",
- "gridData": {
- "h": 9,
- "i": "162fb43e-fff3-4f50-aa9b-a713418bd651",
- "w": 27,
- "x": 21,
- "y": 15
- },
- "panelIndex": "162fb43e-fff3-4f50-aa9b-a713418bd651",
- "embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Alerts Count [Logs Azure]",
- "description": "",
- "uiState": {},
- "params": {
- "addLegend": false,
- "addTooltip": true,
- "dimensions": {
- "bucket": {
- "accessor": 0,
- "format": {
- "id": "string",
- "params": {}
- },
- "type": "vis_dimension"
+ "gridData": {
+ "h": 4,
+ "i": "9d1a26e6-2ff0-4d3e-bab3-7bb3c50cd060",
+ "w": 21,
+ "x": 0,
+ "y": 0
},
- "metrics": [
- {
- "accessor": 1,
- "format": {
- "id": "number",
- "params": {}
+ "panelIndex": "9d1a26e6-2ff0-4d3e-bab3-7bb3c50cd060",
+ "title": "Navigation Alerts",
+ "type": "visualization",
+ "version": "8.6.2"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-c0e8cd55-a662-40d4-87f4-a889776f3a75",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "c0e8cd55-a662-40d4-87f4-a889776f3a75": {
+ "columnOrder": [
+ "b72d2ce7-da41-406b-9a5a-ff07a74d439a",
+ "5e01096c-ce58-478d-856a-31852542c710",
+ "87204ef0-75a9-4d9b-9f9b-7442b1234b2a"
+ ],
+ "columns": {
+ "5e01096c-ce58-478d-856a-31852542c710": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.activitylogs.result_type: \"Activated\""
+ },
+ "isBucketed": false,
+ "label": "Activated",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "@timestamp"
+ },
+ "87204ef0-75a9-4d9b-9f9b-7442b1234b2a": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.activitylogs.result_type: \"Resolved\" or azure.activitylogs.result_type: \"Succeeded\""
+ },
+ "isBucketed": false,
+ "label": "Resolved/Succeeded",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "@timestamp"
+ },
+ "b72d2ce7-da41-406b-9a5a-ff07a74d439a": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": " ",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset :\"azure.activitylogs\" and (azure.activitylogs.category : \"Alert\" or azure.activitylogs.event_category: \"Alert\")"
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "5e01096c-ce58-478d-856a-31852542c710",
+ "87204ef0-75a9-4d9b-9f9b-7442b1234b2a"
+ ],
+ "layerId": "c0e8cd55-a662-40d4-87f4-a889776f3a75",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "xAccessor": "b72d2ce7-da41-406b-9a5a-ff07a74d439a",
+ "yConfig": [
+ {
+ "color": "#54b399",
+ "forAccessor": "87204ef0-75a9-4d9b-9f9b-7442b1234b2a"
+ },
+ {
+ "color": "#d6bf57",
+ "forAccessor": "5e01096c-ce58-478d-856a-31852542c710"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": false,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
},
- "type": "vis_dimension"
- }
- ]
- },
- "metric": {
- "colorSchema": "Green to Red",
- "colorsRange": [
- {
- "from": 0,
- "to": 10000,
- "type": "range"
- }
- ],
- "invertColors": false,
- "labels": {
- "show": true
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "metricColorMode": "None",
- "percentageMode": false,
- "style": {
- "bgColor": false,
- "bgFill": "#000",
- "fontSize": 60,
- "labelColor": false,
- "subText": ""
+ "gridData": {
+ "h": 15,
+ "i": "e5e45365-c81a-4f7f-b58b-8d2d781329a5",
+ "w": 27,
+ "x": 21,
+ "y": 0
},
- "useRanges": false
- },
- "type": "metric"
+ "panelIndex": "e5e45365-c81a-4f7f-b58b-8d2d781329a5",
+ "title": "Alerts Overview",
+ "type": "lens",
+ "version": "8.6.2"
},
- "type": "metric",
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "customLabel": "Alerts"
- },
- "schema": "metric",
- "type": "count"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "filters": [
- {
- "input": {
- "language": "kuery",
- "query": "azure.activitylogs.result_type : \"Activated\""
- },
- "label": "Activated"
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.activitylogs.result_type : \"Resolved\""
- },
- "label": "Resolved"
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.activitylogs.result_type : \"Succeeded\""
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-edee18c5-648c-4f00-8293-cd72ff805e62",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "edee18c5-648c-4f00-8293-cd72ff805e62": {
+ "columnOrder": [
+ "5aaf5c65-ba9f-4c98-a049-23758ac0943b",
+ "12b20199-3021-4ffc-8010-10cd8688ee21",
+ "03722365-3d88-43ad-bae5-922daf2a7a7d"
+ ],
+ "columns": {
+ "03722365-3d88-43ad-bae5-922daf2a7a7d": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "12b20199-3021-4ffc-8010-10cd8688ee21": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Resource Group",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "03722365-3d88-43ad-bae5-922daf2a7a7d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.group"
+ },
+ "5aaf5c65-ba9f-4c98-a049-23758ac0943b": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Provider",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "03722365-3d88-43ad-bae5-922daf2a7a7d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.provider"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset :\"azure.activitylogs\" and (azure.activitylogs.event_category : \"Alert\" or azure.activitylogs.category : \"Alert\" )"
+ },
+ "visualization": {
+ "gridConfig": {
+ "isCellLabelVisible": false,
+ "isXAxisLabelVisible": true,
+ "isXAxisTitleVisible": true,
+ "isYAxisLabelVisible": true,
+ "isYAxisTitleVisible": true,
+ "type": "heatmap_grid"
+ },
+ "layerId": "edee18c5-648c-4f00-8293-cd72ff805e62",
+ "layerType": "data",
+ "legend": {
+ "position": "right",
+ "type": "heatmap_legend"
+ },
+ "palette": {
+ "accessor": "03722365-3d88-43ad-bae5-922daf2a7a7d",
+ "name": "status",
+ "params": {
+ "continuity": "above",
+ "maxSteps": 5,
+ "name": "status",
+ "progression": "fixed",
+ "rangeMax": null,
+ "rangeMin": 0,
+ "rangeType": "percent",
+ "reverse": false,
+ "stops": [
+ {
+ "color": "#209280",
+ "stop": 0
+ },
+ {
+ "color": "#54b399",
+ "stop": 20
+ },
+ {
+ "color": "#d6bf57",
+ "stop": 40
+ },
+ {
+ "color": "#e7664c",
+ "stop": 60
+ },
+ {
+ "color": "#cc5642",
+ "stop": 80
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "shape": "heatmap",
+ "valueAccessor": "03722365-3d88-43ad-bae5-922daf2a7a7d",
+ "xAccessor": "5aaf5c65-ba9f-4c98-a049-23758ac0943b",
+ "yAccessor": "12b20199-3021-4ffc-8010-10cd8688ee21"
+ }
},
- "label": "Succeeded"
- }
- ]
- },
- "schema": "group",
- "type": "filters"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": "data_stream.dataset :\"azure.activitylogs\" and azure.activitylogs.event_category : \"Alert\" "
- }
- }
- }
- }
- },
- "title": "Alerts Count"
- },
- {
- "version": "8.5.0",
- "type": "visualization",
- "gridData": {
- "h": 20,
- "i": "36fb5c08-80d9-4a1c-8fde-9c063381fdd8",
- "w": 21,
- "x": 0,
- "y": 4
- },
- "panelIndex": "36fb5c08-80d9-4a1c-8fde-9c063381fdd8",
- "embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Alerts Heatmap [Logs Azure]",
- "description": "",
- "uiState": {
- "vis": {
- "defaultColors": {
- "0": "rgb(247,252,245)"
- }
- }
- },
- "params": {
- "addLegend": true,
- "addTooltip": true,
- "colorSchema": "Greens",
- "colorsNumber": 4,
- "colorsRange": [],
- "dimensions": {
- "x": {
- "accessor": 0,
- "aggType": "terms",
- "format": {
- "id": "terms",
- "params": {
- "id": "string",
- "missingBucketLabel": "Missing",
- "otherBucketLabel": "Other"
- }
- },
- "params": {}
- },
- "y": [
- {
- "accessor": 1,
- "aggType": "count",
- "format": {
- "id": "number"
+ "title": "Alerts Heatmap [Logs Azure]",
+ "type": "lens",
+ "visualizationType": "lnsHeatmap"
},
- "params": {}
- }
- ]
- },
- "enableHover": false,
- "invertColors": false,
- "legendPosition": "right",
- "percentageMode": false,
- "setColorRange": false,
- "times": [],
- "type": "heatmap",
- "valueAxes": [
- {
- "id": "ValueAxis-1",
- "labels": {
- "color": "black",
- "overwriteColor": false,
- "rotate": 0,
- "show": false
- },
- "scale": {
- "defaultYExtents": false,
- "type": "linear"
- },
- "show": false,
- "type": "value"
- }
- ],
- "legendSize": "auto"
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 20,
+ "i": "36fb5c08-80d9-4a1c-8fde-9c063381fdd8",
+ "w": 21,
+ "x": 0,
+ "y": 4
+ },
+ "panelIndex": "36fb5c08-80d9-4a1c-8fde-9c063381fdd8",
+ "title": "Alerts Heatmap",
+ "type": "lens",
+ "version": "8.6.2"
},
- "type": "heatmap",
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {},
- "schema": "metric",
- "type": "count"
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-814d0ae5-ed18-49ad-942d-8cd942a901e9",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "814d0ae5-ed18-49ad-942d-8cd942a901e9": {
+ "columnOrder": [
+ "6674f0d1-fc76-4845-80fa-3797c6fcdcbc",
+ "36d81bee-ff41-4d97-aed5-80a4e06cebd9"
+ ],
+ "columns": {
+ "36d81bee-ff41-4d97-aed5-80a4e06cebd9": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Alerts",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "6674f0d1-fc76-4845-80fa-3797c6fcdcbc": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Filters",
+ "operationType": "filters",
+ "params": {
+ "filters": [
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.activitylogs.result_type : \"Activated\""
+ },
+ "label": "Activated"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.activitylogs.result_type : \"Resolved\""
+ },
+ "label": "Resolved"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.activitylogs.result_type : \"Succeeded\""
+ },
+ "label": "Succeeded"
+ }
+ ]
+ },
+ "scale": "ordinal"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset :\"azure.activitylogs\" and (azure.activitylogs.event_category : \"Alert\" or azure.activitylogs.category : \"Alert\")"
+ },
+ "visualization": {
+ "breakdownByAccessor": "6674f0d1-fc76-4845-80fa-3797c6fcdcbc",
+ "layerId": "814d0ae5-ed18-49ad-942d-8cd942a901e9",
+ "layerType": "data",
+ "metricAccessor": "36d81bee-ff41-4d97-aed5-80a4e06cebd9"
+ }
+ },
+ "title": "Alerts Count [Logs Azure]",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Provider",
- "field": "azure.resource.provider",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "segment",
- "type": "terms"
+ "gridData": {
+ "h": 9,
+ "i": "162fb43e-fff3-4f50-aa9b-a713418bd651",
+ "w": 27,
+ "x": 21,
+ "y": 15
},
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Resource Group",
- "field": "azure.resource.group",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "group",
- "type": "terms"
- }
- ],
- "searchSource": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": "data_stream.dataset :\"azure.activitylogs\" and azure.activitylogs.event_category : \"Alert\" "
- }
- }
+ "panelIndex": "162fb43e-fff3-4f50-aa9b-a713418bd651",
+ "title": "Alerts Count",
+ "type": "lens",
+ "version": "8.6.2"
}
- }
- },
- "title": "Alerts Heatmap"
- }
- ],
- "timeRestore": false,
- "title": "[Logs Azure] Alerts Overview",
- "version": 1
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "type": "index-pattern",
- "name": "162fb43e-fff3-4f50-aa9b-a713418bd651:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "logs-*"
+ ],
+ "timeRestore": false,
+ "title": "[Logs Azure] Alerts Overview",
+ "version": 1
},
- {
- "type": "index-pattern",
- "name": "36fb5c08-80d9-4a1c-8fde-9c063381fdd8:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "logs-*"
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-06-08T07:33:56.370Z",
+ "id": "azure-0f559cc0-f0d5-11e9-90ec-112a988266d5",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
},
- {
- "name": "controlGroup_676fd632-a9c1-46ed-829b-ca5b55817379:optionsListDataView",
- "type": "index-pattern",
- "id": "logs-*"
- }
- ],
- "migrationVersion": {
- "dashboard": "8.6.0"
- },
- "coreMigrationVersion": "8.6.1"
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "e5e45365-c81a-4f7f-b58b-8d2d781329a5:indexpattern-datasource-layer-c0e8cd55-a662-40d4-87f4-a889776f3a75",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "36fb5c08-80d9-4a1c-8fde-9c063381fdd8:indexpattern-datasource-layer-edee18c5-648c-4f00-8293-cd72ff805e62",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "162fb43e-fff3-4f50-aa9b-a713418bd651:indexpattern-datasource-layer-814d0ae5-ed18-49ad-942d-8cd942a901e9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_676fd632-a9c1-46ed-829b-ca5b55817379:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/azure/kibana/dashboard/azure-1adf52d0-f50f-11eb-a831-732d3e9bbd43.json b/packages/azure/kibana/dashboard/azure-1adf52d0-f50f-11eb-a831-732d3e9bbd43.json
index f04963239b9..1d196ef4e3a 100644
--- a/packages/azure/kibana/dashboard/azure-1adf52d0-f50f-11eb-a831-732d3e9bbd43.json
+++ b/packages/azure/kibana/dashboard/azure-1adf52d0-f50f-11eb-a831-732d3e9bbd43.json
@@ -6,7 +6,7 @@
"ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
"panelsJSON": "{\"5cbc2c45-1213-4bb9-ab65-8dfc0cfbad8a\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"id\":\"5cbc2c45-1213-4bb9-ab65-8dfc0cfbad8a\",\"enhancements\":{}}},\"35a7fa77-1459-438c-8cb7-28770a0d7374\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.springcloudlogs.category\",\"title\":\"Spring Cloud Logs Type\",\"id\":\"35a7fa77-1459-438c-8cb7-28770a0d7374\",\"enhancements\":{}}}}"
},
- "description": "[Logs Azure] Azure Spring cloud Logs System Logs",
+ "description": "Dashboard providing statistics about System Logs ingested from Azure Spring Cloud.",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
diff --git a/packages/azure/kibana/dashboard/azure-1e5c9b50-f24a-11ec-a5a8-bf965bcd5646.json b/packages/azure/kibana/dashboard/azure-1e5c9b50-f24a-11ec-a5a8-bf965bcd5646.json
index 6b1fa405615..2d96f804c6b 100644
--- a/packages/azure/kibana/dashboard/azure-1e5c9b50-f24a-11ec-a5a8-bf965bcd5646.json
+++ b/packages/azure/kibana/dashboard/azure-1e5c9b50-f24a-11ec-a5a8-bf965bcd5646.json
@@ -12,7 +12,7 @@
"chainingSystem": "HIERARCHICAL",
"controlStyle": "oneLine",
"ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
- "panelsJSON": "{\"7cbe886c-4cc4-4fec-beff-7336b0965067\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.account.id\",\"title\":\"Subscription\",\"id\":\"7cbe886c-4cc4-4fec-beff-7336b0965067\",\"enhancements\":{}}},\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"observer.name\",\"title\":\"Firewall \",\"id\":\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\",\"enhancements\":{}}}}"
+ "panelsJSON": "{\"7cbe886c-4cc4-4fec-beff-7336b0965067\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.account.id\",\"title\":\"Subscription\",\"id\":\"7cbe886c-4cc4-4fec-beff-7336b0965067\",\"enhancements\":{}}},\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"observer.name\",\"title\":\"Firewall \",\"id\":\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\",\"enhancements\":{}}}}"
},
"description": "Dashboard providing statistics about alerts ingested from the Azure Firewall Application Rule Log events.",
"hits": 0,
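Review bot: The rewritten `panelsJSON` line still carries a trailing space in the second control's label, `\"title\":\"Firewall \"`, while the companion Azure Firewall dashboard (the azure-280493a0 hunk below) spells the same control `\"Firewall\"`; since this line is already being edited for the field rename, trimming it to `\"title\":\"Firewall\"` would keep the two dashboards' control labels consistent. The switch of the Subscription control from `azure.account.id` to `cloud.account.id` matches the field the sibling dashboard's Subscription control already uses, so both dashboards now filter on the same ECS field.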
diff --git a/packages/azure/kibana/dashboard/azure-280493a0-f1a1-11ec-a5a8-bf965bcd5646.json b/packages/azure/kibana/dashboard/azure-280493a0-f1a1-11ec-a5a8-bf965bcd5646.json
index 94d5839535f..961af9dc1bd 100644
--- a/packages/azure/kibana/dashboard/azure-280493a0-f1a1-11ec-a5a8-bf965bcd5646.json
+++ b/packages/azure/kibana/dashboard/azure-280493a0-f1a1-11ec-a5a8-bf965bcd5646.json
@@ -14,7 +14,7 @@
"ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
"panelsJSON": "{\"c0dc0cdb-57cb-4bee-9a88-2b680fa911da\":{\"order\":0,\"width\":\"medium\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.account.id\",\"title\":\"Subscription ID\",\"id\":\"c0dc0cdb-57cb-4bee-9a88-2b680fa911da\",\"enhancements\":{}}},\"fb42737f-72dc-4ace-89ac-746160498381\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"observer.name\",\"title\":\"Firewall\",\"id\":\"fb42737f-72dc-4ace-89ac-746160498381\",\"enhancements\":{}}}}"
},
- "description": "Dashboard providing an overall view of the AWS Network Firewall integration.",
+ "description": "Dashboard providing an overall view of the Azure Firewall integration.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
diff --git a/packages/azure/kibana/dashboard/azure-32aedb00-f524-11eb-b9f3-73fa29f35762.json b/packages/azure/kibana/dashboard/azure-32aedb00-f524-11eb-b9f3-73fa29f35762.json
index ae220e9aeb2..e01882a2e8c 100644
--- a/packages/azure/kibana/dashboard/azure-32aedb00-f524-11eb-b9f3-73fa29f35762.json
+++ b/packages/azure/kibana/dashboard/azure-32aedb00-f524-11eb-b9f3-73fa29f35762.json
@@ -6,7 +6,7 @@
"ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
"panelsJSON": "{\"92623f66-de82-45c4-b8ef-63131d89c01e\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"id\":\"92623f66-de82-45c4-b8ef-63131d89c01e\",\"enhancements\":{}}},\"bce239d6-6bc4-4bcf-8faa-2024ba2ed657\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.springcloudlogs.category\",\"title\":\"Spring Cloud Logs Type\",\"id\":\"bce239d6-6bc4-4bcf-8faa-2024ba2ed657\",\"enhancements\":{}}}}"
},
- "description": "",
+ "description": "Dashboard providing statistics about Application Console Logs ingested from Azure Spring Cloud.",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
@@ -1204,7 +1204,7 @@
}
],
"timeRestore": false,
- "title": "[Logs Azure] Azure Spring Cloud Logs Application Cloud Logs",
+ "title": "[Logs Azure] Azure Spring Cloud Logs Application Console Logs",
"version": 1
},
"coreMigrationVersion": "8.6.0",
diff --git a/packages/azure/kibana/dashboard/azure-3cdf69c0-32d9-11ed-a2e6-916b60bbea71.json b/packages/azure/kibana/dashboard/azure-3cdf69c0-32d9-11ed-a2e6-916b60bbea71.json
index 2e203bb0eaa..0fd1066d8cc 100644
--- a/packages/azure/kibana/dashboard/azure-3cdf69c0-32d9-11ed-a2e6-916b60bbea71.json
+++ b/packages/azure/kibana/dashboard/azure-3cdf69c0-32d9-11ed-a2e6-916b60bbea71.json
@@ -1,760 +1,787 @@
{
- "id": "azure-3cdf69c0-32d9-11ed-a2e6-916b60bbea71",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2023-03-07T09:38:25.166Z",
- "created_at": "2023-03-07T09:38:25.166Z",
- "version": "WzExMjc5LDFd",
- "attributes": {
-
- "description": "Provide an overview and statistics of the provisioning activities on your enterprise applications.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [
- {
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "data_stream.dataset",
- "negate": false,
- "params": {
- "query": "azure.provisioning"
- },
- "type": "phrase"
- },
- "query": {
- "match_phrase": {
- "data_stream.dataset": "azure.provisioning"
- }
- }
- }
- ],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "optionsJSON": {
- "hidePanelTitles": false,
- "syncColors": false,
- "useMargins": true
- },
- "panelsJSON": [
- {
- "version": "8.6.0",
- "type": "lens",
- "gridData": {
- "h": 12,
- "i": "3e85d806-64f3-4fef-9094-95820e962a59",
- "w": 8,
- "x": 0,
- "y": 0
- },
- "panelIndex": "3e85d806-64f3-4fef-9094-95820e962a59",
- "embeddableConfig": {
- "attributes": {
- "references": [
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434",
- "type": "index-pattern"
- }
- ],
- "state": {
- "datasourceStates": {
- "formBased": {
- "layers": {
- "2ac1988b-9f69-439c-8898-0a385bb56434": {
- "columnOrder": [
- "bb6d8913-2437-461c-a5cb-95f745f2e061",
- "37aa3be8-a77c-4241-92a7-4d1b58bc0d47"
- ],
- "columns": {
- "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Count of records",
- "operationType": "count",
- "scale": "ratio",
- "sourceField": "___records___"
+ "attributes": {
+ "description": "Provide an overview and statistics of the Azure AD Provisioning activities on your enterprise applications.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
},
- "bb6d8913-2437-461c-a5cb-95f745f2e061": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "System Name",
- "operationType": "terms",
- "params": {
- "missingBucket": false,
- "orderBy": {
- "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47",
- "type": "column"
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "azure.provisioning"
},
- "orderDirection": "desc",
- "otherBucket": true,
- "size": 5
- },
- "scale": "ordinal",
- "sourceField": "azure.provisioning.properties.source_system.name"
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "azure.provisioning"
+ }
}
- },
- "incompleteColumns": {}
}
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": "azure.provisioning.category : \"ProvisioningLogs\" "
- },
- "visualization": {
- "layers": [
- {
- "categoryDisplay": "default",
- "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434",
- "layerType": "data",
- "legendDisplay": "default",
- "nestedLegend": false,
- "numberDisplay": "percent",
- "legendSize": "auto",
- "primaryGroups": [
- "bb6d8913-2437-461c-a5cb-95f745f2e061"
- ],
- "metrics": [
- "37aa3be8-a77c-4241-92a7-4d1b58bc0d47"
- ]
- }
],
- "shape": "donut"
- }
- },
- "title": "",
- "type": "lens",
- "visualizationType": "lnsPie"
- },
- "enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
},
- "title": "Source Systems"
- },
- {
- "version": "8.6.0",
- "type": "lens",
- "gridData": {
- "h": 12,
- "i": "2f5e0c64-5e96-420c-bc64-afacc08e6170",
- "w": 40,
- "x": 8,
- "y": 0
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "useMargins": true
},
- "panelIndex": "2f5e0c64-5e96-420c-bc64-afacc08e6170",
- "embeddableConfig": {
- "attributes": {
- "references": [
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-layer-1f69b72b-c265-4fe1-b20d-88a15cff56f9",
- "type": "index-pattern"
- }
- ],
- "state": {
- "datasourceStates": {
- "formBased": {
- "layers": {
- "1f69b72b-c265-4fe1-b20d-88a15cff56f9": {
- "columnOrder": [
- "a586c6fb-aa02-42c6-a12b-8a283461a055",
- "284e3e1d-c5d0-4e97-ac45-ab7348467727",
- "e8e6a775-ed41-4215-9037-a7ee9e4b2b95"
- ],
- "columns": {
- "284e3e1d-c5d0-4e97-ac45-ab7348467727": {
- "customLabel": true,
- "dataType": "date",
- "isBucketed": true,
- "label": "Activity Date",
- "operationType": "date_histogram",
- "params": {
- "interval": "auto",
- "includeEmptyRows": true
- },
- "scale": "interval",
- "sourceField": "azure.provisioning.properties.activity_datetime"
- },
- "a586c6fb-aa02-42c6-a12b-8a283461a055": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Status",
- "operationType": "terms",
- "params": {
- "missingBucket": false,
- "orderBy": {
- "columnId": "e8e6a775-ed41-4215-9037-a7ee9e4b2b95",
- "type": "column"
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "2ac1988b-9f69-439c-8898-0a385bb56434": {
+ "columnOrder": [
+ "bb6d8913-2437-461c-a5cb-95f745f2e061",
+ "37aa3be8-a77c-4241-92a7-4d1b58bc0d47"
+ ],
+ "columns": {
+ "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "bb6d8913-2437-461c-a5cb-95f745f2e061": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "System Name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.provisioning.properties.source_system.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.provisioning.category : \"ProvisioningLogs\" "
},
- "orderDirection": "desc",
- "otherBucket": true,
- "size": 3
- },
- "scale": "ordinal",
- "sourceField": "azure.provisioning.properties.provisioning_status_info.status"
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "legendSize": "auto",
+ "metrics": [
+ "37aa3be8-a77c-4241-92a7-4d1b58bc0d47"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "bb6d8913-2437-461c-a5cb-95f745f2e061"
+ ]
+ }
+ ],
+ "shape": "donut"
+ }
},
- "e8e6a775-ed41-4215-9037-a7ee9e4b2b95": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Count of records",
- "operationType": "count",
- "scale": "ratio",
- "sourceField": "___records___"
- }
- },
- "incompleteColumns": {}
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": "azure.provisioning.category : \"ProvisioningLogs\" "
- },
- "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "fittingFunction": "None",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "labelsOrientation": {
- "x": 0,
- "yLeft": 0,
- "yRight": 0
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "layers": [
- {
- "accessors": [
- "e8e6a775-ed41-4215-9037-a7ee9e4b2b95"
- ],
- "layerId": "1f69b72b-c265-4fe1-b20d-88a15cff56f9",
- "layerType": "data",
- "position": "top",
- "seriesType": "bar_stacked",
- "showGridlines": false,
- "splitAccessor": "a586c6fb-aa02-42c6-a12b-8a283461a055",
- "xAccessor": "284e3e1d-c5d0-4e97-ac45-ab7348467727"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right",
- "legendSize": "auto"
- },
- "preferredSeriesType": "bar_stacked",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "valueLabels": "hide",
- "yLeftExtent": {
- "mode": "full"
+ "gridData": {
+ "h": 12,
+ "i": "3e85d806-64f3-4fef-9094-95820e962a59",
+ "w": 8,
+ "x": 0,
+ "y": 0
},
- "yRightExtent": {
- "mode": "full"
- }
- }
+ "panelIndex": "3e85d806-64f3-4fef-9094-95820e962a59",
+ "title": "Source Systems",
+ "type": "lens",
+ "version": "8.6.0"
},
- "title": "",
- "type": "lens",
- "visualizationType": "lnsXY"
- },
- "enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
- },
- "title": "Provisioning Timeline"
- },
- {
- "version": "8.6.0",
- "type": "lens",
- "gridData": {
- "h": 12,
- "i": "bbb69b3c-5709-44bf-9fb2-282185863941",
- "w": 8,
- "x": 0,
- "y": 12
- },
- "panelIndex": "bbb69b3c-5709-44bf-9fb2-282185863941",
- "embeddableConfig": {
- "attributes": {
- "references": [
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434",
- "type": "index-pattern"
- }
- ],
- "state": {
- "datasourceStates": {
- "formBased": {
- "layers": {
- "2ac1988b-9f69-439c-8898-0a385bb56434": {
- "columnOrder": [
- "bb6d8913-2437-461c-a5cb-95f745f2e061",
- "37aa3be8-a77c-4241-92a7-4d1b58bc0d47"
- ],
- "columns": {
- "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Count of records",
- "operationType": "count",
- "scale": "ratio",
- "sourceField": "___records___"
- },
- "bb6d8913-2437-461c-a5cb-95f745f2e061": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "System Name",
- "operationType": "terms",
- "params": {
- "missingBucket": false,
- "orderBy": {
- "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47",
- "type": "column"
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
},
- "orderDirection": "desc",
- "otherBucket": true,
- "size": 5
- },
- "scale": "ordinal",
- "sourceField": "azure.provisioning.properties.target_system.name"
- }
- },
- "incompleteColumns": {}
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": "azure.provisioning.category : \"ProvisioningLogs\" "
- },
- "visualization": {
- "layers": [
- {
- "categoryDisplay": "default",
- "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434",
- "layerType": "data",
- "legendDisplay": "default",
- "nestedLegend": false,
- "numberDisplay": "percent",
- "legendSize": "auto",
- "primaryGroups": [
- "bb6d8913-2437-461c-a5cb-95f745f2e061"
- ],
- "metrics": [
- "37aa3be8-a77c-4241-92a7-4d1b58bc0d47"
- ]
- }
- ],
- "shape": "donut"
- }
- },
- "title": "",
- "type": "lens",
- "visualizationType": "lnsPie"
- },
- "enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
- },
- "title": "Target Systems"
- },
- {
- "version": "8.6.0",
- "type": "lens",
- "gridData": {
- "h": 12,
- "i": "30ec913d-7cc6-46e6-aa9a-8fab0c3102e8",
- "w": 6,
- "x": 8,
- "y": 12
- },
- "panelIndex": "30ec913d-7cc6-46e6-aa9a-8fab0c3102e8",
- "embeddableConfig": {
- "attributes": {
- "references": [
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-layer-294d1395-9af2-4496-a6a1-0092fe28f2c1",
- "type": "index-pattern"
- }
- ],
- "state": {
- "datasourceStates": {
- "formBased": {
- "layers": {
- "294d1395-9af2-4496-a6a1-0092fe28f2c1": {
- "columnOrder": [
- "c3972110-af8a-4610-9c78-356de76c5b42"
- ],
- "columns": {
- "c3972110-af8a-4610-9c78-356de76c5b42": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Activities",
- "operationType": "count",
- "scale": "ratio",
- "sourceField": "___records___"
- }
- },
- "incompleteColumns": {}
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": "azure.provisioning.category : \"ProvisioningLogs\" and azure.provisioning.operation_name : \"Provisioning activity\" "
- },
- "visualization": {
- "accessor": "c3972110-af8a-4610-9c78-356de76c5b42",
- "layerId": "294d1395-9af2-4496-a6a1-0092fe28f2c1",
- "layerType": "data",
- "textAlign": "center",
- "titlePosition": "bottom",
- "size": "xl"
- }
- },
- "title": "",
- "type": "lens",
- "visualizationType": "lnsLegacyMetric"
- },
- "enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
- },
- "title": "Provisioning Activities"
- },
- {
- "version": "8.6.0",
- "type": "visualization",
- "gridData": {
- "h": 12,
- "i": "357e6699-3227-4674-a833-84c6487dc22e",
- "w": 34,
- "x": 14,
- "y": 12
- },
- "panelIndex": "357e6699-3227-4674-a833-84c6487dc22e",
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "aggregate": "concat",
- "customLabel": "Date",
- "field": "azure.provisioning.properties.activity_datetime",
- "size": 1,
- "sortField": "@timestamp",
- "sortOrder": "desc"
- },
- "schema": "metric",
- "type": "top_hits"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Name",
- "field": "azure.provisioning.properties.source_identity.name",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 3
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Type",
- "field": "azure.provisioning.properties.source_identity.identity_type",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "4",
- "params": {
- "customLabel": "Action",
- "field": "azure.provisioning.properties.action",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "5",
- "params": {
- "customLabel": "Source",
- "field": "azure.provisioning.properties.source_system.name",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "6",
- "params": {
- "customLabel": "Target",
- "field": "azure.provisioning.properties.target_system.name",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-1f69b72b-c265-4fe1-b20d-88a15cff56f9",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "1f69b72b-c265-4fe1-b20d-88a15cff56f9": {
+ "columnOrder": [
+ "a586c6fb-aa02-42c6-a12b-8a283461a055",
+ "284e3e1d-c5d0-4e97-ac45-ab7348467727",
+ "e8e6a775-ed41-4215-9037-a7ee9e4b2b95"
+ ],
+ "columns": {
+ "284e3e1d-c5d0-4e97-ac45-ab7348467727": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "Activity Date",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "azure.provisioning.properties.activity_datetime"
+ },
+ "a586c6fb-aa02-42c6-a12b-8a283461a055": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Status",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "e8e6a775-ed41-4215-9037-a7ee9e4b2b95",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "size": 3
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.provisioning.properties.provisioning_status_info.status"
+ },
+ "e8e6a775-ed41-4215-9037-a7ee9e4b2b95": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.provisioning.category : \"ProvisioningLogs\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "e8e6a775-ed41-4215-9037-a7ee9e4b2b95"
+ ],
+ "layerId": "1f69b72b-c265-4fe1-b20d-88a15cff56f9",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "splitAccessor": "a586c6fb-aa02-42c6-a12b-8a283461a055",
+ "xAccessor": "284e3e1d-c5d0-4e97-ac45-ab7348467727"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- {
- "enabled": true,
- "id": "7",
- "params": {
- "customLabel": "Status",
- "field": "azure.provisioning.properties.provisioning_status_info.status",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
+ "gridData": {
+ "h": 12,
+ "i": "2f5e0c64-5e96-420c-bc64-afacc08e6170",
+ "w": 40,
+ "x": 8,
+ "y": 0
},
- {
- "enabled": false,
- "id": "8",
- "params": {
- "customLabel": "Date",
- "field": "azure.provisioning.properties.activity_datetime",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- }
- ],
- "savedSearchId": "azure-a3664560-32ed-11ed-8fa6-3121b5e93ca0",
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": "azure.provisioning.category : \"ProvisioningLogs\" "
- }
- }
+ "panelIndex": "2f5e0c64-5e96-420c-bc64-afacc08e6170",
+ "title": "Provisioning Timeline",
+ "type": "lens",
+ "version": "8.6.0"
},
- "description": "",
- "id": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": false,
- "showTotal": false,
- "totalFunc": "sum"
- },
- "title": "",
- "type": "table",
- "uiState": {}
- },
- "table": null,
- "vis": {
- "params": {
- "colWidth": [
- {
- "colIndex": 1,
- "width": 121.42857142857142
- },
- {
- "colIndex": 2,
- "width": 123.0952380952381
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "2ac1988b-9f69-439c-8898-0a385bb56434": {
+ "columnOrder": [
+ "bb6d8913-2437-461c-a5cb-95f745f2e061",
+ "37aa3be8-a77c-4241-92a7-4d1b58bc0d47"
+ ],
+ "columns": {
+ "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "bb6d8913-2437-461c-a5cb-95f745f2e061": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "System Name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.provisioning.properties.target_system.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.provisioning.category : \"ProvisioningLogs\" "
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "legendSize": "auto",
+ "metrics": [
+ "37aa3be8-a77c-4241-92a7-4d1b58bc0d47"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "bb6d8913-2437-461c-a5cb-95f745f2e061"
+ ]
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- {
- "colIndex": 3,
- "width": 256.8952380952381
+ "gridData": {
+ "h": 12,
+ "i": "bbb69b3c-5709-44bf-9fb2-282185863941",
+ "w": 8,
+ "x": 0,
+ "y": 12
},
- {
- "colIndex": 4,
- "width": 213.89523809523808
+ "panelIndex": "bbb69b3c-5709-44bf-9fb2-282185863941",
+ "title": "Target Systems",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-294d1395-9af2-4496-a6a1-0092fe28f2c1",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "294d1395-9af2-4496-a6a1-0092fe28f2c1": {
+ "columnOrder": [
+ "c3972110-af8a-4610-9c78-356de76c5b42"
+ ],
+ "columns": {
+ "c3972110-af8a-4610-9c78-356de76c5b42": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Activities",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.provisioning.category : \"ProvisioningLogs\" and azure.provisioning.operation_name : \"Provisioning activity\" "
+ },
+ "visualization": {
+ "layerId": "294d1395-9af2-4496-a6a1-0092fe28f2c1",
+ "layerType": "data",
+ "metricAccessor": "c3972110-af8a-4610-9c78-356de76c5b42"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- {
- "colIndex": 5,
- "width": 107.2285714285714
+ "gridData": {
+ "h": 12,
+ "i": "30ec913d-7cc6-46e6-aa9a-8fab0c3102e8",
+ "w": 6,
+ "x": 8,
+ "y": 12
},
- {
- "colIndex": 0,
- "width": 179.22857142857146
+ "panelIndex": "30ec913d-7cc6-46e6-aa9a-8fab0c3102e8",
+ "title": "Provisioning Activities",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-8ba5f9b8-92e5-4fce-ad9a-8d588ff49d8a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8ba5f9b8-92e5-4fce-ad9a-8d588ff49d8a": {
+ "columnOrder": [
+ "4f1630a4-71ec-4bd0-b539-3ab147c30327",
+ "61e95905-b4ca-4627-8a67-0f8a2fe90afc",
+ "e8fad825-d394-49b5-b109-c231cedbb231",
+ "5bb5c164-10f0-4b24-b2d5-eef7d9620559",
+ "c3d5651d-662b-408d-a06e-8cf0f5b7b341",
+ "6c44f32b-481b-4940-a6e9-d0fd17408d86",
+ "128b662b-436d-49c7-9823-a5b500e98311"
+ ],
+ "columns": {
+ "128b662b-436d-49c7-9823-a5b500e98311": {
+ "customLabel": true,
+ "dataType": "date",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.provisioning.properties.activity_datetime: *"
+ },
+ "isBucketed": false,
+ "label": "Date",
+ "operationType": "last_value",
+ "params": {
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "azure.provisioning.properties.activity_datetime"
+ },
+ "4f1630a4-71ec-4bd0-b539-3ab147c30327": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 3
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.provisioning.properties.source_identity.name"
+ },
+ "5bb5c164-10f0-4b24-b2d5-eef7d9620559": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Source",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.provisioning.properties.source_system.name"
+ },
+ "61e95905-b4ca-4627-8a67-0f8a2fe90afc": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.provisioning.properties.source_identity.identity_type"
+ },
+ "6c44f32b-481b-4940-a6e9-d0fd17408d86": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Status",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.provisioning.properties.provisioning_status_info.status"
+ },
+ "c3d5651d-662b-408d-a06e-8cf0f5b7b341": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.provisioning.properties.target_system.name"
+ },
+ "e8fad825-d394-49b5-b109-c231cedbb231": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Action",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.provisioning.properties.action"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.provisioning.category : \"ProvisioningLogs\" "
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "128b662b-436d-49c7-9823-a5b500e98311"
+ },
+ {
+ "alignment": "left",
+ "columnId": "4f1630a4-71ec-4bd0-b539-3ab147c30327"
+ },
+ {
+ "alignment": "left",
+ "columnId": "61e95905-b4ca-4627-8a67-0f8a2fe90afc"
+ },
+ {
+ "alignment": "left",
+ "columnId": "e8fad825-d394-49b5-b109-c231cedbb231"
+ },
+ {
+ "alignment": "left",
+ "columnId": "5bb5c164-10f0-4b24-b2d5-eef7d9620559"
+ },
+ {
+ "alignment": "left",
+ "columnId": "c3d5651d-662b-408d-a06e-8cf0f5b7b341"
+ },
+ {
+ "alignment": "left",
+ "columnId": "6c44f32b-481b-4940-a6e9-d0fd17408d86"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "8ba5f9b8-92e5-4fce-ad9a-8d588ff49d8a",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- {
- "colIndex": 6,
- "width": 295.61428571428564
+ "gridData": {
+ "h": 12,
+ "i": "357e6699-3227-4674-a833-84c6487dc22e",
+ "w": 34,
+ "x": 14,
+ "y": 12
},
- {
- "colIndex": 7,
- "width": 89
- }
- ]
+ "panelIndex": "357e6699-3227-4674-a833-84c6487dc22e",
+ "title": "Last Activity",
+ "type": "lens",
+ "version": "8.6.0"
}
- },
- "type": "visualization"
- },
- "title": "Last Activity"
- }
- ],
- "timeRestore": false,
- "title": "[Logs Azure] Azure AD Provisioning Logs",
- "version": 1
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "3e85d806-64f3-4fef-9094-95820e962a59:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "3e85d806-64f3-4fef-9094-95820e962a59:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "2f5e0c64-5e96-420c-bc64-afacc08e6170:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "2f5e0c64-5e96-420c-bc64-afacc08e6170:indexpattern-datasource-layer-1f69b72b-c265-4fe1-b20d-88a15cff56f9",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bbb69b3c-5709-44bf-9fb2-282185863941:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bbb69b3c-5709-44bf-9fb2-282185863941:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "30ec913d-7cc6-46e6-aa9a-8fab0c3102e8:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
+ ],
+ "timeRestore": false,
+ "title": "[Logs Azure] Azure AD Provisioning Logs",
+ "version": 1
},
- {
- "id": "logs-*",
- "name": "30ec913d-7cc6-46e6-aa9a-8fab0c3102e8:indexpattern-datasource-layer-294d1395-9af2-4496-a6a1-0092fe28f2c1",
- "type": "index-pattern"
+ "coreMigrationVersion": "8.6.0",
+ "created_at": "2023-08-07T12:48:32.302Z",
+ "id": "azure-3cdf69c0-32d9-11ed-a2e6-916b60bbea71",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
},
- {
- "id": "azure-a3664560-32ed-11ed-8fa6-3121b5e93ca0",
- "name": "357e6699-3227-4674-a833-84c6487dc22e:search_0",
- "type": "search"
- }
- ],
- "migrationVersion": {
- "dashboard": "8.6.0"
- },
- "coreMigrationVersion": "8.6.1"
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3e85d806-64f3-4fef-9094-95820e962a59:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3e85d806-64f3-4fef-9094-95820e962a59:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2f5e0c64-5e96-420c-bc64-afacc08e6170:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2f5e0c64-5e96-420c-bc64-afacc08e6170:indexpattern-datasource-layer-1f69b72b-c265-4fe1-b20d-88a15cff56f9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "bbb69b3c-5709-44bf-9fb2-282185863941:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "bbb69b3c-5709-44bf-9fb2-282185863941:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "30ec913d-7cc6-46e6-aa9a-8fab0c3102e8:indexpattern-datasource-layer-294d1395-9af2-4496-a6a1-0092fe28f2c1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "357e6699-3227-4674-a833-84c6487dc22e:indexpattern-datasource-layer-8ba5f9b8-92e5-4fce-ad9a-8d588ff49d8a",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/azure/kibana/dashboard/azure-5ad41d90-f50e-11eb-a831-732d3e9bbd43.json b/packages/azure/kibana/dashboard/azure-5ad41d90-f50e-11eb-a831-732d3e9bbd43.json
index 659f079ea3e..ed07a228e64 100644
--- a/packages/azure/kibana/dashboard/azure-5ad41d90-f50e-11eb-a831-732d3e9bbd43.json
+++ b/packages/azure/kibana/dashboard/azure-5ad41d90-f50e-11eb-a831-732d3e9bbd43.json
@@ -6,7 +6,7 @@
"ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
"panelsJSON": "{\"a71b2a03-663d-4897-a3c2-4a363a5cd13c\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"id\":\"a71b2a03-663d-4897-a3c2-4a363a5cd13c\",\"enhancements\":{}}},\"19286679-ff18-4cb1-b048-e32dd60c3ff9\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.springcloudlogs.category\",\"title\":\"Spring Cloud Logs Type\",\"id\":\"19286679-ff18-4cb1-b048-e32dd60c3ff9\",\"enhancements\":{}}}}"
},
- "description": "Logs Azure] Azure Spring Cloud logs Overview",
+ "description": "Dashboard providing an overall view of the Azure Spring Cloud logs integration.",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
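Review bot: The new description on the `-`/`+` pair at the top of this hunk writes the product name as `Azure Spring Cloud logs`, while the second hunk of this file corrects the dashboard title to `[Logs Azure] Azure Spring Cloud Logs Overview` with a capital L; the two strings are shown together in the Kibana dashboard listing, so they should agree. If the title capitalisation is the intended one, change the description to `"description": "Dashboard providing an overall view of the Azure Spring Cloud Logs integration.",`; otherwise keep the title in the later hunk lowercase. The enclosing `attributes` object starts before this hunk, so I cannot see whether other text fields in the same object follow one convention.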
@@ -997,7 +997,7 @@
}
],
"timeRestore": false,
- "title": "[Logs Azure] Azure Spring Cloud logs Overview",
+ "title": "[Logs Azure] Azure Spring Cloud Logs Overview",
"version": 1
},
"coreMigrationVersion": "8.6.0",
diff --git a/packages/azure/kibana/dashboard/azure-5ee36c30-32dc-11ed-a2e6-916b60bbea71.json b/packages/azure/kibana/dashboard/azure-5ee36c30-32dc-11ed-a2e6-916b60bbea71.json
index 32b52c6b3f6..a9b748cedc3 100644
--- a/packages/azure/kibana/dashboard/azure-5ee36c30-32dc-11ed-a2e6-916b60bbea71.json
+++ b/packages/azure/kibana/dashboard/azure-5ee36c30-32dc-11ed-a2e6-916b60bbea71.json
@@ -1,748 +1,809 @@
{
- "id": "azure-5ee36c30-32dc-11ed-a2e6-916b60bbea71",
- "type": "dashboard",
- "namespaces": [
- "default"
- ],
- "updated_at": "2023-03-07T09:38:25.166Z",
- "created_at": "2023-03-07T09:38:25.166Z",
- "version": "WzExMjgyLDFd",
- "attributes": {
-
- "description": "Provide an overview and statistics of the provisioning activities on your enterprise applications.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [
- {
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "data_stream.dataset",
- "negate": false,
- "params": {
- "query": "azure.identityprotection"
- },
- "type": "phrase"
- },
- "query": {
- "match_phrase": {
- "data_stream.dataset": "azure.identityprotection"
- }
- }
- }
- ],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "optionsJSON": {
- "hidePanelTitles": false,
- "syncColors": false,
- "useMargins": true
- },
- "panelsJSON": [
- {
- "version": "8.6.0",
- "type": "lens",
- "gridData": {
- "h": 10,
- "i": "0705b471-583f-4593-916e-46b213966691",
- "w": 8,
- "x": 0,
- "y": 0
- },
- "panelIndex": "0705b471-583f-4593-916e-46b213966691",
- "embeddableConfig": {
- "attributes": {
- "references": [
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-layer-2b0a18e6-25a6-40ef-ade8-5dddbd897856",
- "type": "index-pattern"
- }
- ],
- "state": {
- "datasourceStates": {
- "formBased": {
- "layers": {
- "2b0a18e6-25a6-40ef-ade8-5dddbd897856": {
- "columnOrder": [
- "a1c2991d-9586-4c81-893a-e29584070568",
- "bd75d029-b44e-4c22-b06e-df0e4da1e694"
- ],
- "columns": {
- "a1c2991d-9586-4c81-893a-e29584070568": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Source",
- "operationType": "terms",
- "params": {
- "missingBucket": false,
- "orderBy": {
- "columnId": "bd75d029-b44e-4c22-b06e-df0e4da1e694",
- "type": "column"
+ "attributes": {
+ "description": "Provide an overview and statistics of the Azure AD Identity Protection activities on your enterprise applications.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "azure.identity_protection"
},
- "orderDirection": "desc",
- "otherBucket": true,
- "size": 5
- },
- "scale": "ordinal",
- "sourceField": "azure.identityprotection.properties.source"
+ "type": "phrase"
},
- "bd75d029-b44e-4c22-b06e-df0e4da1e694": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Count of records",
- "operationType": "count",
- "scale": "ratio",
- "sourceField": "___records___"
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "azure.identity_protection"
+ }
}
- },
- "incompleteColumns": {}
}
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": "azure.identityprotection.category : \"UserRiskEvents\" "
- },
- "visualization": {
- "layers": [
- {
- "categoryDisplay": "default",
- "layerId": "2b0a18e6-25a6-40ef-ade8-5dddbd897856",
- "layerType": "data",
- "legendDisplay": "default",
- "nestedLegend": false,
- "numberDisplay": "percent",
- "legendSize": "auto",
- "primaryGroups": [
- "a1c2991d-9586-4c81-893a-e29584070568"
- ],
- "metrics": [
- "bd75d029-b44e-4c22-b06e-df0e4da1e694"
- ]
- }
],
- "shape": "donut"
- }
- },
- "title": "",
- "type": "lens",
- "visualizationType": "lnsPie"
- },
- "enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
- },
- "title": "Detection Sources"
- },
- {
- "version": "8.6.0",
- "type": "lens",
- "gridData": {
- "h": 10,
- "i": "b5e5ace6-ace9-4c70-a6d2-60e2991a1d40",
- "w": 8,
- "x": 8,
- "y": 0
- },
- "panelIndex": "b5e5ace6-ace9-4c70-a6d2-60e2991a1d40",
- "embeddableConfig": {
- "attributes": {
- "references": [
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-layer-2b0a18e6-25a6-40ef-ade8-5dddbd897856",
- "type": "index-pattern"
- }
- ],
- "state": {
- "datasourceStates": {
- "formBased": {
- "layers": {
- "2b0a18e6-25a6-40ef-ade8-5dddbd897856": {
- "columnOrder": [
- "fab280b9-af2c-4256-a89f-19371827be79",
- "bd75d029-b44e-4c22-b06e-df0e4da1e694"
- ],
- "columns": {
- "bd75d029-b44e-4c22-b06e-df0e4da1e694": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Count of records",
- "operationType": "count",
- "scale": "ratio",
- "sourceField": "___records___"
- },
- "fab280b9-af2c-4256-a89f-19371827be79": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Detected Risk Type",
- "operationType": "terms",
- "params": {
- "missingBucket": false,
- "orderBy": {
- "columnId": "bd75d029-b44e-4c22-b06e-df0e4da1e694",
- "type": "column"
- },
- "orderDirection": "desc",
- "otherBucket": true,
- "size": 5
- },
- "scale": "ordinal",
- "sourceField": "azure.identityprotection.properties.risk_event_type"
- }
- },
- "incompleteColumns": {}
- }
- }
+ "query": {
+ "language": "kuery",
+ "query": ""
}
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": "azure.identityprotection.category : \"UserRiskEvents\" "
- },
- "visualization": {
- "layers": [
- {
- "categoryDisplay": "default",
- "layerId": "2b0a18e6-25a6-40ef-ade8-5dddbd897856",
- "layerType": "data",
- "legendDisplay": "default",
- "nestedLegend": false,
- "numberDisplay": "percent",
- "legendSize": "auto",
- "primaryGroups": [
- "fab280b9-af2c-4256-a89f-19371827be79"
- ],
- "metrics": [
- "bd75d029-b44e-4c22-b06e-df0e4da1e694"
- ]
- }
- ],
- "shape": "donut"
- }
- },
- "title": "",
- "type": "lens",
- "visualizationType": "lnsPie"
- },
- "enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
+ }
},
- "title": "Detected Risk Type"
- },
- {
- "version": "8.6.0",
- "type": "lens",
- "gridData": {
- "h": 10,
- "i": "854eeccf-1660-4c42-b5c9-23fd59f8546e",
- "w": 32,
- "x": 16,
- "y": 0
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "useMargins": true
},
- "panelIndex": "854eeccf-1660-4c42-b5c9-23fd59f8546e",
- "embeddableConfig": {
- "attributes": {
- "references": [
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "indexpattern-datasource-layer-88e4665c-0d7e-4529-91b3-d4dd23b4c842",
- "type": "index-pattern"
- }
- ],
- "state": {
- "datasourceStates": {
- "formBased": {
- "layers": {
- "88e4665c-0d7e-4529-91b3-d4dd23b4c842": {
- "columnOrder": [
- "3756bebc-5376-45e4-a3b0-5d7d8aed12fb",
- "526f2da3-311e-491a-b0d2-46122d1582ee",
- "545a5a92-574f-445c-8fc8-c3414408702b"
- ],
- "columns": {
- "3756bebc-5376-45e4-a3b0-5d7d8aed12fb": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Risk Type Event",
- "operationType": "terms",
- "params": {
- "missingBucket": false,
- "orderBy": {
- "columnId": "545a5a92-574f-445c-8fc8-c3414408702b",
- "type": "column"
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
},
- "orderDirection": "desc",
- "otherBucket": true,
- "size": 5
- },
- "scale": "ordinal",
- "sourceField": "azure.identityprotection.properties.risk_event_type"
- },
- "526f2da3-311e-491a-b0d2-46122d1582ee": {
- "customLabel": true,
- "dataType": "date",
- "isBucketed": true,
- "label": "Detected Date",
- "operationType": "date_histogram",
- "params": {
- "interval": "auto",
- "includeEmptyRows": true
- },
- "scale": "interval",
- "sourceField": "azure.identityprotection.properties.detected_datetime"
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-2b0a18e6-25a6-40ef-ade8-5dddbd897856",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "2b0a18e6-25a6-40ef-ade8-5dddbd897856": {
+ "columnOrder": [
+ "a1c2991d-9586-4c81-893a-e29584070568",
+ "bd75d029-b44e-4c22-b06e-df0e4da1e694"
+ ],
+ "columns": {
+ "a1c2991d-9586-4c81-893a-e29584070568": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Source",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bd75d029-b44e-4c22-b06e-df0e4da1e694",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.source"
+ },
+ "bd75d029-b44e-4c22-b06e-df0e4da1e694": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.identityprotection.category : \"UserRiskEvents\" "
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "2b0a18e6-25a6-40ef-ade8-5dddbd897856",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "legendSize": "auto",
+ "metrics": [
+ "bd75d029-b44e-4c22-b06e-df0e4da1e694"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "a1c2991d-9586-4c81-893a-e29584070568"
+ ]
+ }
+ ],
+ "shape": "donut"
+ }
},
- "545a5a92-574f-445c-8fc8-c3414408702b": {
- "dataType": "number",
- "isBucketed": false,
- "label": "Count of records",
- "operationType": "count",
- "scale": "ratio",
- "sourceField": "___records___"
- }
- },
- "incompleteColumns": {}
- }
- }
- }
- },
- "filters": [],
- "query": {
- "language": "kuery",
- "query": "azure.identityprotection.category : \"UserRiskEvents\" "
- },
- "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "fittingFunction": "None",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
+ "gridData": {
+ "h": 10,
+ "i": "0705b471-583f-4593-916e-46b213966691",
+ "w": 8,
+ "x": 0,
+ "y": 0
},
- "labelsOrientation": {
- "x": 0,
- "yLeft": 0,
- "yRight": 0
+ "panelIndex": "0705b471-583f-4593-916e-46b213966691",
+ "title": "Detection Sources",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-2b0a18e6-25a6-40ef-ade8-5dddbd897856",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "2b0a18e6-25a6-40ef-ade8-5dddbd897856": {
+ "columnOrder": [
+ "fab280b9-af2c-4256-a89f-19371827be79",
+ "bd75d029-b44e-4c22-b06e-df0e4da1e694"
+ ],
+ "columns": {
+ "bd75d029-b44e-4c22-b06e-df0e4da1e694": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "fab280b9-af2c-4256-a89f-19371827be79": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Detected Risk Type",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bd75d029-b44e-4c22-b06e-df0e4da1e694",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.risk_event_type"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.identityprotection.category : \"UserRiskEvents\" "
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "2b0a18e6-25a6-40ef-ade8-5dddbd897856",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "legendSize": "auto",
+ "metrics": [
+ "bd75d029-b44e-4c22-b06e-df0e4da1e694"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "fab280b9-af2c-4256-a89f-19371827be79"
+ ]
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "layers": [
- {
- "accessors": [
- "545a5a92-574f-445c-8fc8-c3414408702b"
- ],
- "layerId": "88e4665c-0d7e-4529-91b3-d4dd23b4c842",
- "layerType": "data",
- "position": "top",
- "seriesType": "bar_stacked",
- "showGridlines": false,
- "splitAccessor": "3756bebc-5376-45e4-a3b0-5d7d8aed12fb",
- "xAccessor": "526f2da3-311e-491a-b0d2-46122d1582ee"
- }
- ],
- "legend": {
- "isVisible": true,
- "position": "right",
- "legendSize": "auto"
+ "gridData": {
+ "h": 10,
+ "i": "b5e5ace6-ace9-4c70-a6d2-60e2991a1d40",
+ "w": 8,
+ "x": 8,
+ "y": 0
},
- "preferredSeriesType": "bar_stacked",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
+ "panelIndex": "b5e5ace6-ace9-4c70-a6d2-60e2991a1d40",
+ "title": "Detected Risk Type",
+ "type": "lens",
+ "version": "8.6.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-88e4665c-0d7e-4529-91b3-d4dd23b4c842",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "88e4665c-0d7e-4529-91b3-d4dd23b4c842": {
+ "columnOrder": [
+ "3756bebc-5376-45e4-a3b0-5d7d8aed12fb",
+ "526f2da3-311e-491a-b0d2-46122d1582ee",
+ "545a5a92-574f-445c-8fc8-c3414408702b"
+ ],
+ "columns": {
+ "3756bebc-5376-45e4-a3b0-5d7d8aed12fb": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Risk Type Event",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "545a5a92-574f-445c-8fc8-c3414408702b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.risk_event_type"
+ },
+ "526f2da3-311e-491a-b0d2-46122d1582ee": {
+ "customLabel": true,
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "Detected Date",
+ "operationType": "date_histogram",
+ "params": {
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "azure.identityprotection.properties.detected_datetime"
+ },
+ "545a5a92-574f-445c-8fc8-c3414408702b": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.identityprotection.category : \"UserRiskEvents\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "545a5a92-574f-445c-8fc8-c3414408702b"
+ ],
+ "layerId": "88e4665c-0d7e-4529-91b3-d4dd23b4c842",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "splitAccessor": "3756bebc-5376-45e4-a3b0-5d7d8aed12fb",
+ "xAccessor": "526f2da3-311e-491a-b0d2-46122d1582ee"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "auto",
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- "valueLabels": "hide",
- "yLeftExtent": {
- "mode": "full"
+ "gridData": {
+ "h": 10,
+ "i": "854eeccf-1660-4c42-b5c9-23fd59f8546e",
+ "w": 32,
+ "x": 16,
+ "y": 0
},
- "yRightExtent": {
- "mode": "full"
- }
- }
+ "panelIndex": "854eeccf-1660-4c42-b5c9-23fd59f8546e",
+ "title": "Detection Timeline",
+ "type": "lens",
+ "version": "8.6.0"
},
- "title": "",
- "type": "lens",
- "visualizationType": "lnsXY"
- },
- "enhancements": {},
- "hidePanelTitles": false,
- "type": "lens"
- },
- "title": "Detection Timeline"
- },
- {
- "version": "8.6.0",
- "type": "visualization",
- "gridData": {
- "h": 15,
- "i": "48157948-c755-4eee-9f28-aa5846bcc8c9",
- "w": 16,
- "x": 0,
- "y": 10
- },
- "panelIndex": "48157948-c755-4eee-9f28-aa5846bcc8c9",
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "aggregate": "concat",
- "customLabel": "Risk State",
- "field": "azure.identityprotection.properties.risk_state",
- "size": 1,
- "sortField": "@timestamp",
- "sortOrder": "desc"
- },
- "schema": "metric",
- "type": "top_hits"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Name",
- "field": "azure.identityprotection.properties.user_display_name",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-ca9b2f0a-f382-4c5e-928e-f5b929162361",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ca9b2f0a-f382-4c5e-928e-f5b929162361": {
+ "columnOrder": [
+ "d2a805b1-61ea-4fac-a13a-763d239d3517",
+ "ac8788e5-8a4c-4493-982a-9143a6b6bbab"
+ ],
+ "columns": {
+ "ac8788e5-8a4c-4493-982a-9143a6b6bbab": {
+ "customLabel": true,
+ "dataType": "string",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.identityprotection.properties.risk_state: *"
+ },
+ "isBucketed": false,
+ "label": "Risk State",
+ "operationType": "last_value",
+ "params": {
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.risk_state"
+ },
+ "d2a805b1-61ea-4fac-a13a-763d239d3517": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.user_display_name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.identityprotection.category : \"RiskyUsers\" "
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "ac8788e5-8a4c-4493-982a-9143a6b6bbab"
+ },
+ {
+ "alignment": "left",
+ "columnId": "d2a805b1-61ea-4fac-a13a-763d239d3517"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "ca9b2f0a-f382-4c5e-928e-f5b929162361",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- {
- "enabled": false,
- "id": "4",
- "params": {
- "customLabel": "Level",
- "field": "azure.identityprotection.properties.risk_level",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
+ "gridData": {
+ "h": 15,
+ "i": "48157948-c755-4eee-9f28-aa5846bcc8c9",
+ "w": 16,
+ "x": 0,
+ "y": 10
},
- {
- "enabled": false,
- "id": "5",
- "params": {
- "customLabel": "State",
- "field": "azure.identityprotection.properties.risk_state",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- }
- ],
- "savedSearchId": "azure-f7cc8d20-32e9-11ed-8fa6-3121b5e93ca0",
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "",
- "id": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": false,
- "showTotal": false,
- "totalFunc": "sum"
+ "panelIndex": "48157948-c755-4eee-9f28-aa5846bcc8c9",
+ "title": "Risky Users",
+ "type": "lens",
+ "version": "8.6.0"
},
- "title": "",
- "type": "table",
- "uiState": {}
- },
- "table": null,
- "vis": {
- "params": {
- "colWidth": [
- {
- "colIndex": 2,
- "width": 188.75
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-a3bd970e-1b56-4145-8614-72b06acc2d71",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "a3bd970e-1b56-4145-8614-72b06acc2d71": {
+ "columnOrder": [
+ "7f8e08dc-73bf-435d-bb2b-19940af59614",
+ "ece34404-7998-4c1b-bdf7-0e33903f43a9",
+ "dc018907-3f35-484a-88ac-5ef939431a65",
+ "5b960a06-7df2-4cda-8d09-8dda52ffc428",
+ "b5510eed-0a15-478a-b879-c12f23bd7180",
+ "d5041e63-a6b5-4feb-9cb5-78fb0c36d376"
+ ],
+ "columns": {
+ "5b960a06-7df2-4cda-8d09-8dda52ffc428": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Risk Level",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.risk_level"
+ },
+ "7f8e08dc-73bf-435d-bb2b-19940af59614": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.user_display_name"
+ },
+ "b5510eed-0a15-478a-b879-c12f23bd7180": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Detection Timing",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.detection_timing_type"
+ },
+ "d5041e63-a6b5-4feb-9cb5-78fb0c36d376": {
+ "customLabel": true,
+ "dataType": "date",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.identityprotection.properties.detected_datetime: *"
+ },
+ "isBucketed": false,
+ "label": "Date",
+ "operationType": "last_value",
+ "params": {
+ "showArrayValues": true,
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "azure.identityprotection.properties.detected_datetime"
+ },
+ "dc018907-3f35-484a-88ac-5ef939431a65": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Risk State",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.risk_state"
+ },
+ "ece34404-7998-4c1b-bdf7-0e33903f43a9": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "IP Address",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.identityprotection.properties.ip_address"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": " azure.identityprotection.category : \"UserRiskEvents\" "
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "d5041e63-a6b5-4feb-9cb5-78fb0c36d376"
+ },
+ {
+ "alignment": "left",
+ "columnId": "7f8e08dc-73bf-435d-bb2b-19940af59614"
+ },
+ {
+ "alignment": "left",
+ "columnId": "ece34404-7998-4c1b-bdf7-0e33903f43a9"
+ },
+ {
+ "alignment": "left",
+ "columnId": "dc018907-3f35-484a-88ac-5ef939431a65"
+ },
+ {
+ "alignment": "left",
+ "columnId": "5b960a06-7df2-4cda-8d09-8dda52ffc428"
+ },
+ {
+ "alignment": "left",
+ "columnId": "b5510eed-0a15-478a-b879-c12f23bd7180"
+ }
+ ],
+ "headerRowHeight": "single",
+ "layerId": "a3bd970e-1b56-4145-8614-72b06acc2d71",
+ "layerType": "data",
+ "paging": {
+ "enabled": true,
+ "size": 10
+ },
+ "rowHeight": "single"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
- {
- "colIndex": 0,
- "width": 431.08333333333337
+ "gridData": {
+ "h": 15,
+ "i": "5d0136d7-0ba1-4054-95ce-218ad42e157e",
+ "w": 32,
+ "x": 16,
+ "y": 10
},
- {
- "colIndex": 1,
- "width": 160.08333333333331
- }
- ]
+ "panelIndex": "5d0136d7-0ba1-4054-95ce-218ad42e157e",
+ "title": "Risky Sign-ins",
+ "type": "lens",
+ "version": "8.6.0"
}
- },
- "type": "visualization"
+ ],
+ "timeRestore": false,
+ "title": "[Logs Azure] Azure AD Identity Protection",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.0",
+ "created_at": "2023-08-07T12:36:54.602Z",
+ "id": "azure-5ee36c30-32dc-11ed-a2e6-916b60bbea71",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
},
- "title": "Risky Users"
- },
- {
- "version": "8.6.0",
- "type": "visualization",
- "gridData": {
- "h": 15,
- "i": "5d0136d7-0ba1-4054-95ce-218ad42e157e",
- "w": 32,
- "x": 16,
- "y": 10
+ {
+ "id": "logs-*",
+ "name": "0705b471-583f-4593-916e-46b213966691:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
},
- "panelIndex": "5d0136d7-0ba1-4054-95ce-218ad42e157e",
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
- "savedVis": {
- "data": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "aggregate": "concat",
- "customLabel": "Date",
- "field": "azure.identityprotection.properties.detected_datetime",
- "size": 1,
- "sortField": "@timestamp",
- "sortOrder": "desc"
- },
- "schema": "metric",
- "type": "top_hits"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Name",
- "field": "azure.identityprotection.properties.user_display_name",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "IP Address",
- "field": "azure.identityprotection.properties.ip_address",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "4",
- "params": {
- "customLabel": "Risk State",
- "field": "azure.identityprotection.properties.risk_state",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "5",
- "params": {
- "customLabel": "Risk Level",
- "field": "azure.identityprotection.properties.risk_level",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "6",
- "params": {
- "customLabel": "Detection Timing",
- "field": "azure.identityprotection.properties.detection_timing_type",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- }
- ],
- "savedSearchId": "azure-813b8ba0-32eb-11ed-8fa6-3121b5e93ca0",
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "",
- "id": "",
- "params": {
- "autoFitRowToContent": false,
- "perPage": 10,
- "percentageCol": "",
- "showMetricsAtAllLevels": false,
- "showPartialRows": false,
- "showToolbar": false,
- "showTotal": false,
- "totalFunc": "sum"
- },
- "title": "",
- "type": "table",
- "uiState": {}
- },
- "vis": {
- "params": {
- "sort": {
- "columnIndex": 5,
- "direction": "desc"
- }
- }
- },
- "type": "visualization"
+ {
+ "id": "logs-*",
+ "name": "0705b471-583f-4593-916e-46b213966691:indexpattern-datasource-layer-2b0a18e6-25a6-40ef-ade8-5dddbd897856",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b5e5ace6-ace9-4c70-a6d2-60e2991a1d40:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b5e5ace6-ace9-4c70-a6d2-60e2991a1d40:indexpattern-datasource-layer-2b0a18e6-25a6-40ef-ade8-5dddbd897856",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "854eeccf-1660-4c42-b5c9-23fd59f8546e:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "854eeccf-1660-4c42-b5c9-23fd59f8546e:indexpattern-datasource-layer-88e4665c-0d7e-4529-91b3-d4dd23b4c842",
+ "type": "index-pattern"
},
- "title": "Risky Sign-ins"
- }
+ {
+ "id": "logs-*",
+ "name": "48157948-c755-4eee-9f28-aa5846bcc8c9:indexpattern-datasource-layer-ca9b2f0a-f382-4c5e-928e-f5b929162361",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5d0136d7-0ba1-4054-95ce-218ad42e157e:indexpattern-datasource-layer-a3bd970e-1b56-4145-8614-72b06acc2d71",
+ "type": "index-pattern"
+ }
],
- "timeRestore": false,
- "title": "[Logs Azure] Azure AD Identity Protection",
- "version": 1
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0705b471-583f-4593-916e-46b213966691:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0705b471-583f-4593-916e-46b213966691:indexpattern-datasource-layer-2b0a18e6-25a6-40ef-ade8-5dddbd897856",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b5e5ace6-ace9-4c70-a6d2-60e2991a1d40:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b5e5ace6-ace9-4c70-a6d2-60e2991a1d40:indexpattern-datasource-layer-2b0a18e6-25a6-40ef-ade8-5dddbd897856",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "854eeccf-1660-4c42-b5c9-23fd59f8546e:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "854eeccf-1660-4c42-b5c9-23fd59f8546e:indexpattern-datasource-layer-88e4665c-0d7e-4529-91b3-d4dd23b4c842",
- "type": "index-pattern"
- },
- {
- "id": "azure-f7cc8d20-32e9-11ed-8fa6-3121b5e93ca0",
- "name": "48157948-c755-4eee-9f28-aa5846bcc8c9:search_0",
- "type": "search"
- },
- {
- "id": "azure-813b8ba0-32eb-11ed-8fa6-3121b5e93ca0",
- "name": "5d0136d7-0ba1-4054-95ce-218ad42e157e:search_0",
- "type": "search"
- }
- ],
- "migrationVersion": {
- "dashboard": "8.6.0"
- },
- "coreMigrationVersion": "8.6.1"
+ "type": "dashboard"
}
\ No newline at end of file
diff --git a/packages/azure/kibana/dashboard/azure-8731b980-f1aa-11ec-a5a8-bf965bcd5646.json b/packages/azure/kibana/dashboard/azure-8731b980-f1aa-11ec-a5a8-bf965bcd5646.json
index 072e5147803..14eb4a96119 100644
--- a/packages/azure/kibana/dashboard/azure-8731b980-f1aa-11ec-a5a8-bf965bcd5646.json
+++ b/packages/azure/kibana/dashboard/azure-8731b980-f1aa-11ec-a5a8-bf965bcd5646.json
@@ -12,7 +12,7 @@
"chainingSystem": "HIERARCHICAL",
"controlStyle": "oneLine",
"ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
- "panelsJSON": "{\"7cbe886c-4cc4-4fec-beff-7336b0965067\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.account.id\",\"title\":\"Subscription\",\"id\":\"7cbe886c-4cc4-4fec-beff-7336b0965067\",\"enhancements\":{}}},\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"observer.name\",\"title\":\"Firewall \",\"id\":\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\",\"enhancements\":{}}}}"
+ "panelsJSON": "{\"7cbe886c-4cc4-4fec-beff-7336b0965067\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.account.id\",\"title\":\"Subscription\",\"id\":\"7cbe886c-4cc4-4fec-beff-7336b0965067\",\"enhancements\":{}}},\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"observer.name\",\"title\":\"Firewall \",\"id\":\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\",\"enhancements\":{}}}}"
},
"description": "Dashboard providing statistics about alerts ingested from the Azure Firewall NAT Rule Log events.",
"hits": 0,
diff --git a/packages/azure/kibana/dashboard/azure-91224490-f1a6-11ec-a5a8-bf965bcd5646.json b/packages/azure/kibana/dashboard/azure-91224490-f1a6-11ec-a5a8-bf965bcd5646.json
index e691817b419..47244bcd7e9 100644
--- a/packages/azure/kibana/dashboard/azure-91224490-f1a6-11ec-a5a8-bf965bcd5646.json
+++ b/packages/azure/kibana/dashboard/azure-91224490-f1a6-11ec-a5a8-bf965bcd5646.json
@@ -12,9 +12,9 @@
"chainingSystem": "HIERARCHICAL",
"controlStyle": "oneLine",
"ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
- "panelsJSON": "{\"7cbe886c-4cc4-4fec-beff-7336b0965067\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.account.id\",\"title\":\"Subscription\",\"id\":\"7cbe886c-4cc4-4fec-beff-7336b0965067\",\"enhancements\":{}}},\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"observer.name\",\"title\":\"Observer name\",\"id\":\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\",\"enhancements\":{}}}}"
+ "panelsJSON": "{\"7cbe886c-4cc4-4fec-beff-7336b0965067\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.account.id\",\"title\":\"Subscription\",\"id\":\"7cbe886c-4cc4-4fec-beff-7336b0965067\",\"enhancements\":{}}},\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"observer.name\",\"title\":\"Observer name\",\"id\":\"3ae71a2b-35ee-4659-b6b5-c2ea9e1ab609\",\"enhancements\":{}}}}"
},
- "description": "Dashboard providing statistics about alerts ingested from the AWS Network Firewall integration.",
+ "description": "Dashboard providing statistics about alerts ingested from Azure Firewall Network Rule Log events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml
index 652938b4e5d..0fbbc7c0dc7 100644
--- a/packages/azure/manifest.yml
+++ b/packages/azure/manifest.yml
@@ -1,6 +1,6 @@
name: azure
title: Azure Logs
-version: 1.5.24
+version: 1.5.31
release: ga
description: This Elastic integration collects logs from Azure
type: integration
diff --git a/packages/azure_app_service/_dev/build/build.yml b/packages/azure_app_service/_dev/build/build.yml
new file mode 100644
index 00000000000..47cbed9fed8
--- /dev/null
+++ b/packages/azure_app_service/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v8.0.0
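Review bot: The ECS dependency is pinned to `git@v8.0.0` here, while the pipeline test fixtures added in this same change expect `ecs.version: 8.3.0` on every document, so the field definitions imported at build time lag the version the pipeline stamps on the data. If the pipeline maps to any field introduced after ECS 8.0.0, `elastic-package` field validation will reject it, and the mismatch is confusing for anyone reading the mappings. Align the two, most simply by changing this line to `reference: git@v8.3.0`, or lower the version the pipeline sets; which one is correct depends on the pipeline, which is outside this hunk.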
diff --git a/packages/azure_app_service/_dev/build/docs/README.md b/packages/azure_app_service/_dev/build/docs/README.md
new file mode 100644
index 00000000000..216a54d87c3
--- /dev/null
+++ b/packages/azure_app_service/_dev/build/docs/README.md
@@ -0,0 +1,58 @@
+# Azure App Service Integration
+
+The Azure App Service logs integration retrieves different types of logs categories from Azure App Service.
+Azure App Service provides different logging to help you track, monitor, and debug your web application.
+
+- HTTPLogs help monitor application health, performance and usage patterns.
+- AuditLogs provide insights when publishing users successfully log on via one of the App Service publishing protocols.
+- IPSecAuditLogs are generated through your application and pushed to Azure Monitoring.
+- PlatformLogs are generated through AppService platform for your application.
+- ConsoleLogs are generated from application or container.
+- AppLogs are generated through your application (ex. logging capabilities)
+
+## Data streams
+
+This integration currently collects one data stream:
+
+- App Service Logs
+
+## Requirements
+
+### Credentials
+
+`eventhub` :
+_string_
+Is the fully managed, real-time data ingestion service.
+
+`consumer_group` :
+_string_
+The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets.
+Default value: `$Default`
+
+`connection_string` :
+_string_
+The connection string required to communicate with Event Hubs, steps here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string.
+
+A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the filebeat azure module it can start back up at the spot that it stopped processing messages.
+
+`storage_account` :
+_string_
+The name of the storage account the state/offsets will be stored and updated.
+
+`storage_account_key` :
+_string_
+The storage account key, this key will be used to authorize access to data in your storage account.
+
+`resource_manager_endpoint` :
+_string_
+Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
+Ex:
+https://management.chinacloudapi.cn/ for azure ChinaCloud
+https://management.microsoftazure.de/ for azure GermanCloud
+https://management.azure.com/ for azure PublicCloud
+https://management.usgovcloudapi.net/ for azure USGovernmentCloud
+Users can also use this in case of a Hybrid Cloud model, where one may define their own endpoints.
+
+## App Service Logs
+
+{{fields "app_service_logs"}}
diff --git a/packages/azure_app_service/changelog.yml b/packages/azure_app_service/changelog.yml
new file mode 100644
index 00000000000..7c6f0c0b8e4
--- /dev/null
+++ b/packages/azure_app_service/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4818
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceapplogs-raw.log b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceapplogs-raw.log
new file mode 100644
index 00000000000..51859aeaeea
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceapplogs-raw.log
@@ -0,0 +1,2 @@
+{ "resultDescription": "Exception on /favicon.ico [GET]", "resourceId": "/SUBSCRIPTIONS/0E072EC1-C22F-44L8-ADDE-DA36ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86", "category": "AppServiceAppLogs", "time": "2023-02-16 10:18:01Z", "level": "Error", "EventStampType": "Stamp", "EventPrimaryStampName": "waws-prod-blu-219", "EventStampName": "waws-prod-blu-219", "Host": "lw1sdlwk0008EK", "EventIpAddress": "10.51.1.44"}
+{ "resultDescription": "hi there", "resourceId": "/SUBSCRIPTIONS/0E0733C1-C22F-4408-ADDE-DA35XD609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86", "category": "AppServiceAppLogs", "time": "2023-02-16 10:18:46Z", "level": "Informational", "EventStampType": "Stamp", "EventPrimaryStampName": "waws-prod-blu-219", "EventStampName": "waws-prod-blu-219", "Host": "lw1sdlwk0008EK", "EventIpAddress": "10.51.1.44"}
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceapplogs-raw.log-expected.json b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceapplogs-raw.log-expected.json
new file mode 100644
index 00000000000..b6d6f57bc0b
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceapplogs-raw.log-expected.json
@@ -0,0 +1,56 @@
+{
+ "expected": [
+ {
+ "azure": {
+ "app_service": {
+ "category": "AppServiceAppLogs",
+ "event_ip_address": "10.51.1.44",
+ "event_primary_stamp_name": "waws-prod-blu-219",
+ "event_stamp_name": "waws-prod-blu-219",
+ "event_stamp_type": "Stamp",
+ "host": "lw1sdlwk0008EK",
+ "level": "Error",
+ "result_description": "Exception on /favicon.ico [GET]"
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/0E072EC1-C22F-44L8-ADDE-DA36ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{ \"resultDescription\": \"Exception on /favicon.ico [GET]\", \"resourceId\": \"/SUBSCRIPTIONS/0E072EC1-C22F-44L8-ADDE-DA36ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86\", \"category\": \"AppServiceAppLogs\", \"time\": \"2023-02-16 10:18:01Z\", \"level\": \"Error\", \"EventStampType\": \"Stamp\", \"EventPrimaryStampName\": \"waws-prod-blu-219\", \"EventStampName\": \"waws-prod-blu-219\", \"Host\": \"lw1sdlwk0008EK\", \"EventIpAddress\": \"10.51.1.44\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "azure": {
+ "app_service": {
+ "category": "AppServiceAppLogs",
+ "event_ip_address": "10.51.1.44",
+ "event_primary_stamp_name": "waws-prod-blu-219",
+ "event_stamp_name": "waws-prod-blu-219",
+ "event_stamp_type": "Stamp",
+ "host": "lw1sdlwk0008EK",
+ "level": "Informational",
+ "result_description": "hi there"
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/0E0733C1-C22F-4408-ADDE-DA35XD609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{ \"resultDescription\": \"hi there\", \"resourceId\": \"/SUBSCRIPTIONS/0E0733C1-C22F-4408-ADDE-DA35XD609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86\", \"category\": \"AppServiceAppLogs\", \"time\": \"2023-02-16 10:18:46Z\", \"level\": \"Informational\", \"EventStampType\": \"Stamp\", \"EventPrimaryStampName\": \"waws-prod-blu-219\", \"EventStampName\": \"waws-prod-blu-219\", \"Host\": \"lw1sdlwk0008EK\", \"EventIpAddress\": \"10.51.1.44\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
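Review bot: Neither expected document carries an `@timestamp`, although each input line has a `time` value (`2023-02-16 10:18:01Z` and `2023-02-16 10:18:46Z`); compare the audit-log fixture in this same change, whose expected output does derive `@timestamp` from `time`. Presumably the pipeline's date processor only accepts the `T`-separated ISO form and falls through silently on this space-separated `YYYY-MM-DD HH:mm:ssZ` format, so these events would be indexed with ingest time rather than event time, which is a real defect for a log used in incident timelines, and this test currently pins that behaviour. Add a pattern such as `yyyy-MM-dd HH:mm:ssX` to the date processor and pin the result here, e.g. `"@timestamp": "2023-02-16T10:18:01.000Z"` on the first document and `"@timestamp": "2023-02-16T10:18:46.000Z"` on the second. The pipeline itself is outside this hunk, so the cause is inferred from the missing field.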
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceauditlogs-raw.log b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceauditlogs-raw.log
new file mode 100644
index 00000000000..a96ec78bba6
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceauditlogs-raw.log
@@ -0,0 +1 @@
+{"time":"2022-12-14T12:17:57.2735099Z","ResourceId":"/SUBSCRIPTIONS/12CABCB5-36E8-104F-A3D2-1DC9982F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/USER-TEST-APP","Category":"AppServiceAuditLogs","OperationName":"Authorization","Properties":{"User":"100320021ACECD34","UserDisplayName":"user@elastic.co","UserAddress":"0.0.0.0:5432","Protocol":"AAD"}}
\ No newline at end of file
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceauditlogs-raw.log-expected.json b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceauditlogs-raw.log-expected.json
new file mode 100644
index 00000000000..9173be7dc01
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceauditlogs-raw.log-expected.json
@@ -0,0 +1,32 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-14T12:17:57.273Z",
+ "azure": {
+ "app_service": {
+ "category": "AppServiceAuditLogs",
+ "operation_name": "Authorization",
+ "properties": {
+ "client_ip": "0.0.0.0",
+ "client_port": 5432,
+ "protocol": "AAD",
+ "user": "100320021ACECD34",
+ "user_display_name": "user@elastic.co"
+ }
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/12CABCB5-36E8-104F-A3D2-1DC9982F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/USER-TEST-APP"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{\"time\":\"2022-12-14T12:17:57.2735099Z\",\"ResourceId\":\"/SUBSCRIPTIONS/12CABCB5-36E8-104F-A3D2-1DC9982F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/USER-TEST-APP\",\"Category\":\"AppServiceAuditLogs\",\"OperationName\":\"Authorization\",\"Properties\":{\"User\":\"100320021ACECD34\",\"UserDisplayName\":\"user@elastic.co\",\"UserAddress\":\"0.0.0.0:5432\",\"Protocol\":\"AAD\"}}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceconsolelogs-raw.log b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceconsolelogs-raw.log
new file mode 100644
index 00000000000..9a48ec156e3
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceconsolelogs-raw.log
@@ -0,0 +1,2 @@
+{ "time": "2023-02-16T08:28:44.834410441Z", "resourceId": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86", "containerId": "01aa4f3e4be4c54ee115d64e99ecb3d4ad3b24a0af64c124f251de2c2a967e2c", "operationName": "Microsoft.Web/sites/log", "category": "AppServiceConsoleLogs", "resultDescription": " Request for index page received\n\n", "level": "Informational", "EventStampType": "Stamp", "EventPrimaryStampName": "waws-prod-blu-219", "EventStampName": "waws-prod-blu-219", "Host": "lw1sdlwk0008EK", "EventIpAddress": "10.61.5.44"}
+{ "time": "2023-02-16T08:28:44.834439441Z", "resourceId": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86", "containerId": "01aa4f3e4be4c54ee115d44e99ecb4d4ad3b24a8af64c124f251de2c2a967e2c", "operationName": "Microsoft.Web/sites/log", "category": "AppServiceConsoleLogs", "resultDescription": " 169.254.129.1 - - [16/Feb/2023:08:28:44 +0000] \"GET / HTTP/1.1\" 200 1469 \"https://sandbox-92-3.reactblade.portal.azure.net/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\"\n\n", "level": "Informational", "EventStampType": "Stamp", "EventPrimaryStampName": "waws-prod-blu-219", "EventStampName": "waws-prod-blu-219", "Host": "lw1sdlwk0008EK", "EventIpAddress": "10.61.5.44"}
\ No newline at end of file
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceconsolelogs-raw.log-expected.json b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceconsolelogs-raw.log-expected.json
new file mode 100644
index 00000000000..8703a9debbf
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceconsolelogs-raw.log-expected.json
@@ -0,0 +1,62 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-02-16T08:28:44.834Z",
+ "azure": {
+ "app_service": {
+ "category": "AppServiceConsoleLogs",
+ "container_id": "01aa4f3e4be4c54ee115d64e99ecb3d4ad3b24a0af64c124f251de2c2a967e2c",
+ "event_ip_address": "10.61.5.44",
+ "event_primary_stamp_name": "waws-prod-blu-219",
+ "event_stamp_name": "waws-prod-blu-219",
+ "event_stamp_type": "Stamp",
+ "host": "lw1sdlwk0008EK",
+ "level": "Informational",
+ "operation_name": "Microsoft.Web/sites/log",
+ "result_description": " Request for index page received\n\n"
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{ \"time\": \"2023-02-16T08:28:44.834410441Z\", \"resourceId\": \"/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86\", \"containerId\": \"01aa4f3e4be4c54ee115d64e99ecb3d4ad3b24a0af64c124f251de2c2a967e2c\", \"operationName\": \"Microsoft.Web/sites/log\", \"category\": \"AppServiceConsoleLogs\", \"resultDescription\": \" Request for index page received\\n\\n\", \"level\": \"Informational\", \"EventStampType\": \"Stamp\", \"EventPrimaryStampName\": \"waws-prod-blu-219\", \"EventStampName\": \"waws-prod-blu-219\", \"Host\": \"lw1sdlwk0008EK\", \"EventIpAddress\": \"10.61.5.44\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-02-16T08:28:44.834Z",
+ "azure": {
+ "app_service": {
+ "category": "AppServiceConsoleLogs",
+ "container_id": "01aa4f3e4be4c54ee115d44e99ecb4d4ad3b24a8af64c124f251de2c2a967e2c",
+ "event_ip_address": "10.61.5.44",
+ "event_primary_stamp_name": "waws-prod-blu-219",
+ "event_stamp_name": "waws-prod-blu-219",
+ "event_stamp_type": "Stamp",
+ "host": "lw1sdlwk0008EK",
+ "level": "Informational",
+ "operation_name": "Microsoft.Web/sites/log",
+ "result_description": " 169.254.129.1 - - [16/Feb/2023:08:28:44 +0000] \"GET / HTTP/1.1\" 200 1469 \"https://sandbox-92-3.reactblade.portal.azure.net/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\"\n\n"
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{ \"time\": \"2023-02-16T08:28:44.834439441Z\", \"resourceId\": \"/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86\", \"containerId\": \"01aa4f3e4be4c54ee115d44e99ecb4d4ad3b24a8af64c124f251de2c2a967e2c\", \"operationName\": \"Microsoft.Web/sites/log\", \"category\": \"AppServiceConsoleLogs\", \"resultDescription\": \" 169.254.129.1 - - [16/Feb/2023:08:28:44 +0000] \\\"GET / HTTP/1.1\\\" 200 1469 \\\"https://sandbox-92-3.reactblade.portal.azure.net/\\\" \\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\\\"\\n\\n\", \"level\": \"Informational\", \"EventStampType\": \"Stamp\", \"EventPrimaryStampName\": \"waws-prod-blu-219\", \"EventStampName\": \"waws-prod-blu-219\", \"Host\": \"lw1sdlwk0008EK\", \"EventIpAddress\": \"10.61.5.44\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicehttplogs-raw.log b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicehttplogs-raw.log
new file mode 100644
index 00000000000..aac839beff0
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicehttplogs-raw.log
@@ -0,0 +1,2 @@
+{"time": "2022-12-14T12:18:26.4843064Z", "resourceId": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST", "category": "AppServiceHTTPLogs", "properties": {"CsMethod":"POST","CsUriStem":"/api/command","SPort":"443","CIp":"81.2.69.142","UserAgent":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36","CsHost":"user-test.scm.azurewebsites.net","ScStatus":200,"ScSubStatus":"0","ScWin32Status":"0","ScBytes":778,"CsBytes":1523,"TimeTaken":1793,"Result":"Success","Cookie":"-","CsUriQuery":"X-ARR-LOG-ID=820d6db3-32ed-4b18-b1d2-2ce575080071","CsUsername":"-","Referer":"-","ComputerName":"WEBWK00000A"}}
+{ "time": "2022-12-14T12:18:26.4844541Z", "resourceId": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST", "category": "AppServiceHTTPLogs", "properties": {"CsMethod":"POST","CsUriStem":"/api/command","SPort":"443","CIp":"81.2.69.142","UserAgent":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36","CsHost":"user-test.scm.azurewebsites.net","ScStatus":200,"ScSubStatus":"0","ScWin32Status":"0","ScBytes":778,"CsBytes":1523,"TimeTaken":2578,"Result":"Success","Cookie":"-","CsUriQuery":"X-ARR-LOG-ID=3a3ea033-7afc-46fb-8cfc-9d1495fca2f1","CsUsername":"-","Referer":"-","ComputerName":"WEBWK00000A"}}
\ No newline at end of file
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicehttplogs-raw.log-expected.json b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicehttplogs-raw.log-expected.json
new file mode 100644
index 00000000000..11c2a6aab7c
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicehttplogs-raw.log-expected.json
@@ -0,0 +1,84 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-14T12:18:26.484Z",
+ "azure": {
+ "app_service": {
+ "category": "AppServiceHTTPLogs",
+ "properties": {
+ "client_ip": "81.2.69.142",
+ "computer_name": "WEBWK00000A",
+ "cookie": "-",
+ "cs_bytes": 1523,
+ "cs_host": "user-test.scm.azurewebsites.net",
+ "cs_method": "POST",
+ "cs_uri_query": "X-ARR-LOG-ID=820d6db3-32ed-4b18-b1d2-2ce575080071",
+ "cs_uri_stem": "/api/command",
+ "cs_username": "-",
+ "referer": "-",
+ "result": "Success",
+ "s_port": "443",
+ "sc_bytes": 778,
+ "sc_status": 200,
+ "sc_substatus": "0",
+ "sc_win32status": "0",
+ "time_taken": 1793,
+ "user_agent": "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36"
+ }
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{\"time\": \"2022-12-14T12:18:26.4843064Z\", \"resourceId\": \"/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST\", \"category\": \"AppServiceHTTPLogs\", \"properties\": {\"CsMethod\":\"POST\",\"CsUriStem\":\"/api/command\",\"SPort\":\"443\",\"CIp\":\"81.2.69.142\",\"UserAgent\":\"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36\",\"CsHost\":\"user-test.scm.azurewebsites.net\",\"ScStatus\":200,\"ScSubStatus\":\"0\",\"ScWin32Status\":\"0\",\"ScBytes\":778,\"CsBytes\":1523,\"TimeTaken\":1793,\"Result\":\"Success\",\"Cookie\":\"-\",\"CsUriQuery\":\"X-ARR-LOG-ID=820d6db3-32ed-4b18-b1d2-2ce575080071\",\"CsUsername\":\"-\",\"Referer\":\"-\",\"ComputerName\":\"WEBWK00000A\"}}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-12-14T12:18:26.484Z",
+ "azure": {
+ "app_service": {
+ "category": "AppServiceHTTPLogs",
+ "properties": {
+ "client_ip": "81.2.69.142",
+ "computer_name": "WEBWK00000A",
+ "cookie": "-",
+ "cs_bytes": 1523,
+ "cs_host": "user-test.scm.azurewebsites.net",
+ "cs_method": "POST",
+ "cs_uri_query": "X-ARR-LOG-ID=3a3ea033-7afc-46fb-8cfc-9d1495fca2f1",
+ "cs_uri_stem": "/api/command",
+ "cs_username": "-",
+ "referer": "-",
+ "result": "Success",
+ "s_port": "443",
+ "sc_bytes": 778,
+ "sc_status": 200,
+ "sc_substatus": "0",
+ "sc_win32status": "0",
+ "time_taken": 2578,
+ "user_agent": "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36"
+ }
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{ \"time\": \"2022-12-14T12:18:26.4844541Z\", \"resourceId\": \"/SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST\", \"category\": \"AppServiceHTTPLogs\", \"properties\": {\"CsMethod\":\"POST\",\"CsUriStem\":\"/api/command\",\"SPort\":\"443\",\"CIp\":\"81.2.69.142\",\"UserAgent\":\"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36\",\"CsHost\":\"user-test.scm.azurewebsites.net\",\"ScStatus\":200,\"ScSubStatus\":\"0\",\"ScWin32Status\":\"0\",\"ScBytes\":778,\"CsBytes\":1523,\"TimeTaken\":2578,\"Result\":\"Success\",\"Cookie\":\"-\",\"CsUriQuery\":\"X-ARR-LOG-ID=3a3ea033-7afc-46fb-8cfc-9d1495fca2f1\",\"CsUsername\":\"-\",\"Referer\":\"-\",\"ComputerName\":\"WEBWK00000A\"}}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
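Review bot: The expected `properties` object (L93940–L93959) carries `s_port`, `sc_substatus` and `sc_win32status` as strings while `sc_status`, `sc_bytes`, `cs_bytes` and `time_taken` are numbers; that is the raw event's typing passing straight through, and whether it agrees with the data stream's field mappings cannot be checked from this page (the HTTP-logs inner pipeline hunk continues past it). Either the pipeline should `convert` these to their numeric type, or the fixture is documenting that ports and sub-status codes are intentionally keyword fields, and that choice deserves a line in the pipeline description. Note also that `user_agent` keeps `+` where a browser UA has spaces (`Mozilla/5.0+(Windows+NT+10.0;...`), so any later `user_agent` processor would need a `gsub` of `+` to space first or it will misparse.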
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceipsecauditlogs-raw.log b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceipsecauditlogs-raw.log
new file mode 100644
index 00000000000..415fa13c580
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceipsecauditlogs-raw.log
@@ -0,0 +1 @@
+{ "time": "2023-02-16T09:54:20.7223739Z", "ResourceId": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86", "Category": "AppServiceIPSecAuditLogs", "OperationName": "Authorization", "Properties": {"Result":"Denied","CsHost":"mango-tree-3004d00656084194b08980b8db637b86.azurewebsites.net","ServiceEndpoint":"False","CIp":"0.0.0.0:52580","XForwardedFor":"","XForwardedHost":"","XAzureFDID":"","XFDHealthProbe":"","Details":"Denied by 0.0.0.0/0 rule."}}
\ No newline at end of file
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceipsecauditlogs-raw.log-expected.json b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceipsecauditlogs-raw.log-expected.json
new file mode 100644
index 00000000000..d555efeaa7e
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceipsecauditlogs-raw.log-expected.json
@@ -0,0 +1,37 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-02-16T09:54:20.722Z",
+ "azure": {
+ "app_service": {
+ "category": "AppServiceIPSecAuditLogs",
+ "operation_name": "Authorization",
+ "properties": {
+ "client_ip": "0.0.0.0",
+ "client_port": 52580,
+ "cs_host": "mango-tree-3004d00656084194b08980b8db637b86.azurewebsites.net",
+ "details": "Denied by 0.0.0.0/0 rule.",
+ "result": "Denied",
+ "service_endpoint": "False",
+ "xazurefdid": "",
+ "xfdhealth_probe": "",
+ "xforwarded_for": "",
+ "xforwarded_host": ""
+ }
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{ \"time\": \"2023-02-16T09:54:20.7223739Z\", \"ResourceId\": \"/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86\", \"Category\": \"AppServiceIPSecAuditLogs\", \"OperationName\": \"Authorization\", \"Properties\": {\"Result\":\"Denied\",\"CsHost\":\"mango-tree-3004d00656084194b08980b8db637b86.azurewebsites.net\",\"ServiceEndpoint\":\"False\",\"CIp\":\"0.0.0.0:52580\",\"XForwardedFor\":\"\",\"XForwardedHost\":\"\",\"XAzureFDID\":\"\",\"XFDHealthProbe\":\"\",\"Details\":\"Denied by 0.0.0.0/0 rule.\"}}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
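Review bot: The property names `xazurefdid`, `xfdhealth_probe`, `xforwarded_for` and `xforwarded_host` (L94047–L94050) are four different snake_case renderings of `XAzureFDID`, `XFDHealthProbe`, `XForwardedFor` and `XForwardedHost`; once shipped these become mapped field names that are hard to rename, so settling on one convention now (`x_azure_fdid`, `x_fd_health_probe`, `x_forwarded_for`, `x_forwarded_host`) is cheap. `service_endpoint: "False"` on L94046 is likewise a boolean carried as a string, which a `convert` with `type: boolean` in the producing pipeline would fix. The IPSec pipeline that produces these names is not on this page, so the fixture would need to change together with it.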
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicesplatformlogs-raw.log b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicesplatformlogs-raw.log
new file mode 100644
index 00000000000..8b8b07e3cb1
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicesplatformlogs-raw.log
@@ -0,0 +1,2 @@
+{ "resourceId": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609ACD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D0065608C194C08980B8DB637B86", "operationName": "ContainerLogs", "category": "AppServicePlatformLogs", "time": "2023-02-16T08:28:46.343Z", "level": "Informational", "properties": "{\"message\":\"EventName:SiteStopRequested - Reason:SiteNotStartableDuringChangeNotification - Message: - ContainerIDs:01aa4f3e4be4c54ee115d54e91ecb4d4ad3b24a0af64c124f251de2c2a967e2c - AdditionalInfo: \"}", "EventStampType": "Stamp", "EventPrimaryStampName": "waws-prod-blu-219", "EventStampName": "waws-prod-blu-219", "Host": "lw1sdlwk0008EK", "EventIpAddress": "10.61.1.44"}
+{ "resourceId": "/SUBSCRIPTIONS/0E073EC1-C22F-4438-ADBE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004E00656084194C08980B8DB637B86", "operationName": "ContainerLogs", "category": "AppServicePlatformLogs", "time": "2023-02-16T08:28:46.541Z", "level": "Informational", "properties": "{\"message\":\"EventName:ContainerStopped - Reason: - Message: - ContainerIDs:01aa4f3e4be4c54ee115d54e91ecb4d4ad3b24a0af64c124f251de2c2a967e2c - AdditionalInfo: \"}", "EventStampType": "Stamp", "EventPrimaryStampName": "waws-prod-blu-219", "EventStampName": "waws-prod-blu-219", "Host": "lw1sdlwk0008EK", "EventIpAddress": "10.61.1.44"}
\ No newline at end of file
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicesplatformlogs-raw.log-expected.json b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicesplatformlogs-raw.log-expected.json
new file mode 100644
index 00000000000..e734676f118
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicesplatformlogs-raw.log-expected.json
@@ -0,0 +1,60 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-02-16T08:28:46.343Z",
+ "azure": {
+ "app_service": {
+ "category": "AppServicePlatformLogs",
+ "event_ip_address": "10.61.1.44",
+ "event_primary_stamp_name": "waws-prod-blu-219",
+ "event_stamp_name": "waws-prod-blu-219",
+ "event_stamp_type": "Stamp",
+ "host": "lw1sdlwk0008EK",
+ "level": "Informational",
+ "log": "{\"message\":\"EventName:SiteStopRequested - Reason:SiteNotStartableDuringChangeNotification - Message: - ContainerIDs:01aa4f3e4be4c54ee115d54e91ecb4d4ad3b24a0af64c124f251de2c2a967e2c - AdditionalInfo: \"}",
+ "operation_name": "ContainerLogs"
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609ACD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D0065608C194C08980B8DB637B86"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{ \"resourceId\": \"/SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609ACD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D0065608C194C08980B8DB637B86\", \"operationName\": \"ContainerLogs\", \"category\": \"AppServicePlatformLogs\", \"time\": \"2023-02-16T08:28:46.343Z\", \"level\": \"Informational\", \"properties\": \"{\\\"message\\\":\\\"EventName:SiteStopRequested - Reason:SiteNotStartableDuringChangeNotification - Message: - ContainerIDs:01aa4f3e4be4c54ee115d54e91ecb4d4ad3b24a0af64c124f251de2c2a967e2c - AdditionalInfo: \\\"}\", \"EventStampType\": \"Stamp\", \"EventPrimaryStampName\": \"waws-prod-blu-219\", \"EventStampName\": \"waws-prod-blu-219\", \"Host\": \"lw1sdlwk0008EK\", \"EventIpAddress\": \"10.61.1.44\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-02-16T08:28:46.541Z",
+ "azure": {
+ "app_service": {
+ "category": "AppServicePlatformLogs",
+ "event_ip_address": "10.61.1.44",
+ "event_primary_stamp_name": "waws-prod-blu-219",
+ "event_stamp_name": "waws-prod-blu-219",
+ "event_stamp_type": "Stamp",
+ "host": "lw1sdlwk0008EK",
+ "level": "Informational",
+ "log": "{\"message\":\"EventName:ContainerStopped - Reason: - Message: - ContainerIDs:01aa4f3e4be4c54ee115d54e91ecb4d4ad3b24a0af64c124f251de2c2a967e2c - AdditionalInfo: \"}",
+ "operation_name": "ContainerLogs"
+ },
+ "resource": {
+ "id": "/SUBSCRIPTIONS/0E073EC1-C22F-4438-ADBE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004E00656084194C08980B8DB637B86"
+ }
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "event": {
+ "original": "{ \"resourceId\": \"/SUBSCRIPTIONS/0E073EC1-C22F-4438-ADBE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004E00656084194C08980B8DB637B86\", \"operationName\": \"ContainerLogs\", \"category\": \"AppServicePlatformLogs\", \"time\": \"2023-02-16T08:28:46.541Z\", \"level\": \"Informational\", \"properties\": \"{\\\"message\\\":\\\"EventName:ContainerStopped - Reason: - Message: - ContainerIDs:01aa4f3e4be4c54ee115d54e91ecb4d4ad3b24a0af64c124f251de2c2a967e2c - AdditionalInfo: \\\"}\", \"EventStampType\": \"Stamp\", \"EventPrimaryStampName\": \"waws-prod-blu-219\", \"EventStampName\": \"waws-prod-blu-219\", \"Host\": \"lw1sdlwk0008EK\", \"EventIpAddress\": \"10.61.1.44\"}"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
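Review bot: `azure.app_service.log` on L94098 and L94126 holds a JSON document serialised as a string (`{"message":"EventName:SiteStopRequested ..."}`), so the expected output keeps the `EventName`, `Reason` and `ContainerIDs` content opaque to queries and dashboards. Unless the raw `properties` string is not reliably JSON, a `json` processor on that field in the platform-logs inner pipeline (not on this page) would expose `message` as a real field, and this fixture would then be updated to match. If keeping the string form is intentional, a short note in that pipeline's description saying so would stop the next reader from filing the same issue.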
diff --git a/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-common-config.yml b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/azure_app_service/data_stream/app_service_logs/agent/stream/azure-eventhub.yml.hbs b/packages/azure_app_service/data_stream/app_service_logs/agent/stream/azure-eventhub.yml.hbs
new file mode 100644
index 00000000000..70a0e582651
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/agent/stream/azure-eventhub.yml.hbs
@@ -0,0 +1,46 @@
+{{#if connection_string}}
+connection_string: {{connection_string}}
+{{/if}}
+{{#if storage_account_container }}
+storage_account_container: {{storage_account_container}}
+{{else}}
+{{#if eventhub}}
+storage_account_container: app-service-logs-{{eventhub}}
+{{/if}}
+{{/if}}
+{{#if eventhub}}
+eventhub: {{eventhub}}
+{{/if}}
+{{#if consumer_group}}
+consumer_group: {{consumer_group}}
+{{/if}}
+{{#if storage_account}}
+storage_account: {{storage_account}}
+{{/if}}
+{{#if storage_account_key}}
+storage_account_key: {{storage_account_key}}
+{{/if}}
+{{#if resource_manager_endpoint}}
+resource_manager_endpoint: {{resource_manager_endpoint}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+sanitize_options:
+{{#if sanitize_newlines}}
+ - NEW_LINES
+{{/if}}
+{{#if sanitize_singlequotes}}
+ - SINGLE_QUOTES
+{{/if}}
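Review bot: The fallback `storage_account_container: app-service-logs-{{eventhub}}` on L94168 derives a blob container name from the event hub name without any normalisation; Azure container names are restricted to lowercase letters, digits and hyphens, while event hub names may carry uppercase letters, periods and underscores, so the derived default can be rejected at runtime whenever the user leaves `storage_account_container` unset. Unless a case-folding helper is available in this template dialect, the practical fix is to state the constraint in the template itself, e.g. `{{!-- storage_account_container defaults to app-service-logs-<eventhub>; the result must be a valid container name (lowercase letters, digits, hyphens) --}}`, and mirror it in the variable's description. Separately, `connection_string` (L94162) and `storage_account_key` (L94181) are emitted as unquoted plain scalars; a value containing `: ` or ` #` would be misread by the YAML parser, so quoting these two would be the more robust choice.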
diff --git a/packages/azure_app_service/data_stream/app_service_logs/agent/stream/log.yml.hbs b/packages/azure_app_service/data_stream/app_service_logs/agent/stream/log.yml.hbs
new file mode 100644
index 00000000000..d0bec8af049
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/agent/stream/log.yml.hbs
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-applogs-inner-pipeline.yml b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-applogs-inner-pipeline.yml
new file mode 100644
index 00000000000..f739af0c5e2
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-applogs-inner-pipeline.yml
@@ -0,0 +1,29 @@
+---
+description: Pipeline for processing Azure App Service App logs.
+processors:
+ - rename:
+ field: azure.app_service.resourceId
+ target_field: azure.resource.id
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.resultDescription
+ target_field: azure.app_service.result_description
+ - rename:
+ field: azure.app_service.EventStampType
+ target_field: azure.app_service.event_stamp_type
+ - rename:
+ field: azure.app_service.EventPrimaryStampName
+ target_field: azure.app_service.event_primary_stamp_name
+ - rename:
+ field: azure.app_service.EventStampName
+ target_field: azure.app_service.event_stamp_name
+ - rename:
+ field: azure.app_service.Host
+ target_field: azure.app_service.host
+ - rename:
+ field: azure.app_service.EventIpAddress
+ target_field: azure.app_service.event_ip_address
+on_failure:
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"
\ No newline at end of file
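Review bot: The processors on L94242–L94263 never touch the `time` field, and the expected fixture for these logs (earlier on this page) carries no `@timestamp` while the raw events use `"time": "2023-02-16 10:18:46Z"` with a space instead of the ISO `T`; that suggests the shared date handling upstream does not accept this format and the failure is swallowed. A `date` processor here with the format `yyyy-MM-dd HH:mm:ssX` on the field where the outer pipeline leaves `time` (not visible in this hunk) would give these events a timestamp, and the fixture should then assert it. Separately, only the `resourceId` rename carries `ignore_missing: true`; the remaining six renames will route any document lacking e.g. `EventStampType` to `on_failure`, so either add `ignore_missing: true` to each or document in the description that those fields are mandatory for this category.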
diff --git a/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-auditlogs-inner-pipeline.yml b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-auditlogs-inner-pipeline.yml
new file mode 100644
index 00000000000..c85a86f65c2
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-auditlogs-inner-pipeline.yml
@@ -0,0 +1,42 @@
+---
+description: Pipeline for processing Azure App Service Console Logs
+processors:
+ - rename:
+ field: azure.app_service.ResourceId
+ target_field: azure.resource.id
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.Category
+ target_field: azure.app_service.category
+ - rename:
+ field: azure.app_service.OperationName
+ target_field: azure.app_service.operation_name
+ - rename:
+ field: azure.app_service.Properties
+ target_field: azure.app_service.properties
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.properties.Protocol
+ target_field: azure.app_service.properties.protocol
+ - rename:
+ field: azure.app_service.properties.User
+ target_field: azure.app_service.properties.user
+ - rename:
+ field: azure.app_service.properties.UserAddress
+ target_field: azure.app_service.properties.client_ip
+ - rename:
+ field: azure.app_service.properties.UserDisplayName
+ target_field: azure.app_service.properties.user_display_name
+ - grok:
+ field: azure.app_service.properties.client_ip
+ patterns:
+ - '%{IPORHOST:azure.app_service.properties.client_ip}:%{POSINT:azure.app_service.properties.client_port:long}'
+ ignore_failure: true
+ - convert:
+ field: azure.app_service.properties.client_ip
+ type: ip
+ ignore_missing: true
+on_failure:
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"
\ No newline at end of file
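Review bot: The `description` on L94276 says "Console Logs" but this file is the audit-logs inner pipeline, and the console-logs pipeline that follows (L94325) says "Audit logs"; the two descriptions are swapped and should read `description: Pipeline for processing Azure App Service Audit logs.` here and `Console logs` there. Also, the `grok` on L94304 matches `IPORHOST` with `ignore_failure: true`, but the following `convert` to `type: ip` (L94309–L94312) has only `ignore_missing`; a `UserAddress` whose host part is a name rather than an address would pass grok and then fail the convert, sending the whole document to `on_failure` with none of the parsed fields. Adding `ignore_failure: true` to the convert, or grokking with `%{IP:...}` so non-address values are left untouched, keeps a single odd address from discarding the event's parsed fields.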
diff --git a/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-consolelogs-inner-pipeline.yml b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-consolelogs-inner-pipeline.yml
new file mode 100644
index 00000000000..61c98bcd8d3
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-consolelogs-inner-pipeline.yml
@@ -0,0 +1,35 @@
+---
+description: Pipeline for processing Azure App Service Audit logs.
+processors:
+ - rename:
+ field: azure.app_service.resourceId
+ target_field: azure.resource.id
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.containerId
+ target_field: azure.app_service.container_id
+ - rename:
+ field: azure.app_service.operationName
+ target_field: azure.app_service.operation_name
+ - rename:
+ field: azure.app_service.resultDescription
+ target_field: azure.app_service.result_description
+ - rename:
+ field: azure.app_service.EventStampType
+ target_field: azure.app_service.event_stamp_type
+ - rename:
+ field: azure.app_service.EventPrimaryStampName
+ target_field: azure.app_service.event_primary_stamp_name
+ - rename:
+ field: azure.app_service.EventStampName
+ target_field: azure.app_service.event_stamp_name
+ - rename:
+ field: azure.app_service.Host
+ target_field: azure.app_service.host
+ - rename:
+ field: azure.app_service.EventIpAddress
+ target_field: azure.app_service.event_ip_address
+on_failure:
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"
\ No newline at end of file
diff --git a/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-httplogs-inner-pipeline.yml b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-httplogs-inner-pipeline.yml
new file mode 100644
index 00000000000..126e4c98736
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-httplogs-inner-pipeline.yml
@@ -0,0 +1,65 @@
+---
+description: Pipeline for processing Azure App Service HTTP logs.
+processors:
+ - rename:
+ field: azure.app_service.resourceId
+ target_field: azure.resource.id
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.properties.CIp
+ target_field: azure.app_service.properties.client_ip
+ - rename:
+ field: azure.app_service.properties.ComputerName
+ target_field: azure.app_service.properties.computer_name
+ - rename:
+ field: azure.app_service.properties.Cookie
+ target_field: azure.app_service.properties.cookie
+ - rename:
+ field: azure.app_service.properties.CsBytes
+ target_field: azure.app_service.properties.cs_bytes
+ - rename:
+ field: azure.app_service.properties.CsHost
+ target_field: azure.app_service.properties.cs_host
+ - rename:
+ field: azure.app_service.properties.CsMethod
+ target_field: azure.app_service.properties.cs_method
+ - rename:
+ field: azure.app_service.properties.CsUriQuery
+ target_field: azure.app_service.properties.cs_uri_query
+ - rename:
+ field: azure.app_service.properties.CsUriStem
+ target_field: azure.app_service.properties.cs_uri_stem
+ - rename:
+ field: azure.app_service.properties.CsUsername
+ target_field: azure.app_service.properties.cs_username
+ - rename:
+ field: azure.app_service.properties.Referer
+ target_field: azure.app_service.properties.referer
+ - rename:
+ field: azure.app_service.properties.Result
+ target_field: azure.app_service.properties.result
+ - rename:
+ field: azure.app_service.properties.SPort
+ target_field: azure.app_service.properties.s_port
+ - rename:
+ field: azure.app_service.properties.ScBytes
+ target_field: azure.app_service.properties.sc_bytes
+ - rename:
+ field: azure.app_service.properties.ScStatus
+ target_field: azure.app_service.properties.sc_status
+ - rename:
+ field: azure.app_service.properties.ScSubStatus
+ target_field: azure.app_service.properties.sc_substatus
+ - rename:
+ field: azure.app_service.properties.ScWin32Status
+ target_field: azure.app_service.properties.sc_win32status
+ - rename:
+ field: azure.app_service.properties.TimeTaken
+ target_field: azure.app_service.properties.time_taken
+ - rename:
+ field: azure.app_service.properties.UserAgent
+ target_field: azure.app_service.properties.user_agent
+on_failure:
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"
\ No newline at end of file
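Review bot: The rename of `azure.app_service.properties.Cookie` to `azure.app_service.properties.cookie` keeps the full request Cookie header in the indexed document, and `cs_username` and `cs_uri_query` are retained the same way; Cookie values routinely carry session identifiers, so anyone with read access to the data stream can read them. Consider dropping the cookie field by default (`- remove: { field: azure.app_service.properties.cookie, ignore_missing: true }`) or at least documenting in the package README that it is stored verbatim. As in the console-logs pipeline, none of the renames after the first carry `ignore_missing: true`, so a request record without an optional header such as `Referer` or `Cookie` fails the whole inner pipeline.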
diff --git a/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-ipsecauditlogs-inner-pipeline.yml b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-ipsecauditlogs-inner-pipeline.yml
new file mode 100644
index 00000000000..5bcb306d553
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-ipsecauditlogs-inner-pipeline.yml
@@ -0,0 +1,69 @@
+---
+description: Pipeline for processing Azure App Service IPSec Audit logs.
+processors:
+ - rename:
+ field: azure.app_service.ResourceId
+ target_field: azure.resource.id
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.Category
+ target_field: azure.app_service.category
+ - rename:
+ field: azure.app_service.OperationName
+ target_field: azure.app_service.operation_name
+ - rename:
+ field: azure.app_service.Properties
+ target_field: azure.app_service.properties
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.properties.CIp
+ target_field: azure.app_service.properties.client_ip
+ - rename:
+ field: azure.app_service.properties.CsHost
+ target_field: azure.app_service.properties.cs_host
+ - rename:
+ field: azure.app_service.properties.Result
+ target_field: azure.app_service.properties.result
+ - rename:
+ field: azure.app_service.properties.Details
+ target_field: azure.app_service.properties.details
+ - rename:
+ field: azure.app_service.properties.ServiceEndpoint
+ target_field: azure.app_service.properties.service_endpoint
+ - rename:
+ field: azure.app_service.properties.XForwardedFor
+ target_field: azure.app_service.properties.xforwarded_for
+ - rename:
+ field: azure.app_service.properties.XForwardedHost
+ target_field: azure.app_service.properties.xforwarded_host
+ - rename:
+ field: azure.app_service.properties.XAzureFDID
+ target_field: azure.app_service.properties.xazurefdid
+ - rename:
+ field: azure.app_service.properties.XFDHealthProbe
+ target_field: azure.app_service.properties.xfdhealth_probe
+ - rename:
+ field: azure.app_service.properties.Type
+ target_field: azure.app_service.properties.type
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.properties.TimeGenerated
+ target_field: azure.app_service.properties.time_generated
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.properties.SourceSystem
+ target_field: azure.app_service.properties.source_system
+ ignore_missing: true
+ - grok:
+ field: azure.app_service.properties.client_ip
+ patterns:
+ - '%{IPORHOST:azure.app_service.properties.client_ip}:%{POSINT:azure.app_service.properties.client_port:long}'
+ ignore_failure: true
+ - convert:
+ field: azure.app_service.properties.client_ip
+ type: ip
+ ignore_missing: true
+on_failure:
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"
\ No newline at end of file
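Review bot: The `grok` near the end of the hunk uses `IPORHOST`, which also accepts hostnames, and only matches the `host:port` form, yet the `convert` to type `ip` that follows has no `ignore_failure`; a hostname, or a bracketed IPv6 address with port that the pattern does not match, sends the event to `on_failure` with an `error.message` instead of leaving the field as a string. Either add `ignore_failure: true` to the convert or narrow the pattern to `%{IP:azure.app_service.properties.client_ip}:%{POSINT:azure.app_service.properties.client_port:long}` so that only genuine addresses reach the conversion. `Properties` is renamed with `ignore_missing: true`, but the `properties.*` renames that follow are not, so an event without `Properties` fails at the `CIp` rename rather than passing through.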
diff --git a/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-platformlogs-inner-pipeline.yml b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-platformlogs-inner-pipeline.yml
new file mode 100644
index 00000000000..277167a2b0c
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/appservice-platformlogs-inner-pipeline.yml
@@ -0,0 +1,32 @@
+---
+description: Pipeline for processing Azure App Service Platform logs.
+processors:
+ - rename:
+ field: azure.app_service.resourceId
+ target_field: azure.resource.id
+ ignore_missing: true
+ - rename:
+ field: azure.app_service.operationName
+ target_field: azure.app_service.operation_name
+ - rename:
+ field: azure.app_service.EventStampType
+ target_field: azure.app_service.event_stamp_type
+ - rename:
+ field: azure.app_service.EventPrimaryStampName
+ target_field: azure.app_service.event_primary_stamp_name
+ - rename:
+ field: azure.app_service.EventStampName
+ target_field: azure.app_service.event_stamp_name
+ - rename:
+ field: azure.app_service.Host
+ target_field: azure.app_service.host
+ - rename:
+ field: azure.app_service.EventIpAddress
+ target_field: azure.app_service.event_ip_address
+ - rename:
+ field: azure.app_service.properties
+ target_field: azure.app_service.log
+on_failure:
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"
\ No newline at end of file
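Review bot: The last rename moves `azure.app_service.properties` into `azure.app_service.log`, but `fields.yml` in this change declares `azure.app_service.log` as `keyword`; if `properties` arrives as an object here, as it does for the HTTP and IPSec logs handled by the sibling pipelines, the document is rejected with a mapping conflict rather than indexed. Confirm against a sample platform event whether `properties` is a plain string; if it is an object, type `log` as `flattened` instead, or serialize it before the rename. The intermediate renames lack `ignore_missing: true`, so a platform event missing any stamp field aborts the inner pipeline.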
diff --git a/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml
new file mode 100644
index 00000000000..c4023f3d438
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml
@@ -0,0 +1,88 @@
+---
+description: Pipeline for parsing Azure shared log fields.
+processors:
+ - set:
+ field: cloud.provider
+ value: azure
+ - grok:
+ field: azure.resource_id
+ patterns:
+ - (?i)/subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/namespaces/%{NAMESPACE:azure.resource.namespace}/authorizationRules/%{RULE:azure.resource.authorization_rule}
+ pattern_definitions:
+ SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+ GROUPID: .+
+ PROVIDERNAME: .+
+ NAMESPACE: .+
+ RULE: .+
+ ignore_failure: true
+ - grok:
+ field: azure.resource_id
+ if: 'ctx.azure?.subscription_id == null'
+ patterns:
+ - (?i)/subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name}
+ pattern_definitions:
+ SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+ GROUPID: .+
+ PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+/([A-Za-z])\w+.
+ NAME: ((?!AUTHORIZATIONRULES).)*$
+ ignore_failure: true
+ - grok:
+ field: azure.resource_id
+ if: 'ctx.azure?.subscription_id == null'
+ patterns:
+ - (?i)/subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name}
+ pattern_definitions:
+ SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+ GROUPID: .+
+ PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+\/([A-Za-z][^\/])\w+
+ NAME: .+
+ ignore_failure: true
+ - grok:
+ field: azure.resource_id
+ if: 'ctx.azure?.subscription_id == null'
+ patterns:
+ - (?i)/providers/%{PROVIDER:azure.resource.provider}
+ pattern_definitions:
+ PROVIDER: .+
+ ignore_failure: true
+ - grok:
+ field: azure.resource_id
+ if: 'ctx.azure?.subscription_id == null'
+ patterns:
+ - (?i)/subscriptions/%{SUBID:azure.subscription_id}/providers/%{PROVIDERNAME:azure.resource.provider}
+ pattern_definitions:
+ SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+ PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+\/([A-Za-z][^\/])\w+
+ ignore_failure: true
+ - grok:
+ field: azure.resource_id
+ if: 'ctx.azure?.subscription_id == null'
+ patterns:
+ - (?i)/subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}
+ pattern_definitions:
+ SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+ GROUPID: .+
+ ignore_failure: true
+ - grok:
+ field: azure.resource_id
+ if: 'ctx.azure?.subscription_id == null'
+ patterns:
+ - (?i)/subscriptions/%{SUBID:azure.subscription_id}
+ pattern_definitions:
+ SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+ ignore_failure: true
+ - rename:
+ field: azure.resource_id
+ target_field: azure.resource.id
+ ignore_missing: true
+ - lowercase:
+ field: event.outcome
+ ignore_missing: true
+ - set:
+ field: cloud.account.id
+ copy_from: azure.subscription_id
+ ignore_empty_value: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
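Review bot: Nothing in this change invokes `azure-shared-pipeline`: `default.yml` routes only to the per-category inner pipelines, and those rename `resourceId` straight to `azure.resource.id`, while every grok in this file reads `azure.resource_id`. Unless a pipeline outside this chunk calls it, the subscription and resource-group parsing and the `cloud.account.id` set never run, so `cloud.account.id` declared in `ecs.yml` stays empty; either add `- pipeline: name: '{{ IngestPipeline "azure-shared-pipeline" }}'` to `default.yml` after the routing and have the inner pipelines rename to `azure.resource_id`, or drop the file. If it is kept, the `PROVIDERNAME` definitions use an unescaped `.` in `([A-Za-z])\w+.([A-Za-z])\w+`, which matches any character where `\.` was presumably intended.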
diff --git a/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/default.yml b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..b546d755555
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,67 @@
+---
+description: Pipeline for processing Azure App Service logs.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.3.0'
+ - rename:
+ field: azure
+ target_field: azure-eventhub
+ ignore_missing: true
+ - script:
+ source: ctx.message = ctx.message.replace(params.empty_field_name, '')
+ params:
+ empty_field_name: '"":"",'
+ ignore_failure: true
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: 'ctx.event?.original == null'
+ description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.'
+ - remove:
+ field: message
+ ignore_missing: true
+ if: 'ctx.event?.original != null'
+ description: 'The `message` field is no longer required if the document has an `event.original` field.'
+ - json:
+ field: event.original
+ target_field: azure.app_service
+ ignore_failure: true
+ - date:
+ field: azure.app_service.time
+ target_field: '@timestamp'
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - remove:
+ field: azure.app_service.time
+ ignore_missing: true
+ - pipeline:
+ if: "ctx?.azure?.app_service?.Category == 'AppServiceAuditLogs'"
+ name: '{{ IngestPipeline "appservice-auditlogs-inner-pipeline" }}'
+ - pipeline:
+ if: "ctx?.azure?.app_service?.category == 'AppServiceHTTPLogs'"
+ name: '{{ IngestPipeline "appservice-httplogs-inner-pipeline" }}'
+ - pipeline:
+ if: "ctx?.azure?.app_service?.Category == 'AppServiceIPSecAuditLogs'"
+ name: '{{ IngestPipeline "appservice-ipsecauditlogs-inner-pipeline" }}'
+ - pipeline:
+ if: "ctx?.azure?.app_service?.category == 'AppServiceConsoleLogs'"
+ name: '{{ IngestPipeline "appservice-consolelogs-inner-pipeline" }}'
+ - pipeline:
+ if: "ctx?.azure?.app_service?.category == 'AppServicePlatformLogs'"
+ name: '{{ IngestPipeline "appservice-platformlogs-inner-pipeline" }}'
+ - pipeline:
+ if: "ctx?.azure?.app_service?.category == 'AppServiceAppLogs'"
+ name: '{{ IngestPipeline "appservice-applogs-inner-pipeline" }}'
+on_failure:
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"
+ - remove:
+ field:
+ - json
+ - _conf
+ - message
+ ignore_missing: true
\ No newline at end of file
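Review bot: The manifest in this change exposes a `preserve_original_event` option that defaults to false, but nothing in this pipeline removes `event.original` when it is unset, so the raw payload, including Cookie and user-name values from HTTP logs, is always indexed alongside the parsed fields. Add, after the inner-pipeline routing, `- remove: { field: event.original, if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))", ignore_failure: true, ignore_missing: true }`, which is how other Elastic integrations honour that option. Separately, the `json` processor has `ignore_failure: true`, so a malformed payload yields a document with no `azure.app_service` object, no category routing and no `error.message`; drop `ignore_failure` so it reaches `on_failure`. The routing conditions check `Category` for the audit and IPSec branches and `category` for the others; if that mirrors the source data it deserves a `description` saying so, otherwise it is a typo.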
diff --git a/packages/azure_app_service/data_stream/app_service_logs/fields/base-fields.yml b/packages/azure_app_service/data_stream/app_service_logs/fields/base-fields.yml
new file mode 100644
index 00000000000..a9a65458fc5
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/fields/base-fields.yml
@@ -0,0 +1,21 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/azure_app_service/data_stream/app_service_logs/fields/ecs.yml b/packages/azure_app_service/data_stream/app_service_logs/fields/ecs.yml
new file mode 100644
index 00000000000..7cf456cbc90
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/fields/ecs.yml
@@ -0,0 +1,145 @@
+- name: cloud.account.id
+ external: ecs
+- name: cloud.provider
+ external: ecs
+- name: destination.address
+ external: ecs
+- name: destination.as.number
+ external: ecs
+- name: destination.as.organization.name
+ external: ecs
+- name: destination.domain
+ external: ecs
+- name: destination.geo.city_name
+ external: ecs
+- name: destination.geo.continent_name
+ external: ecs
+- name: destination.geo.country_iso_code
+ external: ecs
+- name: destination.geo.country_name
+ external: ecs
+- name: destination.geo.location
+ external: ecs
+- name: destination.geo.name
+ external: ecs
+- name: destination.geo.region_iso_code
+ external: ecs
+- name: destination.geo.region_name
+ external: ecs
+- name: destination.bytes
+ external: ecs
+- name: destination.ip
+ external: ecs
+- name: destination.port
+ external: ecs
+- name: destination.nat.ip
+ external: ecs
+- name: destination.nat.port
+ external: ecs
+- name: dns.header_flags
+ external: ecs
+- name: dns.question.class
+ external: ecs
+- name: dns.question.name
+ external: ecs
+- name: dns.question.type
+ external: ecs
+- name: dns.response_code
+- name: ecs.version
+ external: ecs
+- name: message
+ external: ecs
+- name: event.action
+ external: ecs
+- name: event.category
+ external: ecs
+- name: event.created
+ external: ecs
+- name: event.duration
+ external: ecs
+- name: event.id
+ external: ecs
+- name: event.ingested
+ external: ecs
+- name: event.kind
+ external: ecs
+- name: event.type
+ external: ecs
+- name: network.iana_number
+ external: ecs
+- name: network.protocol
+ external: ecs
+- name: network.transport
+ external: ecs
+- name: observer.name
+ external: ecs
+- name: observer.product
+ external: ecs
+- name: observer.type
+ external: ecs
+- name: observer.vendor
+ external: ecs
+- name: related.hosts
+ external: ecs
+- name: related.ip
+ external: ecs
+- name: related.user
+ external: ecs
+- name: source.address
+ external: ecs
+- name: source.as.number
+ external: ecs
+- name: source.as.organization.name
+ external: ecs
+- name: source.bytes
+ external: ecs
+- name: source.port
+ external: ecs
+- name: geo.continent_name
+ external: ecs
+- name: geo.country_iso_code
+ external: ecs
+- name: geo.country_name
+ external: ecs
+- name: geo.location
+ external: ecs
+- name: geo.city_name
+ external: ecs
+- name: geo.region_name
+ external: ecs
+- name: geo.name
+ external: ecs
+- name: geo.region_iso_code
+ external: ecs
+- name: log.level
+ external: ecs
+- name: rule.id
+ external: ecs
+- name: rule.name
+ external: ecs
+- name: rule.ruleset
+ external: ecs
+- name: rule.category
+ external: ecs
+- name: source.geo.city_name
+ external: ecs
+- name: source.geo.continent_name
+ external: ecs
+- name: source.geo.country_iso_code
+ external: ecs
+- name: source.geo.country_name
+ external: ecs
+- name: source.geo.location
+ external: ecs
+- name: source.geo.name
+ external: ecs
+- name: source.geo.region_iso_code
+ external: ecs
+- name: source.geo.region_name
+ external: ecs
+- name: source.ip
+ external: ecs
+- name: url.original
+ external: ecs
+- name: tags
+ external: ecs
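Review bot: `- name: dns.response_code` is the only entry without `external: ecs`, so it is declared with no type; add `external: ecs` beneath it or remove the entry. Conversely `event.original` and `error.message`, which `default.yml` writes, are not listed, so unless the base template supplies them they will be dynamically mapped. Most of the remaining entries (`dns.*`, `destination.*`, `observer.*`, `rule.*`, `network.*`) are not populated by any pipeline in this change and look carried over from a template; trimming them to what the App Service pipelines actually set would keep the mapping honest.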
diff --git a/packages/azure_app_service/data_stream/app_service_logs/fields/fields.yml b/packages/azure_app_service/data_stream/app_service_logs/fields/fields.yml
new file mode 100644
index 00000000000..6e5f014e767
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/fields/fields.yml
@@ -0,0 +1,131 @@
+- name: azure.app_service
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The category of the operation.
+ - name: operation_name
+ type: keyword
+ description: The operation name.
+ - name: properties
+ type: group
+ fields:
+ - name: user_agent
+ type: keyword
+ description: User agent on HTTP request.
+ - name: time_taken
+ type: long
+ description: Time taken by HTTP request in milliseconds.
+ - name: result
+ type: keyword
+ description: Success / Failure of HTTP request.
+ - name: referer
+ type: keyword
+ description: The site that the user last visited. This site provided a link to the current site.
+ - name: client_ip
+ type: ip
+ description: IP address of the client.
+ - name: client_port
+ type: long
+ description: IP address of the client.
+ - name: sc_win32status
+ type: keyword
+ description: Windows status code on HTTP request.
+ - name: sc_substatus
+ type: keyword
+ description: Substatus error code on HTTP request.
+ - name: sc_bytes
+ type: long
+ description: Number of bytes sent by server.
+ - name: sc_status
+ type: long
+ description: HTTP status code.
+ - name: cs_username
+ type: keyword
+ description: The name of the authenticated user on HTTP request.
+ - name: cs_uri_query
+ type: keyword
+ description: URI query on HTTP request.
+ - name: cs_uri_stem
+ type: keyword
+ description: The target of the request.
+ - name: cs_bytes
+ type: long
+ description: Number of bytes received by server.
+ - name: cs_host
+ type: keyword
+ description: Host name header on HTTP request.
+ - name: cs_method
+ type: keyword
+ - name: computer_name
+ type: keyword
+ description: The name of the server on which the log file entry was generated.
+ - name: s_port
+ type: keyword
+ description: Server port number.
+ - name: cookie
+ type: keyword
+ description: Cookie on HTTP request.
+ - name: user
+ type: keyword
+ description: Username used for publishing access.
+ - name: user_display_name
+ type: keyword
+ description: Email address of a user in case publishing was authorized via AAD authentication.
+ - name: protocol
+ type: keyword
+ description: Authentication protocol.
+ - name: details
+ type: keyword
+ description: Additional information
+ - name: service_endpoint
+ type: keyword
+ description: This indicates whether the access is via Virtual Network Service Endpoint communication
+ - name: xforwarded_for
+ type: keyword
+ description: X-Forwarded-For header of the HTTP request
+ - name: xforwarded_host
+ type: keyword
+ description: X-Forwarded-Host header of the HTTP request
+ - name: xazurefdid
+ type: keyword
+ description: X-Azure-FDID header (Azure Frontdoor Id) of the HTTP request
+ - name: xfdhealth_probe
+ type: keyword
+ description: X-FD-HealthProbe (Azure Frontdoor Health Probe) of the HTTP request
+ - name: type
+ type: keyword
+ description: The name of the table
+ - name: time_generated
+ type: keyword
+ description: Time of the Http Request
+ - name: source_system
+ type: keyword
+ description: The source system
+ - name: container_id
+ type: keyword
+ description: Application container id
+ - name: host
+ type: keyword
+ description: Host where the application is running
+ - name: level
+ type: keyword
+ description: Verbosity level of log
+ - name: result_description
+ type: keyword
+ description: Log message description
+ - name: event_stamp_type
+ type: keyword
+ description: Values that the service supports
+ - name: event_stamp_name
+ type: keyword
+ description: Name of the service
+ - name: event_primary_stamp_name
+ type: keyword
+ description: Primary name of the service
+ - name: event_ip_address
+ type: keyword
+ description: IP address of the event
+ - name: log
+ type: keyword
+ description: Details about the event depending on level
diff --git a/packages/azure_app_service/data_stream/app_service_logs/fields/package-fields.yml b/packages/azure_app_service/data_stream/app_service_logs/fields/package-fields.yml
new file mode 100644
index 00000000000..3a85154738f
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/fields/package-fields.yml
@@ -0,0 +1,42 @@
+- name: azure
+ type: group
+ fields:
+ - name: subscription_id
+ type: keyword
+ description: |
+ Azure subscription ID
+ - name: correlation_id
+ type: keyword
+ description: |
+ Correlation ID
+ - name: tenant_id
+ type: keyword
+ description: |
+ tenant ID
+ - name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Resource ID
+ - name: group
+ type: keyword
+ description: |
+ Resource group
+ - name: provider
+ type: keyword
+ description: |
+ Resource type/namespace
+ - name: namespace
+ type: keyword
+ description: |
+ Resource type/namespace
+ - name: name
+ type: keyword
+ description: |
+ Name
+ - name: authorization_rule
+ type: keyword
+ description: |-
+ Authorization rule
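Review bot: `provider` and `namespace` share the identical description "Resource type/namespace", which leaves readers unable to tell the two apart; presumably `provider` is the resource provider (the `providers/` segment parsed by the shared pipeline) and `namespace` the `namespaces/` segment, so describe each accordingly. `tenant_id` is described as "tenant ID" in lower case while its siblings are capitalised; `Azure tenant ID` keeps the style consistent.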
diff --git a/packages/azure_app_service/data_stream/app_service_logs/manifest.yml b/packages/azure_app_service/data_stream/app_service_logs/manifest.yml
new file mode 100644
index 00000000000..1de6eaf57c9
--- /dev/null
+++ b/packages/azure_app_service/data_stream/app_service_logs/manifest.yml
@@ -0,0 +1,60 @@
+title: Collect App Service logs from Azure
+type: logs
+release: experimental
+streams:
+ - input: "azure-eventhub"
+ enabled: false
+ template_path: "azure-eventhub.yml.hbs"
+ title: Azure App Service logs
+ description: Collect Azure App Service logs using azure-eventhub input
+ vars:
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: storage_account_container
+ type: text
+ title: Storage Account Container
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.
+
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - azure-appservice
+ - forwarded
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: sanitize_newlines
+ type: bool
+ title: Sanitizes New Lines
+ description: Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.
+ multi: false
+ required: false
+ show_user: false
+ default: false
+ - name: sanitize_singlequotes
+ required: true
+ show_user: false
+ title: Sanitizes Single Quotes
+ description: Replaces single quotes with double quotes (single quotes inside double quotes are omitted) in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.
+ type: bool
+ multi: false
+ default: false
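Review bot: `sanitize_singlequotes` is declared `required: true` while its twin `sanitize_newlines` is `required: false`, although both are booleans with a `default`, so the flag only produces an inconsistent UI; align them, presumably `required: false` on both. The stray blank line after the `storage_account_container` description is harmless YAML but breaks the visual grouping of the `vars` list.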
diff --git a/packages/azure_app_service/docs/README.md b/packages/azure_app_service/docs/README.md
new file mode 100644
index 00000000000..b5d92aed36a
--- /dev/null
+++ b/packages/azure_app_service/docs/README.md
@@ -0,0 +1,196 @@
+# Azure App Service Integration
+
+The Azure App Service logs integration retrieves different types of logs categories from Azure App Service.
+Azure App Service provides different logging to help you track, monitor, and debug your web application.
+
+- HTTPLogs help monitor application health, performance and usage patterns.
+- AuditLogs provide insights when publishing users successfully log on via one of the App Service publishing protocols.
+- IPSecAuditLogs are generated through your application and pushed to Azure Monitoring.
+- PlatformLogs are generated through AppService platform for your application.
+- ConsoleLogs are generated from application or container.
+- AppLogs are generated through your application (ex. logging capabilities)
+
+## Data streams
+
+This integration currently collects one data stream:
+
+- App Service Logs
+
+## Requirements
+
+### Credentials
+
+`eventhub` :
+_string_
+Is the fully managed, real-time data ingestion service.
+
+`consumer_group` :
+_string_
+The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets.
+Default value: `$Default`
+
+`connection_string` :
+_string_
+The connection string required to communicate with Event Hubs, steps here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string.
+
+A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the filebeat azure module it can start back up at the spot that it stopped processing messages.
+
+`storage_account` :
+_string_
+The name of the storage account the state/offsets will be stored and updated.
+
+`storage_account_key` :
+_string_
+The storage account key, this key will be used to authorize access to data in your storage account.
+
+`resource_manager_endpoint` :
+_string_
+Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
+Ex:
+https://management.chinacloudapi.cn/ for azure ChinaCloud
+https://management.microsoftazure.de/ for azure GermanCloud
+https://management.azure.com/ for azure PublicCloud
+https://management.usgovcloudapi.net/ for azure USGovernmentCloud
+Users can also use this in case of a Hybrid Cloud model, where one may define their own endpoints.
+
+## App Service Logs
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| azure.app_service.category | The category of the operation. | keyword |
+| azure.app_service.container_id | Application container id | keyword |
+| azure.app_service.event_ip_address | IP address of the event | keyword |
+| azure.app_service.event_primary_stamp_name | Primary name of the service | keyword |
+| azure.app_service.event_stamp_name | Name of the service | keyword |
+| azure.app_service.event_stamp_type | Values that the service supports | keyword |
+| azure.app_service.host | Host where the application is running | keyword |
+| azure.app_service.level | Verbosity level of log | keyword |
+| azure.app_service.log | Details about the event depending on level | keyword |
+| azure.app_service.operation_name | The operation name. | keyword |
+| azure.app_service.properties.client_ip | IP address of the client. | ip |
+| azure.app_service.properties.client_port | IP address of the client. | long |
+| azure.app_service.properties.computer_name | The name of the server on which the log file entry was generated. | keyword |
+| azure.app_service.properties.cookie | Cookie on HTTP request. | keyword |
+| azure.app_service.properties.cs_bytes | Number of bytes received by server. | long |
+| azure.app_service.properties.cs_host | Host name header on HTTP request. | keyword |
+| azure.app_service.properties.cs_method | | keyword |
+| azure.app_service.properties.cs_uri_query | URI query on HTTP request. | keyword |
+| azure.app_service.properties.cs_uri_stem | The target of the request. | keyword |
+| azure.app_service.properties.cs_username | The name of the authenticated user on HTTP request. | keyword |
+| azure.app_service.properties.details | Additional information | keyword |
+| azure.app_service.properties.protocol | Authentication protocol. | keyword |
+| azure.app_service.properties.referer | The site that the user last visited. This site provided a link to the current site. | keyword |
+| azure.app_service.properties.result | Success / Failure of HTTP request. | keyword |
+| azure.app_service.properties.s_port | Server port number. | keyword |
+| azure.app_service.properties.sc_bytes | Number of bytes sent by server. | long |
+| azure.app_service.properties.sc_status | HTTP status code. | long |
+| azure.app_service.properties.sc_substatus | Substatus error code on HTTP request. | keyword |
+| azure.app_service.properties.sc_win32status | Windows status code on HTTP request. | keyword |
+| azure.app_service.properties.service_endpoint | This indicates whether the access is via Virtual Network Service Endpoint communication | keyword |
+| azure.app_service.properties.source_system | The source system | keyword |
+| azure.app_service.properties.time_generated | Time of the Http Request | keyword |
+| azure.app_service.properties.time_taken | Time taken by HTTP request in milliseconds. | long |
+| azure.app_service.properties.type | The name of the table | keyword |
+| azure.app_service.properties.user | Username used for publishing access. | keyword |
+| azure.app_service.properties.user_agent | User agent on HTTP request. | keyword |
+| azure.app_service.properties.user_display_name | Email address of a user in case publishing was authorized via AAD authentication. | keyword |
+| azure.app_service.properties.xazurefdid | X-Azure-FDID header (Azure Frontdoor Id) of the HTTP request | keyword |
+| azure.app_service.properties.xfdhealth_probe | X-FD-HealthProbe (Azure Frontdoor Health Probe) of the HTTP request | keyword |
+| azure.app_service.properties.xforwarded_for | X-Forwarded-For header of the HTTP request | keyword |
+| azure.app_service.properties.xforwarded_host | X-Forwarded-Host header of the HTTP request | keyword |
+| azure.app_service.result_description | Log message description | keyword |
+| azure.correlation_id | Correlation ID | keyword |
+| azure.resource.authorization_rule | Authorization rule | keyword |
+| azure.resource.group | Resource group | keyword |
+| azure.resource.id | Resource ID | keyword |
+| azure.resource.name | Name | keyword |
+| azure.resource.namespace | Resource type/namespace | keyword |
+| azure.resource.provider | Resource type/namespace | keyword |
+| azure.subscription_id | Azure subscription ID | keyword |
+| azure.tenant_id | tenant ID | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.port | Port of the destination. | long |
+| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
+| dns.question.class | The class of records being queried. | keyword |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.response_code | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| geo.city_name | City name. | keyword |
+| geo.continent_name | Name of the continent. | keyword |
+| geo.country_iso_code | Country ISO code. | keyword |
+| geo.country_name | Country name. | keyword |
+| geo.location | Longitude and latitude. | geo_point |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| geo.region_iso_code | Region ISO code. | keyword |
+| geo.region_name | Region name. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+
diff --git a/packages/azure_app_service/img/app-service-logo.svg b/packages/azure_app_service/img/app-service-logo.svg
new file mode 100644
index 00000000000..54051fc58f5
--- /dev/null
+++ b/packages/azure_app_service/img/app-service-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/azure_app_service/manifest.yml b/packages/azure_app_service/manifest.yml
new file mode 100644
index 00000000000..35759dc3edd
--- /dev/null
+++ b/packages/azure_app_service/manifest.yml
@@ -0,0 +1,78 @@
+format_version: 2.8.0
+name: azure_app_service
+title: "Azure App Service"
+version: 0.0.1
+source:
+ license: "Elastic-2.0"
+description: "Collect logs and metrics from Azure App Service with Elastic Agent."
+type: integration
+categories:
+ - azure
+ - cloud
+conditions:
+ kibana.version: "^8.7.1"
+ elastic.subscription: "basic"
+vars:
+ - name: eventhub
+ type: text
+ title: Event Hub
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ Elastic recommends using one event hub for each integration. Visit [Create an event hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use event hub names up to 30 characters long to avoid compatibility issues.
+ - name: consumer_group
+ type: text
+ title: Consumer Group
+ multi: false
+ required: true
+ show_user: true
+ default: $Default
+ - name: connection_string
+ type: text
+ title: Connection String
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ The connection string required to communicate with Event Hubs. See [Get an Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.
+ - name: storage_account
+ type: text
+ title: Storage Account
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ The name of the storage account where the consumer group's state/offsets will be stored and updated.
+ - name: storage_account_key
+ type: text
+ title: Storage Account Key
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ The storage account key, this key will be used to authorize access to data in your storage account.
+ - name: resource_manager_endpoint
+ type: text
+ title: Resource Manager Endpoint
+ multi: false
+ required: false
+ show_user: false
+icons:
+ - src: /img/app-service-logo.svg
+ title: App Service Logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: app_service_logs
+ title: Azure App Service logs
+ description: Azure App Service logs integration
+ data_streams:
+ - app_service_logs
+ inputs:
+ - type: "azure-eventhub"
+ title: "Collect Azure App Service logs from Event Hub"
+ description: "Collecting App Service logs from Azure (input: azure-eventhub)"
+ input_group: logs
+owner:
+ github: elastic/obs-infraobs-integrations
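Review bot: `storage_account_key` and `connection_string` (which carries the Event Hubs SharedAccessKey) are declared `type: text`, so Fleet renders and stores them as plain text in the policy editor; the package spec's `type: password` is the variable type meant for these values and masks them in the UI. The manifest `description` says "Collect logs and metrics" but the only policy template and data stream here is `app_service_logs`, so "logs" alone would be accurate until a metrics stream exists. `resource_manager_endpoint` is the one var without a `description`, although the README in this change documents it; a one-line `description: >-` carrying the README wording ("Optional, overrides the public Azure environment's resource manager endpoint") would keep the UI and docs in step.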
diff --git a/packages/azure_application_insights/changelog.yml b/packages/azure_application_insights/changelog.yml
index 57cacc59975..f00ef0e8ba6 100644
--- a/packages/azure_application_insights/changelog.yml
+++ b/packages/azure_application_insights/changelog.yml
@@ -1,3 +1,13 @@
+- version: "1.1.0"
+ changes:
+ - description: Add app_insights dimensions and metric_type for metrics field.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7610
+- version: "1.0.6"
+ changes:
+ - description: Fix mappings of tags and dimensions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6975
- version: "1.0.5"
changes:
- description: Added categories and/or subcategories.
diff --git a/packages/azure_application_insights/data_stream/app_insights/elasticsearch/ingest_pipeline/default.yml b/packages/azure_application_insights/data_stream/app_insights/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..0ad98ca3a31
--- /dev/null
+++ b/packages/azure_application_insights/data_stream/app_insights/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,14 @@
+---
+description: Pipeline for parsing azure app_insights metrics.
+processors:
+ - fingerprint:
+ fields: ["azure.dimensions"]
+ target_field: 'azure.dimensions.fingerprint'
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - set:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
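Review bot: The fingerprint is written back into the object it hashes: `target_field: 'azure.dimensions.fingerprint'` nests under `azure.dimensions`, which the package-fields hunk in this same change maps as `flattened` while also declaring `dimensions.fingerprint` as a `keyword` dimension. Whether Elasticsearch accepts a keyword sub-field beneath a flattened field, and whether the fingerprint key then also lands inside the flattened value, should be confirmed with the package's system tests before this is relied on as a TSDB dimension. If the dimension name is not yet depended on elsewhere, a sibling target such as `azure.dimensions_fingerprint` would avoid the question entirely. The new file also lacks a trailing newline.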
diff --git a/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml b/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml
index da4e652c53b..ae1966205ad 100644
--- a/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml
+++ b/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml
@@ -48,6 +48,7 @@
ignore_above: 1024
description: Region in which this host is running.
example: us-east-1
+ dimension: true
- name: project.id
type: keyword
description: Name of the project in Google Cloud.
@@ -62,26 +63,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
diff --git a/packages/azure_application_insights/data_stream/app_insights/fields/ecs.yml b/packages/azure_application_insights/data_stream/app_insights/fields/ecs.yml
index c9ba9972270..0ef9d19c59d 100644
--- a/packages/azure_application_insights/data_stream/app_insights/fields/ecs.yml
+++ b/packages/azure_application_insights/data_stream/app_insights/fields/ecs.yml
@@ -15,3 +15,6 @@
external: ecs
- name: host
external: ecs
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/azure_application_insights/data_stream/app_insights/fields/fields.yml b/packages/azure_application_insights/data_stream/app_insights/fields/fields.yml
index 48e5fc5e886..a84fb824ecc 100644
--- a/packages/azure_application_insights/data_stream/app_insights/fields/fields.yml
+++ b/packages/azure_application_insights/data_stream/app_insights/fields/fields.yml
@@ -12,11 +12,4 @@
- name: end_date
type: date
description: >
- The end date
-
- - name: metrics.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >-
- The metrics
+ The end date
\ No newline at end of file
diff --git a/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml b/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml
index 4ac170ddf8d..05c60170934 100644
--- a/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml
+++ b/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml
@@ -4,6 +4,7 @@
fields:
- name: timegrain
type: keyword
+ dimension: true
description: >
The Azure metric timegrain
@@ -25,6 +26,7 @@
- name: id
type: keyword
+ dimension: true
description: >
The id of the resource
@@ -33,15 +35,14 @@
description: >
The resource group
- - name: tags.*
+ - name: tags
type: flattened
- object_type: keyword
- object_type_mapping_type: "*"
description: >
Azure resource tags.
- name: namespace
type: keyword
+ dimension: true
description: >
The namespace selected
@@ -55,17 +56,22 @@
description: >
The application ID
- - name: dimensions.*
+ - name: dimensions
type: flattened
- object_type: keyword
- object_type_mapping_type: "*"
description: >
Azure metric dimensions.
+ - name: dimensions.fingerprint
+ type: keyword
+ dimension: true
+ description: |
+ Autogenerated ID representing the fingerprint of the azure.dimensions object
+
- name: metrics.*.*
type: object
object_type: float
object_type_mapping_type: "*"
+ metric_type: gauge
description: >
Metrics returned.
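Review bot: The new `dimensions.fingerprint` entry uses `description: |` followed by a blank line, the only literal-style block in a file where every other description uses `>` or `>-`; `description: >-` with the blank line dropped matches the surrounding style and avoids the stray trailing newline in the rendered description. The text could also name what the value is for, e.g. `Autogenerated keyword holding a fingerprint of the azure.dimensions object, used as a time-series dimension.`, since `dimension: true` is the reason the field exists.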
diff --git a/packages/azure_application_insights/data_stream/app_state/fields/agent.yml b/packages/azure_application_insights/data_stream/app_state/fields/agent.yml
index da4e652c53b..2db0bb802e6 100644
--- a/packages/azure_application_insights/data_stream/app_state/fields/agent.yml
+++ b/packages/azure_application_insights/data_stream/app_state/fields/agent.yml
@@ -62,26 +62,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
diff --git a/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml b/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml
index 4ac170ddf8d..a3671487091 100644
--- a/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml
+++ b/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml
@@ -33,10 +33,8 @@
description: >
The resource group
- - name: tags.*
+ - name: tags
type: flattened
- object_type: keyword
- object_type_mapping_type: "*"
description: >
Azure resource tags.
@@ -55,10 +53,8 @@
description: >
The application ID
- - name: dimensions.*
+ - name: dimensions
type: flattened
- object_type: keyword
- object_type_mapping_type: "*"
description: >
Azure metric dimensions.
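Review bot: `dimensions` becomes `flattened` here exactly as in the app_insights stream, but app_state receives neither the `dimensions.fingerprint` keyword nor any `dimension: true` markers and has no ingest pipeline in this change; if app_state is intentionally kept out of the time-series setup that is fine, but the asymmetry is easy to miss later. The 1.0.6 changelog entry ("Fix mappings of tags and dimensions") reads as covering both streams equally, so a short note there stating that only app_insights gains dimensions would make the intent explicit.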
diff --git a/packages/azure_application_insights/docs/README.md b/packages/azure_application_insights/docs/README.md
index 31278492cc9..7d853580754 100644
--- a/packages/azure_application_insights/docs/README.md
+++ b/packages/azure_application_insights/docs/README.md
@@ -171,13 +171,13 @@ An example event for `app_insights` looks as following:
| azure.app_state.users_authenticated.unique | Authenticated users count | float |
| azure.app_state.users_count.unique | User count | float |
| azure.application_id | The application ID | keyword |
-| azure.dimensions.\* | Azure metric dimensions. | flattened |
+| azure.dimensions | Azure metric dimensions. | flattened |
| azure.metrics.\*.\* | Metrics returned. | object |
| azure.namespace | The namespace selected | keyword |
| azure.resource.group | The resource group | keyword |
| azure.resource.id | The id of the resource | keyword |
| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | flattened |
+| azure.resource.tags | Azure resource tags. | flattened |
| azure.resource.type | The type of the resource | keyword |
| azure.subscription_id | The subscription ID | keyword |
| azure.timegrain | The Azure metric timegrain | keyword |
diff --git a/packages/azure_application_insights/docs/app_state.md b/packages/azure_application_insights/docs/app_state.md
index c7845710dd9..dbc8d7acc52 100644
--- a/packages/azure_application_insights/docs/app_state.md
+++ b/packages/azure_application_insights/docs/app_state.md
@@ -39,13 +39,13 @@ Costs: Metric queries are charged based on the number of standard API calls. Mor
| azure.app_state.users_authenticated.unique | Authenticated users count | float |
| azure.app_state.users_count.unique | User count | float |
| azure.application_id | The application ID | keyword |
-| azure.dimensions.\* | Azure metric dimensions. | flattened |
+| azure.dimensions | Azure metric dimensions. | flattened |
| azure.metrics.\*.\* | Metrics returned. | object |
| azure.namespace | The namespace selected | keyword |
| azure.resource.group | The resource group | keyword |
| azure.resource.id | The id of the resource | keyword |
| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | flattened |
+| azure.resource.tags | Azure resource tags. | flattened |
| azure.resource.type | The type of the resource | keyword |
| azure.subscription_id | The subscription ID | keyword |
| azure.timegrain | The Azure metric timegrain | keyword |
diff --git a/packages/azure_application_insights/manifest.yml b/packages/azure_application_insights/manifest.yml
index d95791f0d5f..baa34fc4748 100644
--- a/packages/azure_application_insights/manifest.yml
+++ b/packages/azure_application_insights/manifest.yml
@@ -1,7 +1,6 @@
name: azure_application_insights
title: Azure Application Insights Metrics Overview
-version: 1.0.5
-release: ga
+version: 1.1.0
description: Collect application insights metrics from Azure Monitor with Elastic Agent.
type: integration
icons:
@@ -14,13 +13,13 @@ screenshots:
title: App State Overview
size: 5120x2562
type: image/png
-format_version: 1.0.0
-license: basic
+format_version: 2.9.0
categories:
- azure
- observability
conditions:
- kibana.version: "^7.14.0 || ^8.0.0"
+ kibana.version: "^8.9.0"
+ elastic.subscription: "basic"
vars:
- name: application_id
type: text
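Review bot: The Kibana constraint tightens from `^7.14.0 || ^8.0.0` to `^8.9.0`, which drops every 7.x stack and 8.0–8.8 from the supported range, while the earlier hunk of this file only moves the package from 1.0.5 to 1.1.0. A minor bump for a new minimum stack is surprising to consumers on older clusters, so the changelog entry for 1.1.0 (not in this chunk) should state the new minimum explicitly, e.g. `description: Require Kibana 8.9.0 or newer; migrate to format_version 2.9.0`. The replacement of `license: basic` with `elastic.subscription: "basic"` and the removal of `release: ga` look consistent with the `format_version: 2.9.0` bump, but the `vars` block this hunk opens continues outside the hunk.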
diff --git a/packages/azure_billing/changelog.yml b/packages/azure_billing/changelog.yml
index 8d202cd5da2..2d8827d743a 100644
--- a/packages/azure_billing/changelog.yml
+++ b/packages/azure_billing/changelog.yml
@@ -1,3 +1,13 @@
+- version: "1.2.0"
+ changes:
+ - description: Migrate Azure Billing dashboard visualizations to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7219
+- version: "1.1.3"
+ changes:
+ - description: Fix mappings of tags and dimensions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6975
- version: "1.1.2"
changes:
- description: Added categories and/or subcategories.
@@ -5,7 +15,7 @@
link: https://github.com/elastic/integrations/pull/5123
- version: "1.1.1"
changes:
- - description: Fix documentations formatting (remove extra 'Overview' heading)
+ - description: Fix documentations formatting (remove extra 'Overview' heading)
type: enhancement
link: https://github.com/elastic/integrations/pull/4383
- version: "1.1.0"
diff --git a/packages/azure_billing/data_stream/billing/fields/agent.yml b/packages/azure_billing/data_stream/billing/fields/agent.yml
index da4e652c53b..2db0bb802e6 100644
--- a/packages/azure_billing/data_stream/billing/fields/agent.yml
+++ b/packages/azure_billing/data_stream/billing/fields/agent.yml
@@ -62,26 +62,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
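Review bot: Three `container.*` definitions (`id`, `image.name`, `name`) are removed while `container.labels` stays in the group, so documents that still carry those fields will be mapped dynamically unless they are declared in another fields file of this data stream, which this chunk does not show. If the intent is that they come from a shared ECS definition, it would help to leave a one-line comment above `- name: labels`, e.g. `# container.id/name/image.name are provided by the package's ECS field definitions`, so the asymmetry does not look accidental to the next reader. The `container` group header is outside the hunk and the `fields` list continues past it.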
diff --git a/packages/azure_billing/data_stream/billing/fields/package-fields.yml b/packages/azure_billing/data_stream/billing/fields/package-fields.yml
index 4ac170ddf8d..a3671487091 100644
--- a/packages/azure_billing/data_stream/billing/fields/package-fields.yml
+++ b/packages/azure_billing/data_stream/billing/fields/package-fields.yml
@@ -33,10 +33,8 @@
description: >
The resource group
- - name: tags.*
+ - name: tags
type: flattened
- object_type: keyword
- object_type_mapping_type: "*"
description: >
Azure resource tags.
@@ -55,10 +53,8 @@
description: >
The application ID
- - name: dimensions.*
+ - name: dimensions
type: flattened
- object_type: keyword
- object_type_mapping_type: "*"
description: >
Azure metric dimensions.
diff --git a/packages/azure_billing/docs/README.md b/packages/azure_billing/docs/README.md
index 9721976c70f..2788893ce36 100644
--- a/packages/azure_billing/docs/README.md
+++ b/packages/azure_billing/docs/README.md
@@ -294,13 +294,13 @@ An example event for `billing` looks as following:
| azure.billing.usage_date | The usage date | date |
| azure.billing.usage_end | The usage end date | date |
| azure.billing.usage_start | The usage start date | date |
-| azure.dimensions.\* | Azure metric dimensions. | flattened |
+| azure.dimensions | Azure metric dimensions. | flattened |
| azure.metrics.\*.\* | Metrics returned. | object |
| azure.namespace | The namespace selected | keyword |
| azure.resource.group | The resource group | keyword |
| azure.resource.id | The id of the resource | keyword |
| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | flattened |
+| azure.resource.tags | Azure resource tags. | flattened |
| azure.resource.type | The type of the resource | keyword |
| azure.subscription_id | The subscription ID | keyword |
| azure.timegrain | The Azure metric timegrain | keyword |
diff --git a/packages/azure_billing/img/azure-billing-overview.png b/packages/azure_billing/img/azure-billing-overview.png
index 0dafde72902..76a2335d490 100644
Binary files a/packages/azure_billing/img/azure-billing-overview.png and b/packages/azure_billing/img/azure-billing-overview.png differ
diff --git a/packages/azure_billing/kibana/dashboard/azure_billing-d3efeb30-c1c7-11ea-b7e7-0f48178cdb3c.json b/packages/azure_billing/kibana/dashboard/azure_billing-d3efeb30-c1c7-11ea-b7e7-0f48178cdb3c.json
index 8f2ac23ba44..94c2ffdcfbf 100644
--- a/packages/azure_billing/kibana/dashboard/azure_billing-d3efeb30-c1c7-11ea-b7e7-0f48178cdb3c.json
+++ b/packages/azure_billing/kibana/dashboard/azure_billing-d3efeb30-c1c7-11ea-b7e7-0f48178cdb3c.json
@@ -1,5 +1,11 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"3983c316-b2b5-40cb-8a49-1a4b17e7868b\":{\"order\":0,\"width\":\"small\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.billing.department_name\",\"title\":\"Department\",\"id\":\"3983c316-b2b5-40cb-8a49-1a4b17e7868b\",\"enhancements\":{}}},\"37e30ae0-44c5-406d-8211-429d57e67eff\":{\"order\":1,\"width\":\"small\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.billing.account_name\",\"title\":\"Account\",\"id\":\"37e30ae0-44c5-406d-8211-429d57e67eff\",\"enhancements\":{}}},\"0bf3bd17-49f6-4c1b-b4a9-afe2d4577aed\":{\"order\":2,\"width\":\"small\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"id\":\"0bf3bd17-49f6-4c1b-b4a9-afe2d4577aed\",\"enhancements\":{}}},\"caf9e826-fb3c-47bb-a533-8ede2b34b7b7\":{\"order\":3,\"width\":\"small\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"id\":\"caf9e826-fb3c-47bb-a533-8ede2b34b7b7\",\"enhancements\":{}}},\"ee85a301-febf-4d9c-90b2-d414fcdb73e5\":{\"order\":4,\"width\":\"small\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.name\",\"title\":\"Resource Name\",\"id\":\"ee85a301-febf-4d9c-90b2-d414fcdb73e5\",\"enhancements\":{}}}}"
+ },
"description": "This dashboard gives an overview of resource costs and forecast",
"hits": 0,
"kibanaSavedObjectMeta": {
@@ -18,149 +24,740 @@
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 5,
- "i": "3202a4c8-ed88-4592-9d39-73846426413b",
- "w": 48,
- "x": 0,
- "y": 0
- },
- "panelIndex": "3202a4c8-ed88-4592-9d39-73846426413b",
- "panelRefName": "panel_3202a4c8-ed88-4592-9d39-73846426413b",
- "title": "",
- "type": "visualization",
- "version": "8.0.0-SNAPSHOT"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-55c730ae-441d-4ba7-9642-4d559fc71334",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "55c730ae-441d-4ba7-9642-4d559fc71334": {
+ "columnOrder": [
+ "6a63eb28-dbd8-406f-83b1-190909e7997a",
+ "f925b265-0368-4070-9b44-dfee175035b0"
+ ],
+ "columns": {
+ "6a63eb28-dbd8-406f-83b1-190909e7997a": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 5 values of azure.subscription_id",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f925b265-0368-4070-9b44-dfee175035b0",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.subscription_id"
+ },
+ "f925b265-0368-4070-9b44-dfee175035b0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Total costs",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.billing.pretax_cost"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "hide",
+ "groups": [
+ "6a63eb28-dbd8-406f-83b1-190909e7997a"
+ ],
+ "layerId": "55c730ae-441d-4ba7-9642-4d559fc71334",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendSize": "large",
+ "metric": "f925b265-0368-4070-9b44-dfee175035b0",
+ "nestedLegend": false,
+ "numberDisplay": "hidden"
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
- "i": "c18f8802-6189-4966-abe5-30bf2c7c6d63",
+ "i": "85f7953a-8355-4b7d-b429-daf792f0aa00",
"w": 15,
"x": 0,
- "y": 5
+ "y": 0
},
- "panelIndex": "c18f8802-6189-4966-abe5-30bf2c7c6d63",
- "panelRefName": "panel_c18f8802-6189-4966-abe5-30bf2c7c6d63",
+ "panelIndex": "85f7953a-8355-4b7d-b429-daf792f0aa00",
"title": "Subscriptions",
- "type": "visualization",
- "version": "8.0.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.3.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-55c730ae-441d-4ba7-9642-4d559fc71334",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "55c730ae-441d-4ba7-9642-4d559fc71334": {
+ "columnOrder": [
+ "6a63eb28-dbd8-406f-83b1-190909e7997a",
+ "f925b265-0368-4070-9b44-dfee175035b0"
+ ],
+ "columns": {
+ "6a63eb28-dbd8-406f-83b1-190909e7997a": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 5 values of azure.resource.group",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f925b265-0368-4070-9b44-dfee175035b0",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.group"
+ },
+ "f925b265-0368-4070-9b44-dfee175035b0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Total costs",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.billing.pretax_cost"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "hide",
+ "groups": [
+ "6a63eb28-dbd8-406f-83b1-190909e7997a"
+ ],
+ "layerId": "55c730ae-441d-4ba7-9642-4d559fc71334",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendSize": "large",
+ "metric": "f925b265-0368-4070-9b44-dfee175035b0",
+ "nestedLegend": false,
+ "numberDisplay": "percent"
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
- "i": "0a93b125-de04-466e-a1d0-7b56d1b31b52",
+ "i": "d855962c-ebf7-482c-b66c-8c37f66c479b",
"w": 16,
"x": 15,
- "y": 5
+ "y": 0
},
- "panelIndex": "0a93b125-de04-466e-a1d0-7b56d1b31b52",
- "panelRefName": "panel_0a93b125-de04-466e-a1d0-7b56d1b31b52",
+ "panelIndex": "d855962c-ebf7-482c-b66c-8c37f66c479b",
"title": "Resource groups",
- "type": "visualization",
- "version": "8.0.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.3.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-55c730ae-441d-4ba7-9642-4d559fc71334",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "55c730ae-441d-4ba7-9642-4d559fc71334": {
+ "columnOrder": [
+ "6a63eb28-dbd8-406f-83b1-190909e7997a",
+ "f925b265-0368-4070-9b44-dfee175035b0"
+ ],
+ "columns": {
+ "6a63eb28-dbd8-406f-83b1-190909e7997a": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 5 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f925b265-0368-4070-9b44-dfee175035b0",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "f925b265-0368-4070-9b44-dfee175035b0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Total costs",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.billing.pretax_cost"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "hide",
+ "groups": [
+ "6a63eb28-dbd8-406f-83b1-190909e7997a"
+ ],
+ "layerId": "55c730ae-441d-4ba7-9642-4d559fc71334",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metric": "f925b265-0368-4070-9b44-dfee175035b0",
+ "nestedLegend": false,
+ "numberDisplay": "percent"
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
- "i": "f6b54b8f-b9e5-4c20-9e4c-8f83935ca739",
+ "i": "227b905d-e912-4f72-ae00-bdfde0e180df",
"w": 17,
"x": 31,
- "y": 5
+ "y": 0
},
- "panelIndex": "f6b54b8f-b9e5-4c20-9e4c-8f83935ca739",
- "panelRefName": "panel_f6b54b8f-b9e5-4c20-9e4c-8f83935ca739",
+ "panelIndex": "227b905d-e912-4f72-ae00-bdfde0e180df",
"title": "Resources",
- "type": "visualization",
- "version": "8.0.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.3.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-0542e158-84da-47c7-aae6-a492f8cd9913",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-0dc3a5de-8297-4425-9c43-f5d0f882e5fe",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "0542e158-84da-47c7-aae6-a492f8cd9913": {
+ "columnOrder": [
+ "034b7608-d122-4932-9d69-616244bcfbba",
+ "7fce3008-7471-42ec-8cd2-bb4d8a1ab36d"
+ ],
+ "columns": {
+ "034b7608-d122-4932-9d69-616244bcfbba": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "azure.billing.usage_date",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "24h"
+ },
+ "scale": "interval",
+ "sourceField": "azure.billing.usage_date"
+ },
+ "7fce3008-7471-42ec-8cd2-bb4d8a1ab36d": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.billing.actual_cost: *"
+ },
+ "isBucketed": false,
+ "label": "Actual costs",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "azure.billing.actual_cost"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "0dc3a5de-8297-4425-9c43-f5d0f882e5fe": {
+ "columnOrder": [
+ "54788367-b900-4bc6-8cbf-2c2e7cd65a15",
+ "6912e4d6-f28b-4ece-a495-3fe6972c0499"
+ ],
+ "columns": {
+ "54788367-b900-4bc6-8cbf-2c2e7cd65a15": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "azure.billing.usage_date",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "24h"
+ },
+ "scale": "interval",
+ "sourceField": "azure.billing.usage_date"
+ },
+ "6912e4d6-f28b-4ece-a495-3fe6972c0499": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.billing.forecast_cost: *"
+ },
+ "isBucketed": false,
+ "label": "Forecast costs",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "azure.billing.forecast_cost"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.7,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "7fce3008-7471-42ec-8cd2-bb4d8a1ab36d"
+ ],
+ "layerId": "0542e158-84da-47c7-aae6-a492f8cd9913",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "xAccessor": "034b7608-d122-4932-9d69-616244bcfbba",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(25,77,51,1)",
+ "forAccessor": "7fce3008-7471-42ec-8cd2-bb4d8a1ab36d"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "6912e4d6-f28b-4ece-a495-3fe6972c0499"
+ ],
+ "layerId": "0dc3a5de-8297-4425-9c43-f5d0f882e5fe",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "xAccessor": "54788367-b900-4bc6-8cbf-2c2e7cd65a15",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,188,0,1)",
+ "forAccessor": "6912e4d6-f28b-4ece-a495-3fe6972c0499"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 17,
"i": "323f890e-c4d6-4c84-a3d8-f3d4277d3c2f",
"w": 48,
"x": 0,
- "y": 21
+ "y": 16
},
"panelIndex": "323f890e-c4d6-4c84-a3d8-f3d4277d3c2f",
- "panelRefName": "panel_323f890e-c4d6-4c84-a3d8-f3d4277d3c2f",
"title": "Forecast",
- "type": "visualization",
- "version": "8.0.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.3.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-c5eed79c-ba72-464b-bca3-127247296a65",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "c5eed79c-ba72-464b-bca3-127247296a65": {
+ "columnOrder": [
+ "55213fc7-2095-427a-a223-0f6e7c74e41e",
+ "77c34830-ab51-456f-8e09-e79eb3dd38f1"
+ ],
+ "columns": {
+ "55213fc7-2095-427a-a223-0f6e7c74e41e": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "azure.billing.usage_start",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "24h"
+ },
+ "scale": "interval",
+ "sourceField": "azure.billing.usage_start"
+ },
+ "77c34830-ab51-456f-8e09-e79eb3dd38f1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Usage Details",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.billing.pretax_cost"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "77c34830-ab51-456f-8e09-e79eb3dd38f1"
+ ],
+ "layerId": "c5eed79c-ba72-464b-bca3-127247296a65",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "xAccessor": "55213fc7-2095-427a-a223-0f6e7c74e41e",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(22,165,165,1)",
+ "forAccessor": "77c34830-ab51-456f-8e09-e79eb3dd38f1"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "fb121db4-1343-4e4d-b1a3-e3f3531ae045",
"w": 48,
"x": 0,
- "y": 38
+ "y": 33
},
"panelIndex": "fb121db4-1343-4e4d-b1a3-e3f3531ae045",
- "panelRefName": "panel_fb121db4-1343-4e4d-b1a3-e3f3531ae045",
"title": "Daily usage",
- "type": "visualization",
- "version": "8.0.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.3.0"
}
],
"timeRestore": false,
"title": "[Azure Billing] Billing overview",
"version": 1
},
- "coreMigrationVersion": "8.0.0",
+ "coreMigrationVersion": "8.3.0",
"id": "azure_billing-d3efeb30-c1c7-11ea-b7e7-0f48178cdb3c",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.3.0"
},
"references": [
{
- "id": "azure_billing-82a51dd0-c1d7-11ea-b7e7-0f48178cdb3c",
- "name": "3202a4c8-ed88-4592-9d39-73846426413b:panel_3202a4c8-ed88-4592-9d39-73846426413b",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "85f7953a-8355-4b7d-b429-daf792f0aa00:indexpattern-datasource-layer-55c730ae-441d-4ba7-9642-4d559fc71334",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "d855962c-ebf7-482c-b66c-8c37f66c479b:indexpattern-datasource-layer-55c730ae-441d-4ba7-9642-4d559fc71334",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "227b905d-e912-4f72-ae00-bdfde0e180df:indexpattern-datasource-layer-55c730ae-441d-4ba7-9642-4d559fc71334",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "323f890e-c4d6-4c84-a3d8-f3d4277d3c2f:indexpattern-datasource-layer-0542e158-84da-47c7-aae6-a492f8cd9913",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "323f890e-c4d6-4c84-a3d8-f3d4277d3c2f:indexpattern-datasource-layer-0dc3a5de-8297-4425-9c43-f5d0f882e5fe",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "fb121db4-1343-4e4d-b1a3-e3f3531ae045:indexpattern-datasource-layer-c5eed79c-ba72-464b-bca3-127247296a65",
+ "type": "index-pattern"
},
{
- "id": "azure_billing-6ffa7e20-c1da-11ea-b7e7-0f48178cdb3c",
- "name": "c18f8802-6189-4966-abe5-30bf2c7c6d63:panel_c18f8802-6189-4966-abe5-30bf2c7c6d63",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_3983c316-b2b5-40cb-8a49-1a4b17e7868b:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_billing-b18053b0-c1da-11ea-b7e7-0f48178cdb3c",
- "name": "0a93b125-de04-466e-a1d0-7b56d1b31b52:panel_0a93b125-de04-466e-a1d0-7b56d1b31b52",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_37e30ae0-44c5-406d-8211-429d57e67eff:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_billing-c8016f70-c1da-11ea-b7e7-0f48178cdb3c",
- "name": "f6b54b8f-b9e5-4c20-9e4c-8f83935ca739:panel_f6b54b8f-b9e5-4c20-9e4c-8f83935ca739",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_0bf3bd17-49f6-4c1b-b4a9-afe2d4577aed:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_billing-9142aca0-c1c7-11ea-b7e7-0f48178cdb3c",
- "name": "323f890e-c4d6-4c84-a3d8-f3d4277d3c2f:panel_323f890e-c4d6-4c84-a3d8-f3d4277d3c2f",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_caf9e826-fb3c-47bb-a533-8ede2b34b7b7:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_billing-05d5b3e0-c1c9-11ea-b7e7-0f48178cdb3c",
- "name": "fb121db4-1343-4e4d-b1a3-e3f3531ae045:panel_fb121db4-1343-4e4d-b1a3-e3f3531ae045",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_ee85a301-febf-4d9c-90b2-d414fcdb73e5:optionsListDataView",
+ "type": "index-pattern"
}
],
- "type": "dashboard",
- "updated_at": "2021-08-04T16:30:43.912Z",
- "version": "WzM0OTksMV0="
+ "type": "dashboard"
}
\ No newline at end of file
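Review bot: The three sibling donut panels are configured inconsistently: "Subscriptions" uses `"numberDisplay": "hidden"` while "Resource groups" and "Resources" use `"numberDisplay": "percent"`, and only the first two set `"legendSize": "large"`. If the difference is not deliberate, aligning them (`"legendSize": "large"` and `"numberDisplay": "percent"` on all three) keeps the top row of the dashboard uniform. Separately, the file still ends without a trailing newline (the `\ No newline at end of file` marker applies to the new side as well); adding one avoids noisy diffs the next time the dashboard is re-exported. Both points are cosmetic and do not affect how Kibana loads the saved object.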
diff --git a/packages/azure_billing/kibana/visualization/azure_billing-05d5b3e0-c1c9-11ea-b7e7-0f48178cdb3c.json b/packages/azure_billing/kibana/visualization/azure_billing-05d5b3e0-c1c9-11ea-b7e7-0f48178cdb3c.json
deleted file mode 100644
index cc5418cd914..00000000000
--- a/packages/azure_billing/kibana/visualization/azure_billing-05d5b3e0-c1c9-11ea-b7e7-0f48178cdb3c.json
+++ /dev/null
@@ -1,91 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Usage Details [Azure Billing]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "1f64e4e0-c1c7-11ea-879f-d1f118e66220"
- }
- ],
- "bar_color_rules": [
- {
- "id": "20dbcd70-c1c7-11ea-879f-d1f118e66220"
- }
- ],
- "drop_last_bucket": 1,
- "gauge_color_rules": [
- {
- "id": "22692430-c1c7-11ea-879f-d1f118e66220"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "24h",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "bar",
- "color": "rgba(22,165,165,1)",
- "fill": "0.5",
- "formatter": "number",
- "id": "d09632c0-c120-11ea-b262-d3ff1f3885f8",
- "label": "Usage Details",
- "line_width": "2",
- "metrics": [
- {
- "agg_with": "sum",
- "field": "azure.billing.pretax_cost",
- "id": "d09632c1-c120-11ea-b262-d3ff1f3885f8",
- "order": "desc",
- "order_by": "@timestamp",
- "size": 1,
- "type": "sum"
- }
- ],
- "offset_time": "",
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": "kibana",
- "split_mode": "everything",
- "stacked": "none",
- "steps": 0,
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "azure.billing.usage_start",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Usage Details [Azure Billing]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "8.0.0",
- "id": "azure_billing-05d5b3e0-c1c9-11ea-b7e7-0f48178cdb3c",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:30:43.912Z",
- "version": "WzM1MDUsMV0="
-}
\ No newline at end of file
diff --git a/packages/azure_billing/kibana/visualization/azure_billing-6ffa7e20-c1da-11ea-b7e7-0f48178cdb3c.json b/packages/azure_billing/kibana/visualization/azure_billing-6ffa7e20-c1da-11ea-b7e7-0f48178cdb3c.json
deleted file mode 100644
index f7d53366d5c..00000000000
--- a/packages/azure_billing/kibana/visualization/azure_billing-6ffa7e20-c1da-11ea-b7e7-0f48178cdb3c.json
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Billing subscriptions [Azure Billing]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "customLabel": "Total costs",
- "field": "azure.billing.pretax_cost"
- },
- "schema": "metric",
- "type": "sum"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "field": "azure.subscription_id",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "segment",
- "type": "terms"
- }
- ],
- "params": {
- "addLegend": true,
- "addTooltip": true,
- "distinctColors": true,
- "isDonut": true,
- "labels": {
- "last_level": true,
- "show": false,
- "truncate": 100,
- "values": true
- },
- "legendPosition": "right",
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
- },
- "type": "pie"
- },
- "title": "Billing subscriptions [Azure Billing]",
- "type": "pie"
- }
- },
- "coreMigrationVersion": "8.0.0",
- "id": "azure_billing-6ffa7e20-c1da-11ea-b7e7-0f48178cdb3c",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-08-04T16:30:43.912Z",
- "version": "WzM1MDEsMV0="
-}
\ No newline at end of file
diff --git a/packages/azure_billing/kibana/visualization/azure_billing-82a51dd0-c1d7-11ea-b7e7-0f48178cdb3c.json b/packages/azure_billing/kibana/visualization/azure_billing-82a51dd0-c1d7-11ea-b7e7-0f48178cdb3c.json
deleted file mode 100644
index 6c324c7e55c..00000000000
--- a/packages/azure_billing/kibana/visualization/azure_billing-82a51dd0-c1d7-11ea-b7e7-0f48178cdb3c.json
+++ /dev/null
@@ -1,139 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Billing Filters [Azure Billing]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "controls": [
- {
- "fieldName": "azure.billing.department_name",
- "id": "1594294278147",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Department",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.billing.account_name",
- "id": "1594294329560",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Account",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.subscription_id",
- "id": "1549397251041",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "Subscription",
- "options": {
- "dynamicOptions": true,
- "multiselect": false,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.group",
- "id": "1549512142947",
- "indexPatternRefName": "control_3_index_pattern",
- "label": "Resource Group",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.name",
- "id": "1578578146383",
- "indexPatternRefName": "control_4_index_pattern",
- "label": "Resource Name",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": true,
- "useTimeFilter": false
- },
- "title": "Billing Filters [Azure Billing]",
- "type": "input_control_vis"
- }
- },
- "coreMigrationVersion": "8.0.0",
- "id": "azure_billing-82a51dd0-c1d7-11ea-b7e7-0f48178cdb3c",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_3_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_4_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-08-04T16:30:43.912Z",
- "version": "WzM1MDAsMV0="
-}
\ No newline at end of file
diff --git a/packages/azure_billing/kibana/visualization/azure_billing-9142aca0-c1c7-11ea-b7e7-0f48178cdb3c.json b/packages/azure_billing/kibana/visualization/azure_billing-9142aca0-c1c7-11ea-b7e7-0f48178cdb3c.json
deleted file mode 100644
index 76a66e5b1b0..00000000000
--- a/packages/azure_billing/kibana/visualization/azure_billing-9142aca0-c1c7-11ea-b7e7-0f48178cdb3c.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Charges Forecast [Azure Billing]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "1f64e4e0-c1c7-11ea-879f-d1f118e66220"
- }
- ],
- "bar_color_rules": [
- {
- "id": "20dbcd70-c1c7-11ea-879f-d1f118e66220"
- }
- ],
- "drop_last_bucket": 1,
- "gauge_color_rules": [
- {
- "id": "22692430-c1c7-11ea-879f-d1f118e66220"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "24h",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(25,77,51,1)",
- "fill": "0.7",
- "formatter": "number",
- "hide_in_legend": 0,
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Actual costs",
- "line_width": 1,
- "metrics": [
- {
- "agg_with": "avg",
- "field": "azure.billing.actual_cost",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "order": "desc",
- "order_by": "@timestamp",
- "size": 1,
- "type": "top_hit"
- }
- ],
- "override_index_pattern": 0,
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": "kibana",
- "split_mode": "everything",
- "stacked": "none",
- "steps": 1,
- "terms_field": "azure.billing.usage_date",
- "type": "timeseries",
- "value_template": "{{value}}"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,188,0,1)",
- "fill": "0.5",
- "formatter": "number",
- "id": "d09632c0-c120-11ea-b262-d3ff1f3885f8",
- "label": "Forecast costs",
- "line_width": "2",
- "metrics": [
- {
- "agg_with": "avg",
- "field": "azure.billing.forecast_cost",
- "id": "d09632c1-c120-11ea-b262-d3ff1f3885f8",
- "order": "desc",
- "order_by": "@timestamp",
- "size": 1,
- "type": "top_hit"
- }
- ],
- "offset_time": "",
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": "kibana",
- "split_mode": "everything",
- "stacked": "none",
- "steps": 0,
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "azure.billing.usage_date",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Charges Forecast [Azure Billing]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "8.0.0",
- "id": "azure_billing-9142aca0-c1c7-11ea-b7e7-0f48178cdb3c",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization",
- "updated_at": "2021-08-04T16:30:43.912Z",
- "version": "WzM1MDQsMV0="
-}
\ No newline at end of file
diff --git a/packages/azure_billing/kibana/visualization/azure_billing-b18053b0-c1da-11ea-b7e7-0f48178cdb3c.json b/packages/azure_billing/kibana/visualization/azure_billing-b18053b0-c1da-11ea-b7e7-0f48178cdb3c.json
deleted file mode 100644
index 85642f61995..00000000000
--- a/packages/azure_billing/kibana/visualization/azure_billing-b18053b0-c1da-11ea-b7e7-0f48178cdb3c.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Billing resource groups [Azure Billing]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "customLabel": "Total costs",
- "field": "azure.billing.pretax_cost"
- },
- "schema": "metric",
- "type": "sum"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "field": "azure.resource.group",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "segment",
- "type": "terms"
- }
- ],
- "params": {
- "addLegend": true,
- "addTooltip": true,
- "distinctColors": true,
- "isDonut": true,
- "labels": {
- "last_level": true,
- "show": false,
- "truncate": 100,
- "values": true
- },
- "legendPosition": "right",
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
- },
- "row": true,
- "type": "pie"
- },
- "title": "Billing resource groups [Azure Billing]",
- "type": "pie"
- }
- },
- "coreMigrationVersion": "8.0.0",
- "id": "azure_billing-b18053b0-c1da-11ea-b7e7-0f48178cdb3c",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-08-04T16:30:43.912Z",
- "version": "WzM1MDIsMV0="
-}
\ No newline at end of file
diff --git a/packages/azure_billing/kibana/visualization/azure_billing-c8016f70-c1da-11ea-b7e7-0f48178cdb3c.json b/packages/azure_billing/kibana/visualization/azure_billing-c8016f70-c1da-11ea-b7e7-0f48178cdb3c.json
deleted file mode 100644
index 7106b9032ed..00000000000
--- a/packages/azure_billing/kibana/visualization/azure_billing-c8016f70-c1da-11ea-b7e7-0f48178cdb3c.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Billing resource names [Azure Billing]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "customLabel": "Total costs",
- "field": "azure.billing.pretax_cost"
- },
- "schema": "metric",
- "type": "sum"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "field": "azure.resource.name",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "segment",
- "type": "terms"
- }
- ],
- "params": {
- "addLegend": true,
- "addTooltip": true,
- "distinctColors": true,
- "isDonut": true,
- "labels": {
- "last_level": true,
- "show": false,
- "truncate": 100,
- "values": true
- },
- "legendPosition": "right",
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
- },
- "row": true,
- "type": "pie"
- },
- "title": "Billing resource names [Azure Billing]",
- "type": "pie"
- }
- },
- "coreMigrationVersion": "8.0.0",
- "id": "azure_billing-c8016f70-c1da-11ea-b7e7-0f48178cdb3c",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-08-04T16:30:43.912Z",
- "version": "WzM1MDMsMV0="
-}
\ No newline at end of file
diff --git a/packages/azure_billing/manifest.yml b/packages/azure_billing/manifest.yml
index cd7898e7fd2..63ae560d91d 100644
--- a/packages/azure_billing/manifest.yml
+++ b/packages/azure_billing/manifest.yml
@@ -1,7 +1,6 @@
name: azure_billing
title: Azure Billing Metrics
-version: 1.1.2
-release: ga
+version: 1.2.0
description: Collect billing metrics with Elastic Agent.
type: integration
icons:
@@ -14,13 +13,13 @@ screenshots:
title: App State Overview
size: 5120x2562
type: image/png
-format_version: 1.0.0
-license: basic
+format_version: 2.9.0
categories:
- observability
- azure
conditions:
- kibana.version: "^7.15.0 || ^8.0.0"
+ kibana.version: "^8.3.0"
+ elastic.subscription: "basic"
vars:
- name: client_id
type: text
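Review bot: The new `kibana.version: "^8.3.0"` constraint drops the 7.x range that the removed `"^7.15.0 || ^8.0.0"` line admitted, so Kibana 7.15–7.17 stacks will stop receiving this package, while the version in the preceding hunk only moves 1.1.2 → 1.2.0. The azure_billing changelog is not in this chunk, so I can't confirm it records the cut; the 1.2.0 entry should state that Kibana 7.x is no longer supported and why 8.3.0 is the floor (presumably tied to the `elastic.subscription: "basic"` condition that replaces the removed top-level `license: basic` — worth confirming). Note also that this package lands on `format_version: 2.9.0` while `azure_blob_storage` in the same diff goes to `"3.0.0"`; fine if intentional, but it is easy to miss that with the `release: ga` line removed the GA status is now derived from the version number alone.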
diff --git a/packages/azure_blob_storage/_dev/build/build.yml b/packages/azure_blob_storage/_dev/build/build.yml
index 84034dcea1e..c1af686e524 100644
--- a/packages/azure_blob_storage/_dev/build/build.yml
+++ b/packages/azure_blob_storage/_dev/build/build.yml
@@ -1,4 +1,4 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
import_mappings: true
diff --git a/packages/azure_blob_storage/changelog.yml b/packages/azure_blob_storage/changelog.yml
index 2ed54ad794f..5fca66792cb 100644
--- a/packages/azure_blob_storage/changelog.yml
+++ b/packages/azure_blob_storage/changelog.yml
@@ -1,3 +1,18 @@
+- version: 0.7.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "0.6.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "0.5.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "0.4.0"
changes:
- description: Update package to ECS 8.8.0.
diff --git a/packages/azure_blob_storage/kibana/tags.yml b/packages/azure_blob_storage/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/azure_blob_storage/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/azure_blob_storage/manifest.yml b/packages/azure_blob_storage/manifest.yml
index a2710b4f928..9b28b2895a5 100644
--- a/packages/azure_blob_storage/manifest.yml
+++ b/packages/azure_blob_storage/manifest.yml
@@ -1,11 +1,12 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: azure_blob_storage
title: Custom Azure Blob Storage Input
description: Collect JSON data from configured Azure Blob Storage Container with Elastic Agent.
type: integration
-version: "0.4.0"
+version: "0.7.0"
conditions:
- kibana.version: "^8.6.2"
+ kibana:
+ version: "^8.6.2"
categories:
- custom
- cloud
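Review bot: The removed `format_version: 2.7.0` line contradicts the 0.7.0 changelog entry added in this same diff, which says the format_version "changed from 2.11.0 to 3.0.0"; if this hunk is accurate the changelog should read `from 2.7.0 to 3.0.0`, and if the manifest was bumped to 2.11.0 in between, that commit is missing here. Because 3.0.0 is a major spec bump that also absorbs the 2.8–2.11 rule changes, it would help reviewers to list which ones bite this package; the `kibana.version` → nested `kibana: version:` rewrite and the `owner.type: elastic` addition in the next hunk are the visible consequences, but I cannot tell from this chunk whether other files in the package (e.g. data stream manifests) still use dotted keys that 3.0.0 rejects.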
@@ -22,3 +23,4 @@ icons:
type: "image/svg+xml"
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/azure_frontdoor/_dev/build/build.yml b/packages/azure_frontdoor/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/azure_frontdoor/_dev/build/build.yml
+++ b/packages/azure_frontdoor/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/azure_frontdoor/changelog.yml b/packages/azure_frontdoor/changelog.yml
index 93745091b00..4435ceb2ab1 100644
--- a/packages/azure_frontdoor/changelog.yml
+++ b/packages/azure_frontdoor/changelog.yml
@@ -1,3 +1,13 @@
+- version: "1.2.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.1.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.0.0"
changes:
- description: Release Azure Frontdoor as GA.
diff --git a/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log-expected.json b/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log-expected.json
index 13cee92bcfd..514e24805af 100644
--- a/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log-expected.json
+++ b/packages/azure_frontdoor/data_stream/access/_dev/test/pipeline/test-fdaccess.log-expected.json
@@ -30,7 +30,7 @@
"provider": "azure"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -129,7 +129,7 @@
"provider": "azure"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -222,7 +222,7 @@
"provider": "azure"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml
index 788b675d01d..350b11f5514 100644
--- a/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing azure frontdoor access logs
processors:
- set:
field: ecs.version
- value: "8.8.0"
+ value: "8.9.0"
- set:
field: event.category
value: [network]
diff --git a/packages/azure_frontdoor/data_stream/access/sample_event.json b/packages/azure_frontdoor/data_stream/access/sample_event.json
index 1ecb1f8fc58..3974ff97482 100644
--- a/packages/azure_frontdoor/data_stream/access/sample_event.json
+++ b/packages/azure_frontdoor/data_stream/access/sample_event.json
@@ -40,7 +40,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "d7426e8a-1535-4d9a-8f1e-1d5eab23567b",
diff --git a/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log-expected.json b/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log-expected.json
index 61b72e9de45..ec56e62a852 100644
--- a/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log-expected.json
+++ b/packages/azure_frontdoor/data_stream/waf/_dev/test/pipeline/test-fdwaf.log-expected.json
@@ -24,7 +24,7 @@
"provider": "azure"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Log",
@@ -91,7 +91,7 @@
"provider": "azure"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Block",
diff --git a/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml b/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
index 977c9d9d553..1059c648071 100644
--- a/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing azure frontdoor waf logs
processors:
- set:
field: ecs.version
- value: "8.8.0"
+ value: "8.9.0"
- set:
field: event.category
value: [network]
diff --git a/packages/azure_frontdoor/data_stream/waf/sample_event.json b/packages/azure_frontdoor/data_stream/waf/sample_event.json
index 84d78cafaa0..098db5b58ff 100644
--- a/packages/azure_frontdoor/data_stream/waf/sample_event.json
+++ b/packages/azure_frontdoor/data_stream/waf/sample_event.json
@@ -34,7 +34,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "96bfc189-b7b0-43a7-8d45-a95fdac6425b",
diff --git a/packages/azure_frontdoor/docs/README.md b/packages/azure_frontdoor/docs/README.md
index e1cdb166c63..825c50e470a 100644
--- a/packages/azure_frontdoor/docs/README.md
+++ b/packages/azure_frontdoor/docs/README.md
@@ -109,10 +109,10 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.id | Unique ID to describe the event. | keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
@@ -241,10 +241,10 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.id | Unique ID to describe the event. | keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
diff --git a/packages/azure_frontdoor/kibana/tags.yml b/packages/azure_frontdoor/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/azure_frontdoor/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/azure_frontdoor/manifest.yml b/packages/azure_frontdoor/manifest.yml
index 25b862bcace..5d08fc3ab1e 100644
--- a/packages/azure_frontdoor/manifest.yml
+++ b/packages/azure_frontdoor/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.7.0
+format_version: 2.11.0
name: azure_frontdoor
title: "Azure Frontdoor"
-version: "1.0.0"
+version: "1.2.0"
description: "This Elastic integration collects logs from Azure Frontdoor."
type: integration
categories:
diff --git a/packages/azure_functions/LICENSE.txt b/packages/azure_functions/LICENSE.txt
new file mode 100644
index 00000000000..809108b857f
--- /dev/null
+++ b/packages/azure_functions/LICENSE.txt
@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/azure_functions/_dev/build/build.yml b/packages/azure_functions/_dev/build/build.yml
new file mode 100644
index 00000000000..47cbed9fed8
--- /dev/null
+++ b/packages/azure_functions/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v8.0.0
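Review bot: The new package pins its ECS dependency to `reference: git@v8.0.0`, while sibling packages in this same diff (`azure_blob_storage`, `azure_frontdoor`) are being moved from `git@v8.8.0` to `git@v8.9.0`. Starting a fresh package on a reference that far behind the rest of the repository means its generated field definitions and the `ecs.version` its pipelines stamp will lag from day one and need a catch-up bump; unless there is a deliberate reason (for example a field this package relies on that changed after 8.0.0), set `reference: git@v8.9.0` before the first release. The package's ingest pipelines and field files are not in this chunk, so I can't confirm whether they set `ecs.version` or whether `import_mappings: true` is wanted here as it is for `azure_blob_storage`.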
diff --git a/packages/azure_functions/_dev/build/docs/README.md b/packages/azure_functions/_dev/build/docs/README.md
new file mode 100644
index 00000000000..42c03120057
--- /dev/null
+++ b/packages/azure_functions/_dev/build/docs/README.md
@@ -0,0 +1,204 @@
+# Azure Functions
+
+The Azure Functions integration allows you to monitor Azure Functions. Azure Functions is an event-driven, serverless compute platform that helps you develop more efficiently using the programming language of your choice. Triggers cause a function to run. A trigger defines how a function is invoked and a function must have exactly one trigger.
+
+Use this integration to build web APIs, respond to database changes, process IoT streams, manage message queues, and more. Refer common [Azure Functions scenarios](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scenarios?pivots=programming-language-csharp) for more information.
+
+
+## Data streams
+The Azure Functions integration contains two data streams: [Function App Logs](#logs) and [Metrics](#metrics)
+
+### Logs
+
+Supported log categories:
+
+| Log Category | Description |
+|:----------------------------:|:------------------------------------------------------------------------------------------------------------------------------------:|
+| Functionapplogs | Function app logs. |
+
+
+#### Requirements and setup
+
+Refer to the [Azure Logs](https://docs.elastic.co/integrations/azure) page for more information about setting up and using this integration.
+
+#### Configuration options
+`eventhub` :
+ _string_
+An Event Hub is a fully managed, real-time data ingestion service. Elastic recommends using only letters, numbers, and the hyphen (-) character for Event Hub names to maximize compatibility. You can use existing Event Hubs having underscores (_) in the Event Hub name; in this case, the integration will replace underscores with hyphens (-) when it uses the Event Hub name to create dependent Azure resources behind the scenes (e.g., the storage account container to store Event Hub consumer offsets). Elastic also recommends using a separate event hub for each log type as the field mappings of each log type differ.
+Default value `insights-operational-logs`.
+
+`consumer_group` :
+_string_
+ The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets.
+Default value: `$Default`
+
+`connection_string` :
+_string_
+The connection string is required to communicate with Event Hubs, see steps [here](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string).
+
+A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the Azure logs package it can start back up at the spot that it stopped processing messages.
+
+`storage_account` :
+_string_
+The name of the storage account where the state/offsets will be stored and updated.
+
+`storage_account_key` :
+_string_
+The storage account key, this key will be used to authorize access to data in your storage account.
+
+`storage_account_container` :
+_string_
+The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.
+
+`resource_manager_endpoint` :
+_string_
+Optional, by default we are using the Azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different Azure environment.
+
+Resource manager endpoints:
+
+```text
+# Azure ChinaCloud
+https://management.chinacloudapi.cn/
+
+# Azure GermanCloud
+https://management.microsoftazure.de/
+
+# Azure PublicCloud
+https://management.azure.com/
+
+# Azure USGovernmentCloud
+https://management.usgovcloudapi.net/
+```
+
+{{event "functionapplogs"}}
+
+{{fields "functionapplogs"}}
+
+### Metrics
+**Metrics** give you insight into the performance of your Azure Function Apps. The integration includes an out-of-the-box dashboard for visualising the monitoring data generated by apps hosted in Azure Functions.
+
+#### Requirements
+
+To use this integration you will need:
+
+* **Azure App Registration**: You need to set up an Azure App Registration to allow the Agent to access the Azure APIs. The App Registration requires the Monitoring Reader role to access to be able to collect metrics from Function Apps. See more details in the Setup section.
+* **Elasticsearch and Kibana**: You need Elasticsearch to store and search your data and Kibana to visualize and manage it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, the [Native Azure Integration](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/elastic.elasticsearch?tab=Overview), or self-manage the Elastic Stack on your hardware.
+
+#### Setup
+
+
+```text
+ ┌────────────────────┐ ┌─────────┐ ┌─-─────────────────────┐
+ │ │ │ │ │ azure.functions │
+ │ Azure APIs │──────▶│ Agent │──────▶│ <> │
+ │ │ │ │ │ │
+ └────────────────────┘ └─────────┘ └───-───────────────────┘
+```
+
+Elastic Agent needs an App Registration to access Azure on your behalf to collect data using the Azure REST APIs. App Registrations are required to access Azure APIs programmatically.
+
+To start collecting data with this integration, you need to:
+
+* Set up a new Azure app registration by registering an app, adding credentials, and assigning an appropriate role.
+* Specify integration [settings](#main-options) in Kibana, which will determine how the integration will access the Azure APIs.
+
+#### Register a new app
+
+To create a new app registration:
+
+1. Sign in to the [Azure Portal](https://portal.azure.com/).
+2. Search for and select **Azure Active Directory**.
+3. Under **Manage**, select **App registrations** > **New registration**.
+4. Enter a display _Name_ for your application (for example, "elastic-agent").
+5. Specify who can use the application.
+6. Don't enter anything for _Redirect URI_. This is optional and the agent doesn't use it.
+7. Select **Register** to complete the initial app registration.
+
+Take note of the **Application (client) ID**, which you will use later when specifying the **Client ID** in the integration settings.
+
+#### Add credentials
+
+Credentials allow your application to access Azure APIs and authenticate itself, requiring no interaction from a user at runtime.
+
+This integration uses Client Secrets to prove its identity.
+
+1. In the [Azure Portal](https://portal.azure.com/), select the application you created in the previous section.
+2. Select **Certificates & secrets** > **Client secrets** > **New client secret**.
+3. Add a description (for example, "Elastic Agent client secrets").
+4. Select an expiration for the secret or specify a custom lifetime.
+5. Select **Add**.
+
+Take note of the content in the **Value** column in the **Client secrets** table, which you will use later when specifying a **Client Secret** in the integration settings. **This secret value is never displayed again after you leave this page.** Record the secret's value in a safe place.
+
+#### Assign role
+
+1. In the [Azure Portal](https://portal.azure.com/), search for and select **Subscriptions**.
+2. Select the subscription to assign the application.
+3. Select **Access control (IAM)**.
+4. Select **Add** > **Add role assignment** to open the _Add role assignment page_.
+5. In the **Role** tab, search and select the role **Monitoring Reader**.
+6. Select the **Next** button to move to the **Members** tab.
+7. Select **Assign access to** > **User, group, or service principal**, and select **Select members**. This page does not display Azure AD applications in the available options by default.
+8. To find your application, search by name (for example, "elastic-agent") and select it from the list.
+9. Click the **Select** button.
+10. Then click the **Review + assign** button.
+
+Take note of the following values, which you will use later when specifying settings.
+
+* `Subscription ID`: use the content of the "Subscription ID" you selected.
+* `Tenant ID`: use the "Tenant ID" from the Azure Active Directory you use.
+
+Your App Registration is now ready to be used with the Elastic Agent.
+
+#### Additional Resources
+
+If you want to learn more about this process, you can read these two general guides from Microsoft:
+
+* [Quickstart: Register an application with the Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
+* [Use the portal to create an Azure AD application and service principal that can access resources](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
+
+#### Main options
+
+The settings' main section contains all the options needed to access the Azure APIs and collect the Azure Functions metrics data. You will now use all the values from [App registration](#register-a-new-app) including:
+
+`Client ID` _string_
+: The unique identifier of the App Registration (sometimes referred to as Application ID).
+
+`Client Secret` _string_
+: The client secret for authentication.
+
+`Subscription ID` _string_
+: The unique identifier for the Azure subscription. You can provide just one subscription ID. The Agent uses this ID to access Azure APIs.
+
+`Tenant ID` _string_
+: The unique identifier of the Azure Active Directory's Tenant ID.
+
+#### Advanced options
+
+There are two additional advanced options:
+
+`Resource Manager Endpoint` _string_
+: Optional. By default, the integration uses the Azure public environment. To override, users can provide a specific resource manager endpoint to use a different Azure environment.
+
+Examples:
+
+* `https://management.chinacloudapi.cn` for Azure ChinaCloud
+* `https://management.microsoftazure.de` for Azure GermanCloud
+* `https://management.azure.com` for Azure PublicCloud
+* `https://management.usgovcloudapi.net` for Azure USGovernmentCloud
+
+`Active Directory Endpoint` _string_
+: Optional. By default, the integration uses the associated Active Directory Endpoint. To override, users can provide a specific active directory endpoint to use a different Azure environment.
+
+Examples:
+
+* `https://login.chinacloudapi.cn` for Azure ChinaCloud
+* `https://login.microsoftonline.de` for Azure GermanCloud
+* `https://login.microsoftonline.com` for Azure PublicCloud
+* `https://login.microsoftonline.us` for Azure USGovernmentCloud
+
+#### Metrics Reference
+
+{{event "metrics"}}
+
+{{fields "metrics"}}
diff --git a/packages/azure_functions/changelog.yml b/packages/azure_functions/changelog.yml
new file mode 100644
index 00000000000..b32204fde0b
--- /dev/null
+++ b/packages/azure_functions/changelog.yml
@@ -0,0 +1,11 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Add Azure Functions metrics data stream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7130
+- version: "0.0.1"
+ changes:
+ - description: Add Azure Functions logs data stream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6417
diff --git a/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-error-raw.log b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-error-raw.log
new file mode 100644
index 00000000000..b316ff83cd2
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-error-raw.log
@@ -0,0 +1 @@
+{"time":"2023-06-07T11:33:11Z","resourceId":"/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION","category":"FunctionAppLogs","operationName":"Microsoft.Web/sites/functions/log","level":"Error","location":"East US","properties":{"appName":"mbranca-test-function","roleInstance":"54108609-638217294083255145","message":"Executed Functions.hello (Failed, Id=3a4b2e78-0549-4ebc-ba4c-ee9a6bc9a04e, Duration=16ms)","category":"Function.hello","hostVersion":"4.21.3.3","functionInvocationId":"3a4b2e78-0549-4ebc-ba4c-ee9a6bc9a04e","functionName":"Functions.hello","hostInstanceId":"8699ec76-436a-43e2-a811-371c8e1472d7","level":"Error","levelId":4,"processId":64,"exceptionDetails":"Microsoft.Azure.WebJobs.Host.FunctionInvocationException : Exception while executing function: Functions.hello ---> Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException : Result: Failure\nException: Exception: Ka-booom!\nStack: File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\", line 479, in _handle__invocation_request\n call_result = await self._loop.run_in_executor(\n File \"/usr/local/lib/python3.9/concurrent/futures/thread.py\", line 58, in run\n result = self.fn(*self.args, **self.kwargs)\n File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\", line 752, in _run_sync_func\n return ExtensionManager.get_sync_invocation_wrapper(context,\n File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/extension.py\", line 215, in _raw_invocation_wrapper\n result = function(**args)\n File \"/home/site/wwwroot/hello/__init__.py\", line 22, in main\n raise Exception(\"Ka-booom!\")\n\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Script.Description.WorkerFunctionInvoker.InvokeCore(Object[] parameters,FunctionInvocationContext context) at 
/src/azure-functions-host/src/WebJobs.Script/Description/Workers/WorkerFunctionInvoker.cs : 101\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Script.Description.FunctionInvokerBase.Invoke(Object[] parameters) at /src/azure-functions-host/src/WebJobs.Script/Description/FunctionInvokerBase.cs : 82\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Script.Description.FunctionGenerator.Coerce[T](Task`1 src) at /src/azure-functions-host/src/WebJobs.Script/Description/FunctionGenerator.cs : 225\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`2.InvokeAsync[TReflected,TReturnValue](Object instance,Object[] arguments) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionInvoker.cs : 52\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeWithTimeoutAsync(IFunctionInvoker invoker,ParameterHelper parameterHelper,CancellationTokenSource timeoutTokenSource,CancellationTokenSource functionCancellationTokenSource,Boolean throwOnTimeout,TimeSpan timerInterval,IFunctionInstance instance) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 581\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstanceEx instance,ParameterHelper parameterHelper,ILogger logger,CancellationTokenSource functionCancellationTokenSource) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 527\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance,FunctionStartedMessage 
message,FunctionInstanceLogEntry instanceLogEntry,ParameterHelper parameterHelper,ILogger logger,CancellationToken cancellationToken) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 306\n End of inner exception\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance,FunctionStartedMessage message,FunctionInstanceLogEntry instanceLogEntry,ParameterHelper parameterHelper,ILogger logger,CancellationToken cancellationToken) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 352\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.TryExecuteAsync(IFunctionInstance functionInstance,CancellationToken cancellationToken) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 108","exceptionMessage":"Result: Failure\nException: Exception: Ka-booom!\nStack: File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\", line 479, in _handle__invocation_request\n call_result = await self._loop.run_in_executor(\n File \"/usr/local/lib/python3.9/concurrent/futures/thread.py\", line 58, in run\n result = self.fn(*self.args, **self.kwargs)\n File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\", line 752, in _run_sync_func\n return ExtensionManager.get_sync_invocation_wrapper(context,\n File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/extension.py\", line 215, in _raw_invocation_wrapper\n result = function(**args)\n File \"/home/site/wwwroot/hello/__init__.py\", line 22, in main\n raise Exception(\"Ka-booom!\")\n","exceptionType":"Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException","eventId":3,"eventName":"FunctionCompleted"}}
\ No newline at end of file
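Review bot: The fixture carries `12CABCB4-86E8-404F-A3D2-1DC9982F45CA` as the Azure subscription id and `mbranca-test-function` as the app name; if these were captured from a live tenant rather than invented, they should be replaced with obviously synthetic values (for example an all-zeros GUID and `test-function`) before they are committed, because pipeline fixtures are public and the same values are copied verbatim into the generated expected output. The second fixture, test-azure-functions-raw.log, repeats the same subscription id and the same check applies there. As a minor style point both fixtures also end without a trailing newline, which the diff flags with `\ No newline at end of file`; adding one keeps future diffs against these files clean.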
diff --git a/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-error-raw.log-expected.json b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-error-raw.log-expected.json
new file mode 100644
index 00000000000..6e6ff04875e
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-error-raw.log-expected.json
@@ -0,0 +1,56 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-06-07T11:33:11.000Z",
+ "azure": {
+ "category": "FunctionAppLogs",
+ "function": {
+ "app_name": "mbranca-test-function",
+ "category": "Function.hello",
+ "event_id": 3,
+ "event_name": "FunctionCompleted",
+ "exception_details": "Microsoft.Azure.WebJobs.Host.FunctionInvocationException : Exception while executing function: Functions.hello ---\u003e Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException : Result: Failure\nException: Exception: Ka-booom!\nStack: File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\", line 479, in _handle__invocation_request\n call_result = await self._loop.run_in_executor(\n File \"/usr/local/lib/python3.9/concurrent/futures/thread.py\", line 58, in run\n result = self.fn(*self.args, **self.kwargs)\n File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\", line 752, in _run_sync_func\n return ExtensionManager.get_sync_invocation_wrapper(context,\n File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/extension.py\", line 215, in _raw_invocation_wrapper\n result = function(**args)\n File \"/home/site/wwwroot/hello/__init__.py\", line 22, in main\n raise Exception(\"Ka-booom!\")\n\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Script.Description.WorkerFunctionInvoker.InvokeCore(Object[] parameters,FunctionInvocationContext context) at /src/azure-functions-host/src/WebJobs.Script/Description/Workers/WorkerFunctionInvoker.cs : 101\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Script.Description.FunctionInvokerBase.Invoke(Object[] parameters) at /src/azure-functions-host/src/WebJobs.Script/Description/FunctionInvokerBase.cs : 82\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Script.Description.FunctionGenerator.Coerce[T](Task`1 src) at /src/azure-functions-host/src/WebJobs.Script/Description/FunctionGenerator.cs : 225\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async 
Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`2.InvokeAsync[TReflected,TReturnValue](Object instance,Object[] arguments) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionInvoker.cs : 52\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeWithTimeoutAsync(IFunctionInvoker invoker,ParameterHelper parameterHelper,CancellationTokenSource timeoutTokenSource,CancellationTokenSource functionCancellationTokenSource,Boolean throwOnTimeout,TimeSpan timerInterval,IFunctionInstance instance) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 581\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstanceEx instance,ParameterHelper parameterHelper,ILogger logger,CancellationTokenSource functionCancellationTokenSource) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 527\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance,FunctionStartedMessage message,FunctionInstanceLogEntry instanceLogEntry,ParameterHelper parameterHelper,ILogger logger,CancellationToken cancellationToken) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 306\n End of inner exception\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance,FunctionStartedMessage message,FunctionInstanceLogEntry instanceLogEntry,ParameterHelper parameterHelper,ILogger logger,CancellationToken cancellationToken) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 
352\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.TryExecuteAsync(IFunctionInstance functionInstance,CancellationToken cancellationToken) at D:\\a\\_work\\1\\s\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs : 108",
+ "exception_message": "Result: Failure\nException: Exception: Ka-booom!\nStack: File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\", line 479, in _handle__invocation_request\n call_result = await self._loop.run_in_executor(\n File \"/usr/local/lib/python3.9/concurrent/futures/thread.py\", line 58, in run\n result = self.fn(*self.args, **self.kwargs)\n File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\", line 752, in _run_sync_func\n return ExtensionManager.get_sync_invocation_wrapper(context,\n File \"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/extension.py\", line 215, in _raw_invocation_wrapper\n result = function(**args)\n File \"/home/site/wwwroot/hello/__init__.py\", line 22, in main\n raise Exception(\"Ka-booom!\")\n",
+ "exception_type": "Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException",
+ "host_instance_id": "8699ec76-436a-43e2-a811-371c8e1472d7",
+ "host_version": "4.21.3.3",
+ "invocation_id": "3a4b2e78-0549-4ebc-ba4c-ee9a6bc9a04e",
+ "level": "Error",
+ "level_id": 4,
+ "message": "Executed Functions.hello (Failed, Id=3a4b2e78-0549-4ebc-ba4c-ee9a6bc9a04e, Duration=16ms)",
+ "name": "Functions.hello",
+ "process_id": 64,
+ "role_instance": "54108609-638217294083255145"
+ },
+ "operation_name": "Microsoft.Web/sites/functions/log",
+ "resource": {
+ "group": "TEST-RG",
+ "id": "/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION",
+ "name": "TEST-FUNCTION",
+ "provider": "MICROSOFT.WEB/SITES"
+ },
+ "subscription_id": "12CABCB4-86E8-404F-A3D2-1DC9982F45CA"
+ },
+ "cloud": {
+ "account": {
+ "id": "12CABCB4-86E8-404F-A3D2-1DC9982F45CA"
+ },
+ "provider": "azure"
+ },
+ "ecs": {
+ "version": "8.8.0"
+ },
+ "event": {
+ "original": "{\"time\":\"2023-06-07T11:33:11Z\",\"resourceId\":\"/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION\",\"category\":\"FunctionAppLogs\",\"operationName\":\"Microsoft.Web/sites/functions/log\",\"level\":\"Error\",\"location\":\"East US\",\"properties\":{\"appName\":\"mbranca-test-function\",\"roleInstance\":\"54108609-638217294083255145\",\"message\":\"Executed Functions.hello (Failed, Id=3a4b2e78-0549-4ebc-ba4c-ee9a6bc9a04e, Duration=16ms)\",\"category\":\"Function.hello\",\"hostVersion\":\"4.21.3.3\",\"functionInvocationId\":\"3a4b2e78-0549-4ebc-ba4c-ee9a6bc9a04e\",\"functionName\":\"Functions.hello\",\"hostInstanceId\":\"8699ec76-436a-43e2-a811-371c8e1472d7\",\"level\":\"Error\",\"levelId\":4,\"processId\":64,\"exceptionDetails\":\"Microsoft.Azure.WebJobs.Host.FunctionInvocationException : Exception while executing function: Functions.hello ---\u003e Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException : Result: Failure\\nException: Exception: Ka-booom!\\nStack: File \\\"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\\\", line 479, in _handle__invocation_request\\n call_result = await self._loop.run_in_executor(\\n File \\\"/usr/local/lib/python3.9/concurrent/futures/thread.py\\\", line 58, in run\\n result = self.fn(*self.args, **self.kwargs)\\n File \\\"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\\\", line 752, in _run_sync_func\\n return ExtensionManager.get_sync_invocation_wrapper(context,\\n File \\\"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/extension.py\\\", line 215, in _raw_invocation_wrapper\\n result = function(**args)\\n File \\\"/home/site/wwwroot/hello/__init__.py\\\", line 22, in main\\n raise Exception(\\\"Ka-booom!\\\")\\n\\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\n at async 
Microsoft.Azure.WebJobs.Script.Description.WorkerFunctionInvoker.InvokeCore(Object[] parameters,FunctionInvocationContext context) at /src/azure-functions-host/src/WebJobs.Script/Description/Workers/WorkerFunctionInvoker.cs : 101\\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\n at async Microsoft.Azure.WebJobs.Script.Description.FunctionInvokerBase.Invoke(Object[] parameters) at /src/azure-functions-host/src/WebJobs.Script/Description/FunctionInvokerBase.cs : 82\\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\n at async Microsoft.Azure.WebJobs.Script.Description.FunctionGenerator.Coerce[T](Task`1 src) at /src/azure-functions-host/src/WebJobs.Script/Description/FunctionGenerator.cs : 225\\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`2.InvokeAsync[TReflected,TReturnValue](Object instance,Object[] arguments) at D:\\\\a\\\\_work\\\\1\\\\s\\\\src\\\\Microsoft.Azure.WebJobs.Host\\\\Executors\\\\FunctionInvoker.cs : 52\\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeWithTimeoutAsync(IFunctionInvoker invoker,ParameterHelper parameterHelper,CancellationTokenSource timeoutTokenSource,CancellationTokenSource functionCancellationTokenSource,Boolean throwOnTimeout,TimeSpan timerInterval,IFunctionInstance instance) at D:\\\\a\\\\_work\\\\1\\\\s\\\\src\\\\Microsoft.Azure.WebJobs.Host\\\\Executors\\\\FunctionExecutor.cs : 581\\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstanceEx instance,ParameterHelper parameterHelper,ILogger logger,CancellationTokenSource functionCancellationTokenSource) at D:\\\\a\\\\_work\\\\1\\\\s\\\\src\\\\Microsoft.Azure.WebJobs.Host\\\\Executors\\\\FunctionExecutor.cs : 527\\n at 
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance,FunctionStartedMessage message,FunctionInstanceLogEntry instanceLogEntry,ParameterHelper parameterHelper,ILogger logger,CancellationToken cancellationToken) at D:\\\\a\\\\_work\\\\1\\\\s\\\\src\\\\Microsoft.Azure.WebJobs.Host\\\\Executors\\\\FunctionExecutor.cs : 306\\n End of inner exception\\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance,FunctionStartedMessage message,FunctionInstanceLogEntry instanceLogEntry,ParameterHelper parameterHelper,ILogger logger,CancellationToken cancellationToken) at D:\\\\a\\\\_work\\\\1\\\\s\\\\src\\\\Microsoft.Azure.WebJobs.Host\\\\Executors\\\\FunctionExecutor.cs : 352\\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\n at async Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.TryExecuteAsync(IFunctionInstance functionInstance,CancellationToken cancellationToken) at D:\\\\a\\\\_work\\\\1\\\\s\\\\src\\\\Microsoft.Azure.WebJobs.Host\\\\Executors\\\\FunctionExecutor.cs : 108\",\"exceptionMessage\":\"Result: Failure\\nException: Exception: Ka-booom!\\nStack: File \\\"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\\\", line 479, in _handle__invocation_request\\n call_result = await self._loop.run_in_executor(\\n File \\\"/usr/local/lib/python3.9/concurrent/futures/thread.py\\\", line 58, in run\\n result = self.fn(*self.args, **self.kwargs)\\n File \\\"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py\\\", line 752, in _run_sync_func\\n return ExtensionManager.get_sync_invocation_wrapper(context,\\n File \\\"/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/extension.py\\\", line 215, in 
_raw_invocation_wrapper\\n result = function(**args)\\n File \\\"/home/site/wwwroot/hello/__init__.py\\\", line 22, in main\\n raise Exception(\\\"Ka-booom!\\\")\\n\",\"exceptionType\":\"Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException\",\"eventId\":3,\"eventName\":\"FunctionCompleted\"}}"
+ },
+ "observer": {
+ "product": "Azure Functions",
+ "type": "functions",
+ "vendor": "Azure"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-raw.log b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-raw.log
new file mode 100644
index 00000000000..775330393e4
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-raw.log
@@ -0,0 +1 @@
+{"time":"2023-05-23T20:11:59Z","resourceId":"/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION","category":"FunctionAppLogs","operationName":"Microsoft.Web/sites/functions/log","level":"Informational","location":"East US","properties":{"appName":"test-function","roleInstance":"54108609-638204200593759681","message":"Executing Functions.hello (Reason=This function was programmatically called via the host APIs., Id=d878e365-b3d6-4796-9292-7500acd0c677)","category":"Function.hello","hostVersion":"4.19.2.2","functionInvocationId":"d878e365-b3d6-4796-9292-7500acd0c677","functionName":"Functions.hello","hostInstanceId":"bb84c437-4c26-4d0b-a06d-7fc2f16976e3","level":"Information","levelId":2,"processId":67,"eventId":1,"eventName":"FunctionStarted"}}
\ No newline at end of file
diff --git a/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-raw.log-expected.json b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-raw.log-expected.json
new file mode 100644
index 00000000000..d2d387f78ad
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-azure-functions-raw.log-expected.json
@@ -0,0 +1,53 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-05-23T20:11:59.000Z",
+ "azure": {
+ "category": "FunctionAppLogs",
+ "function": {
+ "app_name": "test-function",
+ "category": "Function.hello",
+ "event_id": 1,
+ "event_name": "FunctionStarted",
+ "host_instance_id": "bb84c437-4c26-4d0b-a06d-7fc2f16976e3",
+ "host_version": "4.19.2.2",
+ "invocation_id": "d878e365-b3d6-4796-9292-7500acd0c677",
+ "level": "Information",
+ "level_id": 2,
+ "message": "Executing Functions.hello (Reason=This function was programmatically called via the host APIs., Id=d878e365-b3d6-4796-9292-7500acd0c677)",
+ "name": "Functions.hello",
+ "process_id": 67,
+ "role_instance": "54108609-638204200593759681"
+ },
+ "operation_name": "Microsoft.Web/sites/functions/log",
+ "resource": {
+ "group": "TEST-RG",
+ "id": "/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION",
+ "name": "TEST-FUNCTION",
+ "provider": "MICROSOFT.WEB/SITES"
+ },
+ "subscription_id": "12CABCB4-86E8-404F-A3D2-1DC9982F45CA"
+ },
+ "cloud": {
+ "account": {
+ "id": "12CABCB4-86E8-404F-A3D2-1DC9982F45CA"
+ },
+ "provider": "azure"
+ },
+ "ecs": {
+ "version": "8.8.0"
+ },
+ "event": {
+ "original": "{\"time\":\"2023-05-23T20:11:59Z\",\"resourceId\":\"/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION\",\"category\":\"FunctionAppLogs\",\"operationName\":\"Microsoft.Web/sites/functions/log\",\"level\":\"Informational\",\"location\":\"East US\",\"properties\":{\"appName\":\"test-function\",\"roleInstance\":\"54108609-638204200593759681\",\"message\":\"Executing Functions.hello (Reason=This function was programmatically called via the host APIs., Id=d878e365-b3d6-4796-9292-7500acd0c677)\",\"category\":\"Function.hello\",\"hostVersion\":\"4.19.2.2\",\"functionInvocationId\":\"d878e365-b3d6-4796-9292-7500acd0c677\",\"functionName\":\"Functions.hello\",\"hostInstanceId\":\"bb84c437-4c26-4d0b-a06d-7fc2f16976e3\",\"level\":\"Information\",\"levelId\":2,\"processId\":67,\"eventId\":1,\"eventName\":\"FunctionStarted\"}}"
+ },
+ "observer": {
+ "product": "Azure Functions",
+ "type": "functions",
+ "vendor": "Azure"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-common-config.yml b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/azure_functions/data_stream/functionapplogs/agent/stream/azure-eventhub.yml.hbs b/packages/azure_functions/data_stream/functionapplogs/agent/stream/azure-eventhub.yml.hbs
new file mode 100644
index 00000000000..c19cad5fd98
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/agent/stream/azure-eventhub.yml.hbs
@@ -0,0 +1,46 @@
+{{#if connection_string}}
+connection_string: {{connection_string}}
+{{/if}}
+{{#if storage_account_container }}
+storage_account_container: {{storage_account_container}}
+{{else}}
+{{#if eventhub}}
+storage_account_container: filebeat-functionlogs-{{eventhub}}
+{{/if}}
+{{/if}}
+{{#if eventhub}}
+eventhub: {{eventhub}}
+{{/if}}
+{{#if consumer_group}}
+consumer_group: {{consumer_group}}
+{{/if}}
+{{#if storage_account}}
+storage_account: {{storage_account}}
+{{/if}}
+{{#if storage_account_key}}
+storage_account_key: {{storage_account_key}}
+{{/if}}
+{{#if resource_manager_endpoint}}
+resource_manager_endpoint: {{resource_manager_endpoint}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+sanitize_options:
+{{#if sanitize_singlequotes}}
+ - SINGLE_QUOTES
+{{/if}}
+{{#if sanitize_newlines}}
+ - NEW_LINES
+{{/if}}
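Review bot: The generated checkpoint container name `filebeat-functionlogs-{{eventhub}}` on the `storage_account_container` fallback is built from the raw event hub name, and Azure blob container names only allow lowercase letters, digits and hyphens (3–63 characters), so an event hub named with uppercase letters, `.` or `_` would yield an invalid container name and the input would fail at checkpoint setup; I cannot see a lowercase helper in this template language, so the constraint should at least be stated in the manifest's `eventhub` description, e.g. `Use lowercase letters, digits and hyphens only, as the name is also used to derive the default checkpoint container.` Secondary: the scalar values are interpolated unquoted (`connection_string: {{connection_string}}`, `storage_account_key: {{storage_account_key}}`), which is fine for the documented `Key=Value;` grammar of these secrets but breaks the rendered YAML if a value ever contains `: ` or ` #`; quoting them is the defensive form if the surrounding azure templates already do so. The trailing space in `{{#if storage_account_container }}` is a style nit.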
diff --git a/packages/azure_functions/data_stream/functionapplogs/agent/stream/stream.yml.hbs b/packages/azure_functions/data_stream/functionapplogs/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..d0bec8af049
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/agent/stream/stream.yml.hbs
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
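Review bot: This `stream.yml.hbs` appears to be dead: the data stream manifest added in this commit declares a single stream with `input: "azure-eventhub"` and `template_path: "azure-eventhub.yml.hbs"`, and no stream provides the `paths` variable this template iterates over. Either add a `logfile` stream entry (with a `paths` var) to the manifest so the template is reachable, or drop the file so nobody assumes local-file collection is supported. The file also lacks a trailing newline.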
diff --git a/packages/azure_functions/data_stream/functionapplogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml b/packages/azure_functions/data_stream/functionapplogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml
new file mode 100644
index 00000000000..4aedfe2d61d
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml
@@ -0,0 +1,33 @@
+---
+description: Pipeline for parsing Azure shared log fields.
+processors:
+ - set:
+ field: cloud.provider
+ value: azure
+ - grok:
+ field: azure.resource_id
+ if: 'ctx.azure?.subscription_id == null'
+ patterns:
+ - (?i)/subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name}
+ pattern_definitions:
+ SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}
+ GROUPID: .+
+ PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+/([A-Za-z])\w+.
+ NAME: .+$
+ ignore_failure: false
+ - rename:
+ field: azure.resource_id
+ target_field: azure.resource.id
+ ignore_missing: true
+ - lowercase:
+ field: event.outcome
+ ignore_missing: true
+ - set:
+ field: cloud.account.id
+ copy_from: azure.subscription_id
+ ignore_empty_value: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+
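Review bot: The `grok` on `azure.resource_id` runs whenever `azure.subscription_id` is null but has no `ignore_missing`, so a document that reaches this pipeline without `azure.resource_id` (for example one where the caller's `json` processor already failed and set `error.message`) throws, lands in `on_failure`, and the `set` there overwrites the earlier `error.message` rather than appending to it. Guard the field in the condition, `if: 'ctx.azure?.resource_id != null && ctx.azure?.subscription_id == null'`, or add `ignore_missing: true` to the processor. For consistency with the calling pipeline, the `on_failure` handler should use `append` instead of `set` so no prior error text is lost.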
diff --git a/packages/azure_functions/data_stream/functionapplogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure_functions/data_stream/functionapplogs/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..7f03f972f1e
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,157 @@
+---
+description: Pipeline for processing Azure Function logs.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.8.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: 'ctx.event?.original == null'
+ description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.'
+ - remove:
+ field: message
+ ignore_missing: true
+ if: 'ctx.event?.original != null'
+ description: 'The `message` field is no longer required if the document has an `event.original` field.'
+
+ # Converts the JSON string in the event.original field into a structured JSON object
+ - json:
+ field: event.original
+ target_field: json
+ on_failure:
+ - set:
+ field: error.message
+ value: 'Received invalid JSON from the Azure Function service. Unable to parse the source log message'
+ ignore_failure: true
+ - date:
+ field: json.time
+ target_field: '@timestamp'
+ ignore_failure: true
+ formats:
+ - ISO8601
+ if: ctx.json?.time != null
+ - rename:
+ field: json.category
+ target_field: azure.category
+ ignore_missing: true
+ - rename:
+ field: json.resourceId
+ target_field: azure.resource_id
+ ignore_missing: true
+ - rename:
+ field: json.operationName
+ target_field: azure.operation_name
+ ignore_missing: true
+ - rename:
+ field: json.properties.level
+ target_field: azure.function.level
+ ignore_missing: true
+ - rename:
+ field: json.properties.levelId
+ target_field: azure.function.level_id
+ ignore_missing: true
+ - rename:
+ field: json.properties.appName
+ target_field: azure.function.app_name
+ ignore_missing: true
+ - rename:
+ field: json.properties.category
+ target_field: azure.function.category
+ ignore_missing: true
+ - rename:
+ field: json.properties.roleInstance
+ target_field: azure.function.role_instance
+ ignore_missing: true
+ - rename:
+ field: json.properties.hostVersion
+ target_field: azure.function.host_version
+ ignore_missing: true
+ - rename:
+ field: json.properties.functionInvocationId
+ target_field: azure.function.invocation_id
+ ignore_missing: true
+ - rename:
+ field: json.properties.functionName
+ target_field: azure.function.name
+ ignore_missing: true
+ - rename:
+ field: json.properties.hostInstanceId
+ target_field: azure.function.host_instance_id
+ ignore_missing: true
+ - rename:
+ field: json.properties.processId
+ target_field: azure.function.process_id
+ ignore_missing: true
+ - rename:
+ field: json.properties.eventName
+ target_field: azure.function.event_name
+ ignore_missing: true
+ - rename:
+ field: json.properties.eventId
+ target_field: azure.function.event_id
+ ignore_missing: true
+ - rename:
+ field: json.properties.message
+ target_field: azure.function.message
+ ignore_missing: true
+ - set:
+ field: observer.type
+ value: functions
+ - set:
+ field: observer.vendor
+ value: Azure
+ - set:
+ field: observer.product
+ value: "Azure Functions"
+ - rename:
+ field: json.properties.exceptionDetails
+ target_field: azure.function.exception_details
+ ignore_missing: true
+ - rename:
+ field: json.properties.exceptionMessage
+ target_field: azure.function.exception_message
+ ignore_missing: true
+ - rename:
+ field: json.properties.exceptionType
+ target_field: azure.function.exception_type
+ ignore_missing: true
+ - remove:
+ field:
+ - json
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "azure-shared-pipeline" }}'
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"
+ - remove:
+ field:
+ - json
+ - _conf
+ - message
+ ignore_missing: true
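Review bot: `error.message`, `error.type` and `error.stack_trace` are declared for this data stream in `fields/ecs.yml` (this commit), but the pipeline only renames the exception fields into `azure.function.exception_*` and never populates the ECS `error.*` fields, so cross-source detection and dashboards keyed on `error.type` will not see Function failures. After the three exception renames I would copy the type and details across as shown below (`ignore_empty_value` keeps non-error events untouched). The `on_failure` handler here also diverges from the metrics pipeline added in the same commit, which sets `event.kind: pipeline_error`; adding the same `- set: field: event.kind, value: pipeline_error` makes pipeline failures filterable uniformly. Lastly, the raw fixture carries `"location":"East US"` in the JSON, and the `remove: json` processor discards it unmapped; it looks like a natural `cloud.region` value, but confirm against the Azure schema before mapping.

```yaml
  # … unchanged: rename of json.properties.exceptionType → azure.function.exception_type …
  - set:
      field: error.type
      copy_from: azure.function.exception_type
      ignore_empty_value: true
  - set:
      field: error.stack_trace
      copy_from: azure.function.exception_details
      ignore_empty_value: true
  # … unchanged: remove json, shared pipeline, event.original handling, drop-empty script …
```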
diff --git a/packages/azure_functions/data_stream/functionapplogs/fields/base-fields.yml b/packages/azure_functions/data_stream/functionapplogs/fields/base-fields.yml
new file mode 100644
index 00000000000..a9a65458fc5
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/fields/base-fields.yml
@@ -0,0 +1,21 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/azure_functions/data_stream/functionapplogs/fields/ecs.yml b/packages/azure_functions/data_stream/functionapplogs/fields/ecs.yml
new file mode 100644
index 00000000000..aace162dae1
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/fields/ecs.yml
@@ -0,0 +1,40 @@
+- name: cloud.account.id
+ external: ecs
+- name: cloud.provider
+ external: ecs
+- name: ecs.version
+ external: ecs
+- name: observer.product
+ external: ecs
+- name: observer.type
+ external: ecs
+- name: observer.vendor
+ external: ecs
+- name: observer.name
+ external: ecs
+- name: tags
+ external: ecs
+- name: message
+ external: ecs
+- name: event.id
+ external: ecs
+- name: event.duration
+ external: ecs
+- name: event.original
+ external: ecs
+- name: event.type
+ external: ecs
+- name: event.action
+ external: ecs
+- name: event.kind
+ external: ecs
+- name: event.category
+ external: ecs
+- name: event.code
+ external: ecs
+- name: error.message
+ external: ecs
+- name: error.stack_trace
+ external: ecs
+- name: error.type
+ external: ecs
diff --git a/packages/azure_functions/data_stream/functionapplogs/fields/fields.yml b/packages/azure_functions/data_stream/functionapplogs/fields/fields.yml
new file mode 100644
index 00000000000..4aa70058c4f
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/fields/fields.yml
@@ -0,0 +1,60 @@
+- name: azure
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The log category name.
+ - name: operation_name
+ type: keyword
+ description: The operation name.
+ - name: function
+ type: group
+ fields:
+ - name: app_name
+ type: keyword
+ description: The Function application name.
+ - name: category
+ type: keyword
+ description: The category of the operation.
+ - name: role_instance
+ type: keyword
+ description: The role instance ID.
+ - name: name
+ type: keyword
+ description: The name of the function that logged the message.
+ - name: message
+ type: keyword
+ description: The log message.
+ - name: host_version
+ type: keyword
+ description: The Functions host version.
+ - name: invocation_id
+ type: keyword
+ description: The invocation ID that logged the message.
+ - name: host_instance_id
+ type: keyword
+ description: The host instance ID.
+ - name: process_id
+ type: long
+ description: The process ID.
+ - name: event_id
+ type: long
+ description: The event ID.
+ - name: event_name
+ type: keyword
+ description: The event name.
+ - name: exception_details
+ type: match_only_text
+ description: The exception details. This includes the exception type, message, and stack trace.
+ - name: exception_message
+ type: match_only_text
+ description: The exception message.
+ - name: exception_type
+ type: keyword
+ description: The exception type.
+ - name: level
+ type: keyword
+ description: The log level. Valid values are Trace, Debug, Information, Warning, Error, or Critical.
+ - name: level_id
+ type: long
+ description: The integer value of the log level. Valid values are 0 (Trace), 1 (Debug), 2 (Information), 3 (Warning), 4 (Error), or 5 (Critical).
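Review bot: `azure.function.message` is mapped as `keyword` with no `ignore_above`, while the fixture in this commit shows that Function log messages can be long free text (the exception-bearing event in the other expected file runs to several kilobytes); a single keyword term above Lucene's 32766-byte limit makes Elasticsearch reject the whole document, so an oversized log line silently disappears from the data stream. Map it like the other free-text fields in this file, `type: match_only_text`, or keep `keyword` and add `ignore_above: 1024` if exact-match filtering on the message is required. The `level` description could also state that `level_id` is the numeric form of the same value so readers know the two fields are redundant by design.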
diff --git a/packages/azure_functions/data_stream/functionapplogs/fields/package-fields.yml b/packages/azure_functions/data_stream/functionapplogs/fields/package-fields.yml
new file mode 100644
index 00000000000..6d9f4ccb2a7
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/fields/package-fields.yml
@@ -0,0 +1,30 @@
+- name: azure
+ type: group
+ fields:
+ - name: subscription_id
+ type: keyword
+ description: |
+ Azure subscription ID
+ - name: tenant_id
+ type: keyword
+ description: |
+ tenant ID
+ - name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Resource ID
+ - name: group
+ type: keyword
+ description: |
+ Azure Resource group
+ - name: name
+ type: keyword
+ description: |
+ Name
+ - name: provider
+ type: keyword
+ description: |
+ Resource type/namespace
diff --git a/packages/azure_functions/data_stream/functionapplogs/manifest.yml b/packages/azure_functions/data_stream/functionapplogs/manifest.yml
new file mode 100644
index 00000000000..757eec822bd
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/manifest.yml
@@ -0,0 +1,98 @@
+title: Collect Azure Functions logs
+type: logs
+streams:
+ - input: "azure-eventhub"
+ enabled: false
+ template_path: "azure-eventhub.yml.hbs"
+ title: Azure Functions logs
+ description: Collect Azure Functions logs using azure-eventhub input
+ vars:
+ - name: eventhub
+ type: text
+ title: Event Hub
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ Elastic recommends using one event hub for each integration. Visit [Create an event hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use event hub names up to 30 characters long to avoid compatibility issues.
+ - name: consumer_group
+ type: text
+ title: Consumer Group
+ multi: false
+ required: true
+ show_user: true
+ default: $Default
+ - name: connection_string
+ type: password
+ title: Connection String
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ The connection string required to communicate with Event Hubs. See [Get an Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.
+ - name: storage_account
+ type: text
+ title: Storage Account
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ The name of the storage account where the consumer group's state/offsets will be stored and updated.
+ - name: storage_account_key
+ type: password
+ title: Storage Account Key
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ The storage account key, this key will be used to authorize access to data in your storage account.
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: storage_account_container
+ type: text
+ title: Storage Account Container
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.
+
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - azure-functions
+ - forwarded
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
+ - name: sanitize_newlines
+ title: Sanitize New Lines
+ description: Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.
+ type: bool
+ show_user: false
+ multi: false
+ required: false
+ default: false
+ - name: sanitize_singlequotes
+ title: Sanitize Single Quotes
+ description: Replaces single quotes with double quotes (single quotes inside double quotes are omitted) in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.
+ type: bool
+ show_user: false
+ multi: false
+ required: false
+ default: true
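Review bot: The `storage_account_container` description says "The integration generates a default container name if not specified" but does not say what it is; since the template derives `filebeat-functionlogs-<eventhub>` from the event hub name, operators who pre-create the container and scope the storage account key to it need that name spelled out, e.g. `Defaults to filebeat-functionlogs-<eventhub>; the event hub name must therefore satisfy Azure container naming rules.` `consumer_group` is the only required user-facing variable without a `description`; a one-liner such as `The Event Hubs consumer group this integration reads from; dedicate one per integration.` would match the others. `sanitize_singlequotes` defaults to `true`, which rewrites every single quote in the raw payload before parsing and therefore alters `event.original`; that matches the sibling Azure integrations as far as I can tell, but the description should say that the preserved original is the sanitized text, not the bytes received.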
diff --git a/packages/azure_functions/data_stream/functionapplogs/sample_event.json b/packages/azure_functions/data_stream/functionapplogs/sample_event.json
new file mode 100644
index 00000000000..ee4b4de8c87
--- /dev/null
+++ b/packages/azure_functions/data_stream/functionapplogs/sample_event.json
@@ -0,0 +1,48 @@
+{
+ "@timestamp": "2023-05-23T20:11:59.000Z",
+ "azure": {
+ "category": "FunctionAppLogs",
+ "function": {
+ "app_name": "test-function",
+ "category": "Function.hello",
+ "event_name": "FunctionStarted",
+ "invocation_id": "d878e365-b3d6-4796-9292-7500acd0c677",
+ "name": "Functions.hello",
+ "host_instance_id": "bb84c437-4c26-4d0b-a06d-7fc2f16976e3",
+ "host_version": "4.19.2.2",
+ "level": "Information",
+ "level_id": 2,
+ "message": "Executing Functions.hello (Reason=This function was programmatically called via the host APIs., Id=d878e365-b3d6-4796-9292-7500acd0c677)",
+ "process_id": 67,
+ "role_instance": "54108609-638204200593759681"
+ },
+ "operation_name": "Microsoft.Web/sites/functions/log",
+ "resource": {
+ "group": "TEST-RG",
+ "id": "/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION",
+ "name": "TEST-FUNCTION",
+ "provider": "MICROSOFT.WEB/SITES"
+ },
+ "subscription_id": "12CABCB4-86E8-404F-A3D2-1DC9982F45CA"
+ },
+ "cloud": {
+ "account": {
+ "id": "12CABCB4-86E8-404F-A3D2-1DC9982F45CA"
+ },
+ "provider": "azure"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "event": {
+ "original": "{\"time\":\"2023-05-23T20:11:59Z\",\"resourceId\":\"/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION\",\"category\":\"FunctionAppLogs\",\"operationName\":\"Microsoft.Web/sites/functions/log\",\"level\":\"Informational\",\"location\":\"East US\",\"properties\":{\"appName\":\"test-function\",\"roleInstance\":\"54108609-638204200593759681\",\"message\":\"Executing Functions.hello (Reason=This function was programmatically called via the host APIs., Id=d878e365-b3d6-4796-9292-7500acd0c677)\",\"category\":\"Function.hello\",\"hostVersion\":\"4.19.2.2\",\"functionInvocationId\":\"d878e365-b3d6-4796-9292-7500acd0c677\",\"functionName\":\"Functions.hello\",\"hostInstanceId\":\"bb84c437-4c26-4d0b-a06d-7fc2f16976e3\",\"level\":\"Information\",\"levelId\":2,\"processId\":67,\"eventId\":1,\"eventName\":\"FunctionStarted\"}}"
+ },
+ "observer": {
+ "product": "Azure Functions",
+ "type": "functions",
+ "vendor": "Azure"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+}
\ No newline at end of file
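Review bot: `sample_event.json` is already stale in the same commit that adds it: its `ecs.version` is `"8.7.0"`, whereas the ingest pipeline sets `'8.8.0'` and the expected pipeline test output for the identical raw log records `"8.8.0"`. Regenerate the sample event from the current pipeline so the documented event matches what the data stream actually emits. The file also lacks a trailing newline.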
diff --git a/packages/azure_functions/data_stream/metrics/agent/stream/stream.yml.hbs b/packages/azure_functions/data_stream/metrics/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..00b15b7c114
--- /dev/null
+++ b/packages/azure_functions/data_stream/metrics/agent/stream/stream.yml.hbs
@@ -0,0 +1,70 @@
+metricsets: ["monitor"]
+default_resource_type: "Microsoft.Web/sites"
+add_cloud_metadata: true
+period: {{period}}
+{{#if client_id}}
+client_id: {{client_id}}
+{{/if}}
+{{#if client_secret}}
+client_secret: {{client_secret}}
+{{/if}}
+{{#if tenant_id}}
+tenant_id: {{tenant_id}}
+{{/if}}
+{{#if subscription_id}}
+subscription_id: {{subscription_id}}
+{{/if}}
+{{#if refresh_list_interval}}
+refresh_list_interval: {{refresh_list_interval}}
+{{/if}}
+{{#if resource_manager_endpoint}}
+resource_manager_endpoint: {{resource_manager_endpoint}}
+{{/if}}
+{{#if active_directory_endpoint}}
+active_directory_endpoint: {{active_directory_endpoint}}
+{{/if}}
+
+resources:
+{{#if resource_groups}}
+{{#each resource_groups}}
+ - resource_group: "{{this}}"
+ resource_type: "Microsoft.Web/sites"
+ metrics:
+ - name: ["FunctionExecutionCount", "FunctionExecutionUnits", "AppConnections", "AverageMemoryWorkingSet", "BytesReceived", "BytesSent", "CurrentAssemblies", "Gen0Collections", "Gen1Collections", "Gen2Collections", "Handles", "HealthCheckStatus", "Http2xx", "Http3xx", "Http4xx", "Http5xx", "HttpResponseTime", "IoOtherBytesPerSecond", "IoOtherOperationsPerSecond", "IoReadBytesPerSecond", "IoReadOperationsPerSecond", "IoWriteBytesPerSecond", "IoWriteOperationsPerSecond", "MemoryWorkingSet", "Requests", "RequestsInApplicationQueue", "Threads", "TotalAppDomains", "TotalAppDomainsUnloaded"]
+ namespace: "Microsoft.Web/sites"
+ timegrain: "PT5M"
+ ignore_unsupported: true
+ - name: ["FileSystemUsage"]
+ namespace: "Microsoft.Web/sites"
+ timegrain: "PT6H"
+ ignore_unsupported: true
+{{/each}}
+{{/if}}
+{{#if resource_ids}}
+{{#each resource_ids}}
+ - resource_id: "{{this}}"
+ metrics:
+ - name: ["FunctionExecutionCount", "FunctionExecutionUnits", "AppConnections", "AverageMemoryWorkingSet", "BytesReceived", "BytesSent", "CurrentAssemblies", "Gen0Collections", "Gen1Collections", "Gen2Collections", "Handles", "HealthCheckStatus", "Http2xx", "Http3xx", "Http4xx", "Http5xx", "HttpResponseTime", "IoOtherBytesPerSecond", "IoOtherOperationsPerSecond", "IoReadBytesPerSecond", "IoReadOperationsPerSecond", "IoWriteBytesPerSecond", "IoWriteOperationsPerSecond", "MemoryWorkingSet", "Requests", "RequestsInApplicationQueue", "Threads", "TotalAppDomains", "TotalAppDomainsUnloaded"]
+ namespace: "Microsoft.Web/sites"
+ timegrain: "PT5M"
+ ignore_unsupported: true
+ - name: ["FileSystemUsage"]
+ namespace: "Microsoft.Web/sites"
+ timegrain: "PT6H"
+ ignore_unsupported: true
+{{/each}}
+{{/if}}
+{{#unless resource_ids }}
+ {{#unless resource_groups }}
+ - resource_query: "resourceType eq 'Microsoft.Web/sites'"
+ metrics:
+ - name: ["FunctionExecutionCount", "FunctionExecutionUnits", "AppConnections", "AverageMemoryWorkingSet", "BytesReceived", "BytesSent", "CurrentAssemblies", "Gen0Collections", "Gen1Collections", "Gen2Collections", "Handles", "HealthCheckStatus", "Http2xx", "Http3xx", "Http4xx", "Http5xx", "HttpResponseTime", "IoOtherBytesPerSecond", "IoOtherOperationsPerSecond", "IoReadBytesPerSecond", "IoReadOperationsPerSecond", "IoWriteBytesPerSecond", "IoWriteOperationsPerSecond", "MemoryWorkingSet", "Requests", "RequestsInApplicationQueue", "Threads", "TotalAppDomains", "TotalAppDomainsUnloaded"]
+ namespace: "Microsoft.Web/sites"
+ timegrain: "PT5M"
+ ignore_unsupported: true
+ - name: ["FileSystemUsage"]
+ namespace: "Microsoft.Web/sites"
+ timegrain: "PT6H"
+ ignore_unsupported: true
+ {{/unless}}
+{{/unless}}
\ No newline at end of file
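Review bot: The 29-entry metric name list is repeated verbatim three times (once per `resource_group`, `resource_id` and `resource_query` branch), so any future addition or removal has to be made in three places and a partial edit would silently make the branches collect different metrics; I am not aware of a partials mechanism in this template language, so at minimum a leading `{{!-- Keep the three metric lists below identical; the branches differ only in how resources are selected --}}` comment should flag the coupling. The fallback `resource_query: "resourceType eq 'Microsoft.Web/sites'"` also selects every App Service site in the subscription, not only Function Apps, and the metrics fields file in this commit marks `FunctionExecutionCount` as "For FunctionApps only", so `ignore_unsupported: true` is what keeps non-function sites from erroring; that cost and noise trade-off is worth documenting where the `resource_groups`/`resource_ids` variables are described so operators scope collection deliberately.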
diff --git a/packages/azure_functions/data_stream/metrics/elasticsearch/ingest_pipeline/default.yml b/packages/azure_functions/data_stream/metrics/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..5a83050ef5c
--- /dev/null
+++ b/packages/azure_functions/data_stream/metrics/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,17 @@
+---
+description: Pipeline for parsing Azure Functions metrics.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.8.0'
+ - rename:
+ field: azure.monitor
+ target_field: azure.functions
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/azure_functions/data_stream/metrics/fields/agent.yml b/packages/azure_functions/data_stream/metrics/fields/agent.yml
new file mode 100644
index 00000000000..2db0bb802e6
--- /dev/null
+++ b/packages/azure_functions/data_stream/metrics/fields/agent.yml
@@ -0,0 +1,183 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/azure_functions/data_stream/metrics/fields/base-fields.yml b/packages/azure_functions/data_stream/metrics/fields/base-fields.yml
new file mode 100644
index 00000000000..a9a65458fc5
--- /dev/null
+++ b/packages/azure_functions/data_stream/metrics/fields/base-fields.yml
@@ -0,0 +1,21 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/azure_functions/data_stream/metrics/fields/ecs.yml b/packages/azure_functions/data_stream/metrics/fields/ecs.yml
new file mode 100644
index 00000000000..d4e75a6085c
--- /dev/null
+++ b/packages/azure_functions/data_stream/metrics/fields/ecs.yml
@@ -0,0 +1,16 @@
+- name: ecs.version
+ external: ecs
+- name: service.address
+ external: ecs
+- name: service.type
+ external: ecs
+- name: container.id
+ external: ecs
+- name: container.name
+ external: ecs
+- name: container.runtime
+ external: ecs
+- name: container.image.name
+ external: ecs
+- name: host
+ external: ecs
diff --git a/packages/azure_functions/data_stream/metrics/fields/fields.yml b/packages/azure_functions/data_stream/metrics/fields/fields.yml
new file mode 100644
index 00000000000..cf3551233a6
--- /dev/null
+++ b/packages/azure_functions/data_stream/metrics/fields/fields.yml
@@ -0,0 +1,134 @@
+- name: azure.functions
+ type: group
+ fields:
+ - name: function_execution_count.total
+ type: long
+ description: Function Execution Count. For FunctionApps only.
+ metric_type: counter
+ - name: function_execution_units.total
+ type: long
+ description: Function Execution Units. For FunctionApps only.
+ metric_type: counter
+ - name: average_memory_working_set.avg
+ type: long
+ description: The average amount of memory used by the app, in MiB. For WebApps and FunctionApps.
+ unit: byte
+ metric_type: gauge
+ - name: app_connections.avg
+ type: long
+ description: The number of bound sockets existing in the sandbox (w3wp.exe and its child processes). A bound socket is created by calling bind()/connect() APIs and remains until said socket is closed with CloseHandle()/closesocket(). For WebApps and FunctionApps..
+ metric_type: counter
+ - name: current_assemblies.avg
+ type: long
+ description: The current number of Assemblies loaded across all AppDomains in this application.
+ metric_type: gauge
+ - name: bytes_received.total
+ type: long
+ description: The amount of incoming bandwidth consumed by the app, in MiB.
+ unit: byte
+ metric_type: gauge
+ - name: bytes_sent.total
+ type: long
+ description: The amount of outgoing bandwidth consumed by the app, in MiB.
+ unit: byte
+ metric_type: gauge
+ - name: file_system_usage.avg
+ type: long
+ description: Percentage of filesystem quota consumed by the app.
+ unit: byte
+ metric_type: gauge
+ - name: gen_0_collections.total
+ type: long
+ description: The number of times the generation 0 objects are garbage collected since the start of the app process. Higher generation GCs include all lower generation GCs.
+ metric_type: counter
+ - name: gen_1_collections.total
+ type: long
+ description: The number of times the generation 1 objects are garbage collected since the start of the app process. Higher generation GCs include all lower generation GCs.
+ metric_type: counter
+ - name: gen_2_collections.total
+ type: long
+ description: The number of times the generation 2 objects are garbage collected since the start of the app process. Higher generation GCs include all lower generation GCs.
+ metric_type: counter
+ - name: handles.avg
+ type: long
+ description: The total number of handles currently open by the app process.
+ metric_type: counter
+ - name: health_check_status.avg
+ type: long
+ description: Health check status.
+ metric_type: gauge
+ - name: http2xx.total
+ type: long
+ description: The count of requests resulting in an HTTP status code >= 200 but < 300.
+ metric_type: counter
+ - name: http3xx.total
+ type: long
+ description: The count of requests resulting in an HTTP status code >= 300 but < 400.
+ metric_type: counter
+ - name: http4xx.total
+ type: long
+ description: The count of requests resulting in an HTTP status code >= 400 but < 500.
+ metric_type: counter
+ - name: http5xx.total
+ type: long
+ description: The count of requests resulting in an HTTP status code >= 500 but < 600.
+ metric_type: counter
+ - name: io_other_bytes_per_second.total
+ type: long
+ description: The rate at which the app process is issuing bytes to I/O operations that don't involve data, such as control operations. Shown as bytespersecond.
+ metric_type: gauge
+ - name: io_other_operations_per_second.total
+ type: long
+ description: The rate at which the app process is issuing I/O operations that aren't read or write operations. Shown as bytespersecond.
+ metric_type: gauge
+ - name: io_read_bytes_per_second.total
+ type: long
+ description: The rate at which the app process is reading bytes from I/O operations. Shown as bytespersecond.
+ metric_type: gauge
+ - name: io_read_operations_per_second.total
+ type: long
+ description: The rate at which the app process is issuing read I/O operations. Shown as bytespersecond.
+ metric_type: gauge
+ - name: io_write_bytes_per_second.total
+ type: long
+ description: The rate at which the app process is writing bytes to I/O operations. Shown as bytespersecond.
+ metric_type: gauge
+ - name: io_write_operations_per_second.total
+ type: long
+ description: The rate at which the app process is issuing write I/O operations. Shown as bytespersecond.
+ metric_type: gauge
+ - name: memory_working_set.avg
+ type: long
+ description: The current amount of memory used by the app, in MiB.
+ unit: byte
+ metric_type: gauge
+ - name: private_bytes.avg
+ type: long
+ description: Private Bytes is the current size, in bytes, of memory that the app process has allocated that can't be shared with other processes.
+ unit: byte
+ metric_type: gauge
+ - name: requests.total
+ type: long
+ description: The total number of requests regardless of their resulting HTTP status code.
+ metric_type: counter
+ - name: http_response_time.avg
+ type: long
+ description: The time taken for the app to serve requests, in seconds.
+ unit: s
+ metric_type: gauge
+ - name: requests_inapplication_queue.avg
+ type: long
+ description: The number of requests in the application request queue.
+ metric_type: counter
+ - name: threads.avg
+ type: long
+ description: The number of threads currently active in the app process.
+ metric_type: gauge
+ - name: total_app_domains.avg
+ type: long
+ description: The current number of AppDomains loaded in this application.
+ metric_type: gauge
+ - name: total_app_domains_unloaded.avg
+ type: long
+ description: The total number of AppDomains unloaded since the start of the application.
+ metric_type: gauge
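Review bot: `http_response_time.avg` is mapped as `type: long` while its description and `unit: s` say the value is in seconds, and the sample event for this data stream carries `0.02796875`; a long mapping coerces that to `0`, so every sub-second response time is lost at index time. Change the mapping to `type: double`, and consider the same for `average_memory_working_set.avg` and `memory_working_set.avg`, whose sample values also carry a fractional part. `file_system_usage.avg` is described as a percentage of quota but declares `unit: byte`; it should be `unit: percent`. The `.avg` fields `app_connections.avg`, `handles.avg` and `requests_inapplication_queue.avg` describe a current level rather than a monotonically increasing total, so `metric_type: gauge` looks more accurate than `counter` (the reverse may hold for `total_app_domains_unloaded.avg`, which is described as "since the start of the application"). The "in MiB" wording on `average_memory_working_set.avg` and the `bytes_*` descriptions disagrees with `unit: byte` and with the sample values, which appear to be raw bytes; I would drop "in MiB" or confirm the actual scale against Azure Monitor.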
diff --git a/packages/azure_functions/data_stream/metrics/fields/package-fields.yml b/packages/azure_functions/data_stream/metrics/fields/package-fields.yml
new file mode 100644
index 00000000000..e8e62b31885
--- /dev/null
+++ b/packages/azure_functions/data_stream/metrics/fields/package-fields.yml
@@ -0,0 +1,64 @@
+- name: azure
+ type: group
+ description: ""
+ fields:
+ - name: timegrain
+ type: keyword
+ description: >
+ The Azure metric timegrain
+
+ - name: resource
+ type: group
+ description: >
+ The resource specified
+
+ fields:
+ - name: type
+ type: keyword
+ description: >
+ The type of the resource
+
+ - name: name
+ type: keyword
+ description: >
+ The name of the resource
+
+ - name: id
+ type: keyword
+ description: >
+ The id of the resource
+
+ - name: group
+ type: keyword
+ description: >
+ The resource group
+
+ - name: tags.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: >
+ Azure resource tags.
+
+ - name: namespace
+ type: keyword
+ description: >
+ The namespace selected
+
+ - name: subscription_id
+ type: keyword
+ description: >
+ The subscription ID
+
+ - name: application_id
+ type: keyword
+ description: >
+ The application ID
+
+ - name: dimensions.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: >
+ Azure metric dimensions.
+
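Review bot: The top-level `azure` group has `description: ""`, which renders as an empty cell in the generated field tables; something like `description: Fields common to Azure Monitor metric documents` would document it. `tags.*` and `dimensions.*` are dynamic keyword objects whose keys come from user-defined Azure resource tags and metric dimensions (the sample event shows a tag key containing a space and a colon), so the key set is unbounded by the package; a one-line comment above each, such as `# keys are user-defined in Azure; the mapping grows with each distinct tag/dimension name`, would make that trade-off explicit for whoever tunes mapping limits.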
diff --git a/packages/azure_functions/data_stream/metrics/manifest.yml b/packages/azure_functions/data_stream/metrics/manifest.yml
new file mode 100644
index 00000000000..c3dd002f4ae
--- /dev/null
+++ b/packages/azure_functions/data_stream/metrics/manifest.yml
@@ -0,0 +1,59 @@
+type: metrics
+title: Azure Functions App Metrics
+dataset: azure.function
+streams:
+ - input: azure/metrics
+ title: Azure Functions App
+ description: Collect Azure Functions App metrics
+ enabled: false
+ vars:
+ - name: client_id
+ type: text
+ title: Client ID
+ multi: false
+ required: true
+ show_user: true
+ - name: client_secret
+ type: text
+ title: Client Secret
+ multi: false
+ required: true
+ show_user: true
+ - name: tenant_id
+ type: text
+ title: Tenant ID
+ multi: false
+ required: true
+ show_user: true
+ - name: subscription_id
+ type: text
+ title: Subscription ID
+ multi: false
+ required: true
+ show_user: true
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 300s
+ - name: resource_groups
+ type: text
+ title: Resource Groups
+ multi: true
+ required: false
+ show_user: true
+ - name: resource_ids
+ type: text
+ title: Resource IDs
+ multi: true
+ required: false
+ show_user: true
+ - name: refresh_list_interval
+ type: text
+ title: Refresh list interval
+ multi: false
+ required: false
+ show_user: true
+ default: 600s
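Review bot: `client_secret` is declared as `type: text`, so Kibana renders and stores it as an ordinary visible string; the package spec has `type: password` for credential variables, which masks the value in the policy editor, so the variable should read `type: password` (and carry the spec's secret flag if this package's format version supports it). The README for this package documents `Resource Manager Endpoint` and `Active Directory Endpoint` as advanced options, but neither appears among this stream's `vars`; if they are meant to be defined in the package-level manifest rather than here, that is fine, otherwise the sovereign-cloud setup the README describes cannot be configured. Both `resource_groups` and `resource_ids` are optional with no default, so it would help to state in the stream `description` what scope is collected when neither is set, e.g. `description: Collect Azure Functions App metrics (all Function Apps in the subscription unless resource groups or IDs are given)` — confirm the actual behaviour of the `azure/metrics` input before wording it.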
diff --git a/packages/azure_functions/data_stream/metrics/sample_event.json b/packages/azure_functions/data_stream/metrics/sample_event.json
new file mode 100644
index 00000000000..9e4f76f8bb9
--- /dev/null
+++ b/packages/azure_functions/data_stream/metrics/sample_event.json
@@ -0,0 +1,144 @@
+{
+ "agent": {
+ "name": "docker-fleet-agent",
+ "id": "ae16c4cf-2550-452a-860d-cef5e5182e94",
+ "type": "metricbeat",
+ "ephemeral_id": "7511408f-f109-4e34-a405-98ad479fc097",
+ "version": "8.7.1"
+ },
+ "@timestamp": "2023-08-23T12:20:00.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "namespace": "default",
+ "type": "metrics",
+ "dataset": "azure.function"
+ },
+ "service": {
+ "type": "azure"
+ },
+ "host": {
+ "hostname": "docker-fleet-agent",
+ "os": {
+ "kernel": "5.15.49-linuxkit",
+ "codename": "focal",
+ "name": "Ubuntu",
+ "family": "debian",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)",
+ "platform": "ubuntu"
+ },
+ "containerized": false,
+ "ip": [
+ "172.19.0.9"
+ ],
+ "name": "docker-fleet-agent",
+ "id": "fd2c4b0943e444508c12855a04d117c7",
+ "mac": [
+ "02-42-AC-13-00-09"
+ ],
+ "architecture": "x86_64"
+ },
+ "elastic_agent": {
+ "id": "ae16c4cf-2550-452a-860d-cef5e5182e94",
+ "version": "8.7.1",
+ "snapshot": false
+ },
+ "metricset": {
+ "period": 300000,
+ "name": "monitor"
+ },
+ "event": {
+ "duration": 42827917228,
+ "agent_id_status": "verified",
+ "ingested": "2023-08-23T12:25:34Z",
+ "module": "azure",
+ "dataset": "azure.function"
+ },
+ "azure": {
+ "subscription_id": "12hjkls-78tyu-404f-a3d2-1dc9982f45ds",
+ "timegrain": "PT5M",
+ "functions": {
+ "handles": {
+ "avg": 0
+ },
+ "app_connections": {
+ "avg": 0
+ },
+ "total_app_domains": {
+ "avg": 0
+ },
+ "http_response_time": {
+ "avg": 0.02796875
+ },
+ "bytes_received": {
+ "total": 28804
+ },
+ "average_memory_working_set": {
+ "avg": 328533059.5
+ },
+ "requests": {
+ "total": 32
+ },
+ "bytes_sent": {
+ "total": 8192
+ },
+ "requests_inapplication_queue": {
+ "avg": 0
+ },
+ "memory_working_set": {
+ "avg": 328533059.5
+ },
+ "io_write_bytes_per_second": {
+ "total": 0
+ },
+ "io_other_bytes_per_second": {
+ "total": 0
+ },
+ "total_app_domains_unloaded": {
+ "avg": 0
+ },
+ "io_other_operations_per_second": {
+ "total": 0
+ },
+ "io_read_bytes_per_second": {
+ "total": 31879
+ },
+ "function_execution_units": {
+ "total": 0
+ },
+ "io_read_operations_per_second": {
+ "total": 0
+ },
+ "http2xx": {
+ "total": 16
+ },
+ "http3xx": {
+ "total": 0
+ },
+ "http4xx": {
+ "total": 0
+ },
+ "io_write_operations_per_second": {
+ "total": 0
+ },
+ "function_execution_count": {
+ "total": 0
+ },
+ "http5xx": {
+ "total": 16
+ }
+ },
+ "resource": {
+ "name": "return-of-the-jedi",
+ "id": "/subscriptions/12hjkls-78tyu-404f-a3d2-1dc9982f45ds/resourceGroups/test-rg/providers/Microsoft.Web/sites/return-of-the-jedi",
+ "type": "Microsoft.Web/sites",
+ "group": "test-rg",
+ "tags": {
+ "hidden-link: /app-insights-resource-id": "/subscriptions/12hjkls-78tyu-404f-a3d2-1dc9982f45ds/resourceGroups/test-rg/providers/Microsoft.Insights/components/return-of-the-jedi"
+ }
+ },
+ "namespace": "Microsoft.Web/sites"
+ }
+}
\ No newline at end of file
diff --git a/packages/azure_functions/docs/README.md b/packages/azure_functions/docs/README.md
new file mode 100644
index 00000000000..4b98112820e
--- /dev/null
+++ b/packages/azure_functions/docs/README.md
@@ -0,0 +1,545 @@
+# Azure Functions
+
+The Azure Functions integration allows you to monitor Azure Functions. Azure Functions is an event-driven, serverless compute platform that helps you develop more efficiently using the programming language of your choice. Triggers cause a function to run. A trigger defines how a function is invoked and a function must have exactly one trigger.
+
+Use this integration to build web APIs, respond to database changes, process IoT streams, manage message queues, and more. Refer common [Azure Functions scenarios](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scenarios?pivots=programming-language-csharp) for more information.
+
+
+## Data streams
+The Azure Functions integration contains two data streams: [Function App Logs](#logs) and [Metrics](#metrics)
+
+### Logs
+
+Supported log categories:
+
+| Log Category | Description |
+|:----------------------------:|:------------------------------------------------------------------------------------------------------------------------------------:|
+| Functionapplogs | Function app logs. |
+
+
+#### Requirements and setup
+
+Refer to the [Azure Logs](https://docs.elastic.co/integrations/azure) page for more information about setting up and using this integration.
+
+#### Configuration options
+`eventhub` :
+ _string_
+An Event Hub is a fully managed, real-time data ingestion service. Elastic recommends using only letters, numbers, and the hyphen (-) character for Event Hub names to maximize compatibility. You can use existing Event Hubs having underscores (_) in the Event Hub name; in this case, the integration will replace underscores with hyphens (-) when it uses the Event Hub name to create dependent Azure resources behind the scenes (e.g., the storage account container to store Event Hub consumer offsets). Elastic also recommends using a separate event hub for each log type as the field mappings of each log type differ.
+Default value `insights-operational-logs`.
+
+`consumer_group` :
+_string_
+ The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets.
+Default value: `$Default`
+
+`connection_string` :
+_string_
+The connection string is required to communicate with Event Hubs, see steps [here](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string).
+
+A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the Azure logs package it can start back up at the spot that it stopped processing messages.
+
+`storage_account` :
+_string_
+The name of the storage account where the state/offsets will be stored and updated.
+
+`storage_account_key` :
+_string_
+The storage account key, this key will be used to authorize access to data in your storage account.
+
+`storage_account_container` :
+_string_
+The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.
+
+`resource_manager_endpoint` :
+_string_
+Optional, by default we are using the Azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different Azure environment.
+
+Resource manager endpoints:
+
+```text
+# Azure ChinaCloud
+https://management.chinacloudapi.cn/
+
+# Azure GermanCloud
+https://management.microsoftazure.de/
+
+# Azure PublicCloud
+https://management.azure.com/
+
+# Azure USGovernmentCloud
+https://management.usgovcloudapi.net/
+```
+
+An example event for `functionapplogs` looks as following:
+
+```json
+{
+ "@timestamp": "2023-05-23T20:11:59.000Z",
+ "azure": {
+ "category": "FunctionAppLogs",
+ "function": {
+ "app_name": "test-function",
+ "category": "Function.hello",
+ "event_name": "FunctionStarted",
+ "invocation_id": "d878e365-b3d6-4796-9292-7500acd0c677",
+ "name": "Functions.hello",
+ "host_instance_id": "bb84c437-4c26-4d0b-a06d-7fc2f16976e3",
+ "host_version": "4.19.2.2",
+ "level": "Information",
+ "level_id": 2,
+ "message": "Executing Functions.hello (Reason=This function was programmatically called via the host APIs., Id=d878e365-b3d6-4796-9292-7500acd0c677)",
+ "process_id": 67,
+ "role_instance": "54108609-638204200593759681"
+ },
+ "operation_name": "Microsoft.Web/sites/functions/log",
+ "resource": {
+ "group": "TEST-RG",
+ "id": "/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION",
+ "name": "TEST-FUNCTION",
+ "provider": "MICROSOFT.WEB/SITES"
+ },
+ "subscription_id": "12CABCB4-86E8-404F-A3D2-1DC9982F45CA"
+ },
+ "cloud": {
+ "account": {
+ "id": "12CABCB4-86E8-404F-A3D2-1DC9982F45CA"
+ },
+ "provider": "azure"
+ },
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "event": {
+ "original": "{\"time\":\"2023-05-23T20:11:59Z\",\"resourceId\":\"/SUBSCRIPTIONS/12CABCB4-86E8-404F-A3D2-1DC9982F45CA/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.WEB/SITES/TEST-FUNCTION\",\"category\":\"FunctionAppLogs\",\"operationName\":\"Microsoft.Web/sites/functions/log\",\"level\":\"Informational\",\"location\":\"East US\",\"properties\":{\"appName\":\"test-function\",\"roleInstance\":\"54108609-638204200593759681\",\"message\":\"Executing Functions.hello (Reason=This function was programmatically called via the host APIs., Id=d878e365-b3d6-4796-9292-7500acd0c677)\",\"category\":\"Function.hello\",\"hostVersion\":\"4.19.2.2\",\"functionInvocationId\":\"d878e365-b3d6-4796-9292-7500acd0c677\",\"functionName\":\"Functions.hello\",\"hostInstanceId\":\"bb84c437-4c26-4d0b-a06d-7fc2f16976e3\",\"level\":\"Information\",\"levelId\":2,\"processId\":67,\"eventId\":1,\"eventName\":\"FunctionStarted\"}}"
+ },
+ "observer": {
+ "product": "Azure Functions",
+ "type": "functions",
+ "vendor": "Azure"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| azure.category | The log category name. | keyword |
+| azure.function.app_name | The Function application name. | keyword |
+| azure.function.category | The category of the operation. | keyword |
+| azure.function.event_id | The event ID. | long |
+| azure.function.event_name | The event name. | keyword |
+| azure.function.exception_details | The exception details. This includes the exception type, message, and stack trace. | match_only_text |
+| azure.function.exception_message | The exception message. | match_only_text |
+| azure.function.exception_type | The exception type. | keyword |
+| azure.function.host_instance_id | The host instance ID. | keyword |
+| azure.function.host_version | The Functions host version. | keyword |
+| azure.function.invocation_id | The invocation ID that logged the message. | keyword |
+| azure.function.level | The log level. Valid values are Trace, Debug, Information, Warning, Error, or Critical. | keyword |
+| azure.function.level_id | The integer value of the log level. Valid values are 0 (Trace), 1 (Debug), 2 (Information), 3 (Warning), 4 (Error), or 5 (Critical). | long |
+| azure.function.message | The log message. | keyword |
+| azure.function.name | The name of the function that logged the message. | keyword |
+| azure.function.process_id | The process ID. | long |
+| azure.function.role_instance | The role instance ID. | keyword |
+| azure.operation_name | The operation name. | keyword |
+| azure.resource.group | Azure Resource group | keyword |
+| azure.resource.id | Resource ID | keyword |
+| azure.resource.name | Name | keyword |
+| azure.resource.provider | Resource type/namespace | keyword |
+| azure.subscription_id | Azure subscription ID | keyword |
+| azure.tenant_id | tenant ID | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.id | Unique ID to describe the event. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+
+
+### Metrics
+**Metrics** give you insight into the performance of your Azure Function Apps. The integration includes an out-of-the-box dashboard for visualising the monitoring data generated by apps hosted in Azure Functions.
+
+#### Requirements
+
+To use this integration you will need:
+
+* **Azure App Registration**: You need to set up an Azure App Registration to allow the Agent to access the Azure APIs. The App Registration requires the Monitoring Reader role to access to be able to collect metrics from Function Apps. See more details in the Setup section.
+* **Elasticsearch and Kibana**: You need Elasticsearch to store and search your data and Kibana to visualize and manage it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, the [Native Azure Integration](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/elastic.elasticsearch?tab=Overview), or self-manage the Elastic Stack on your hardware.
+
+#### Setup
+
+
+```text
+ ┌────────────────────┐ ┌─────────┐ ┌─-─────────────────────┐
+ │ │ │ │ │ azure.functions │
+ │ Azure APIs │──────▶│ Agent │──────▶│ <> │
+ │ │ │ │ │ │
+ └────────────────────┘ └─────────┘ └───-───────────────────┘
+```
+
+Elastic Agent needs an App Registration to access Azure on your behalf to collect data using the Azure REST APIs. App Registrations are required to access Azure APIs programmatically.
+
+To start collecting data with this integration, you need to:
+
+* Set up a new Azure app registration by registering an app, adding credentials, and assigning an appropriate role.
+* Specify integration [settings](#main-options) in Kibana, which will determine how the integration will access the Azure APIs.
+
+#### Register a new app
+
+To create a new app registration:
+
+1. Sign in to the [Azure Portal](https://portal.azure.com/).
+2. Search for and select **Azure Active Directory**.
+3. Under **Manage**, select **App registrations** > **New registration**.
+4. Enter a display _Name_ for your application (for example, "elastic-agent").
+5. Specify who can use the application.
+6. Don't enter anything for _Redirect URI_. This is optional and the agent doesn't use it.
+7. Select **Register** to complete the initial app registration.
+
+Take note of the **Application (client) ID**, which you will use later when specifying the **Client ID** in the integration settings.
+
+#### Add credentials
+
+Credentials allow your application to access Azure APIs and authenticate itself, requiring no interaction from a user at runtime.
+
+This integration uses Client Secrets to prove its identity.
+
+1. In the [Azure Portal](https://portal.azure.com/), select the application you created in the previous section.
+2. Select **Certificates & secrets** > **Client secrets** > **New client secret**.
+3. Add a description (for example, "Elastic Agent client secrets").
+4. Select an expiration for the secret or specify a custom lifetime.
+5. Select **Add**.
+
+Take note of the content in the **Value** column in the **Client secrets** table, which you will use later when specifying a **Client Secret** in the integration settings. **This secret value is never displayed again after you leave this page.** Record the secret's value in a safe place.
+
+#### Assign role
+
+1. In the [Azure Portal](https://portal.azure.com/), search for and select **Subscriptions**.
+2. Select the subscription to assign the application.
+3. Select **Access control (IAM)**.
+4. Select **Add** > **Add role assignment** to open the _Add role assignment page_.
+5. In the **Role** tab, search and select the role **Monitoring Reader**.
+6. Select the **Next** button to move to the **Members** tab.
+7. Select **Assign access to** > **User, group, or service principal**, and select **Select members**. This page does not display Azure AD applications in the available options by default.
+8. To find your application, search by name (for example, "elastic-agent") and select it from the list.
+9. Click the **Select** button.
+10. Then click the **Review + assign** button.
+
+Take note of the following values, which you will use later when specifying settings.
+
+* `Subscription ID`: use the content of the "Subscription ID" you selected.
+* `Tenant ID`: use the "Tenant ID" from the Azure Active Directory you use.
+
+Your App Registration is now ready to be used with the Elastic Agent.
+
+#### Additional Resources
+
+If you want to learn more about this process, you can read these two general guides from Microsoft:
+
+* [Quickstart: Register an application with the Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
+* [Use the portal to create an Azure AD application and service principal that can access resources](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
+
+#### Main options
+
+The settings' main section contains all the options needed to access the Azure APIs and collect the Azure Functions metrics data. You will now use all the values from [App registration](#register-a-new-app) including:
+
+`Client ID` _string_
+: The unique identifier of the App Registration (sometimes referred to as Application ID).
+
+`Client Secret` _string_
+: The client secret for authentication.
+
+`Subscription ID` _string_
+: The unique identifier for the Azure subscription. You can provide just one subscription ID. The Agent uses this ID to access Azure APIs.
+
+`Tenant ID` _string_
+: The unique identifier of the Azure Active Directory's Tenant ID.
+
+#### Advanced options
+
+There are two additional advanced options:
+
+`Resource Manager Endpoint` _string_
+: Optional. By default, the integration uses the Azure public environment. To override, users can provide a specific resource manager endpoint to use a different Azure environment.
+
+Examples:
+
+* `https://management.chinacloudapi.cn` for Azure ChinaCloud
+* `https://management.microsoftazure.de` for Azure GermanCloud
+* `https://management.azure.com` for Azure PublicCloud
+* `https://management.usgovcloudapi.net` for Azure USGovernmentCloud
+
+`Active Directory Endpoint` _string_
+: Optional. By default, the integration uses the associated Active Directory Endpoint. To override, users can provide a specific active directory endpoint to use a different Azure environment.
+
+Examples:
+
+* `https://login.chinacloudapi.cn` for Azure ChinaCloud
+* `https://login.microsoftonline.de` for Azure GermanCloud
+* `https://login.microsoftonline.com` for Azure PublicCloud
+* `https://login.microsoftonline.us` for Azure USGovernmentCloud
+
+#### Metrics Reference
+
+An example event for `metrics` looks as following:
+
+```json
+{
+ "agent": {
+ "name": "docker-fleet-agent",
+ "id": "ae16c4cf-2550-452a-860d-cef5e5182e94",
+ "type": "metricbeat",
+ "ephemeral_id": "7511408f-f109-4e34-a405-98ad479fc097",
+ "version": "8.7.1"
+ },
+ "@timestamp": "2023-08-23T12:20:00.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "namespace": "default",
+ "type": "metrics",
+ "dataset": "azure.function"
+ },
+ "service": {
+ "type": "azure"
+ },
+ "host": {
+ "hostname": "docker-fleet-agent",
+ "os": {
+ "kernel": "5.15.49-linuxkit",
+ "codename": "focal",
+ "name": "Ubuntu",
+ "family": "debian",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)",
+ "platform": "ubuntu"
+ },
+ "containerized": false,
+ "ip": [
+ "172.19.0.9"
+ ],
+ "name": "docker-fleet-agent",
+ "id": "fd2c4b0943e444508c12855a04d117c7",
+ "mac": [
+ "02-42-AC-13-00-09"
+ ],
+ "architecture": "x86_64"
+ },
+ "elastic_agent": {
+ "id": "ae16c4cf-2550-452a-860d-cef5e5182e94",
+ "version": "8.7.1",
+ "snapshot": false
+ },
+ "metricset": {
+ "period": 300000,
+ "name": "monitor"
+ },
+ "event": {
+ "duration": 42827917228,
+ "agent_id_status": "verified",
+ "ingested": "2023-08-23T12:25:34Z",
+ "module": "azure",
+ "dataset": "azure.function"
+ },
+ "azure": {
+ "subscription_id": "12hjkls-78tyu-404f-a3d2-1dc9982f45ds",
+ "timegrain": "PT5M",
+ "functions": {
+ "handles": {
+ "avg": 0
+ },
+ "app_connections": {
+ "avg": 0
+ },
+ "total_app_domains": {
+ "avg": 0
+ },
+ "http_response_time": {
+ "avg": 0.02796875
+ },
+ "bytes_received": {
+ "total": 28804
+ },
+ "average_memory_working_set": {
+ "avg": 328533059.5
+ },
+ "requests": {
+ "total": 32
+ },
+ "bytes_sent": {
+ "total": 8192
+ },
+ "requests_inapplication_queue": {
+ "avg": 0
+ },
+ "memory_working_set": {
+ "avg": 328533059.5
+ },
+ "io_write_bytes_per_second": {
+ "total": 0
+ },
+ "io_other_bytes_per_second": {
+ "total": 0
+ },
+ "total_app_domains_unloaded": {
+ "avg": 0
+ },
+ "io_other_operations_per_second": {
+ "total": 0
+ },
+ "io_read_bytes_per_second": {
+ "total": 31879
+ },
+ "function_execution_units": {
+ "total": 0
+ },
+ "io_read_operations_per_second": {
+ "total": 0
+ },
+ "http2xx": {
+ "total": 16
+ },
+ "http3xx": {
+ "total": 0
+ },
+ "http4xx": {
+ "total": 0
+ },
+ "io_write_operations_per_second": {
+ "total": 0
+ },
+ "function_execution_count": {
+ "total": 0
+ },
+ "http5xx": {
+ "total": 16
+ }
+ },
+ "resource": {
+ "name": "return-of-the-jedi",
+ "id": "/subscriptions/12hjkls-78tyu-404f-a3d2-1dc9982f45ds/resourceGroups/test-rg/providers/Microsoft.Web/sites/return-of-the-jedi",
+ "type": "Microsoft.Web/sites",
+ "group": "test-rg",
+ "tags": {
+ "hidden-link: /app-insights-resource-id": "/subscriptions/12hjkls-78tyu-404f-a3d2-1dc9982f45ds/resourceGroups/test-rg/providers/Microsoft.Insights/components/return-of-the-jedi"
+ }
+ },
+ "namespace": "Microsoft.Web/sites"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| azure.application_id | The application ID | keyword | | |
+| azure.dimensions.\* | Azure metric dimensions. | object | | |
+| azure.functions.app_connections.avg | The number of bound sockets existing in the sandbox (w3wp.exe and its child processes). A bound socket is created by calling bind()/connect() APIs and remains until said socket is closed with CloseHandle()/closesocket(). For WebApps and FunctionApps.. | long | | counter |
+| azure.functions.average_memory_working_set.avg | The average amount of memory used by the app, in MiB. For WebApps and FunctionApps. | long | byte | gauge |
+| azure.functions.bytes_received.total | The amount of incoming bandwidth consumed by the app, in MiB. | long | byte | gauge |
+| azure.functions.bytes_sent.total | The amount of outgoing bandwidth consumed by the app, in MiB. | long | byte | gauge |
+| azure.functions.current_assemblies.avg | The current number of Assemblies loaded across all AppDomains in this application. | long | | gauge |
+| azure.functions.file_system_usage.avg | Percentage of filesystem quota consumed by the app. | long | byte | gauge |
+| azure.functions.function_execution_count.total | Function Execution Count. For FunctionApps only. | long | | counter |
+| azure.functions.function_execution_units.total | Function Execution Units. For FunctionApps only. | long | | counter |
+| azure.functions.gen_0_collections.total | The number of times the generation 0 objects are garbage collected since the start of the app process. Higher generation GCs include all lower generation GCs. | long | | counter |
+| azure.functions.gen_1_collections.total | The number of times the generation 1 objects are garbage collected since the start of the app process. Higher generation GCs include all lower generation GCs. | long | | counter |
+| azure.functions.gen_2_collections.total | The number of times the generation 2 objects are garbage collected since the start of the app process. Higher generation GCs include all lower generation GCs. | long | | counter |
+| azure.functions.handles.avg | The total number of handles currently open by the app process. | long | | counter |
+| azure.functions.health_check_status.avg | Health check status. | long | | gauge |
+| azure.functions.http2xx.total | The count of requests resulting in an HTTP status code \>= 200 but \< 300. | long | | counter |
+| azure.functions.http3xx.total | The count of requests resulting in an HTTP status code \>= 300 but \< 400. | long | | counter |
+| azure.functions.http4xx.total | The count of requests resulting in an HTTP status code \>= 400 but \< 500. | long | | counter |
+| azure.functions.http5xx.total | The count of requests resulting in an HTTP status code \>= 500 but \< 600. | long | | counter |
+| azure.functions.http_response_time.avg | The time taken for the app to serve requests, in seconds. | long | s | gauge |
+| azure.functions.io_other_bytes_per_second.total | The rate at which the app process is issuing bytes to I/O operations that don't involve data, such as control operations. Shown as bytespersecond. | long | | gauge |
+| azure.functions.io_other_operations_per_second.total | The rate at which the app process is issuing I/O operations that aren't read or write operations. Shown as bytespersecond. | long | | gauge |
+| azure.functions.io_read_bytes_per_second.total | The rate at which the app process is reading bytes from I/O operations. Shown as bytespersecond. | long | | gauge |
+| azure.functions.io_read_operations_per_second.total | The rate at which the app process is issuing read I/O operations. Shown as bytespersecond. | long | | gauge |
+| azure.functions.io_write_bytes_per_second.total | The rate at which the app process is writing bytes to I/O operations. Shown as bytespersecond. | long | | gauge |
+| azure.functions.io_write_operations_per_second.total | The rate at which the app process is issuing write I/O operations. Shown as bytespersecond. | long | | gauge |
+| azure.functions.memory_working_set.avg | The current amount of memory used by the app, in MiB. | long | byte | gauge |
+| azure.functions.private_bytes.avg | Private Bytes is the current size, in bytes, of memory that the app process has allocated that can't be shared with other processes. | long | byte | gauge |
+| azure.functions.requests.total | The total number of requests regardless of their resulting HTTP status code. | long | | counter |
+| azure.functions.requests_inapplication_queue.avg | The number of requests in the application request queue. | long | | counter |
+| azure.functions.threads.avg | The number of threads currently active in the app process. | long | | gauge |
+| azure.functions.total_app_domains.avg | The current number of AppDomains loaded in this application. | long | | gauge |
+| azure.functions.total_app_domains_unloaded.avg | The total number of AppDomains unloaded since the start of the application. | long | | gauge |
+| azure.namespace | The namespace selected | keyword | | |
+| azure.resource.group | The resource group | keyword | | |
+| azure.resource.id | The id of the resource | keyword | | |
+| azure.resource.name | The name of the resource | keyword | | |
+| azure.resource.tags.\* | Azure resource tags. | object | | |
+| azure.resource.type | The type of the resource | keyword | | |
+| azure.subscription_id | The subscription ID | keyword | | |
+| azure.timegrain | The Azure metric timegrain | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| container.runtime | Runtime managing this container. | keyword | | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| dataset.name | Dataset name. | constant_keyword | | |
+| dataset.namespace | Dataset namespace. | constant_keyword | | |
+| dataset.type | Dataset type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
+
diff --git a/packages/azure_functions/img/azure-functions-icon.svg b/packages/azure_functions/img/azure-functions-icon.svg
new file mode 100644
index 00000000000..9face30fb9e
--- /dev/null
+++ b/packages/azure_functions/img/azure-functions-icon.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/azure_functions/img/azure-functions-overview1.png b/packages/azure_functions/img/azure-functions-overview1.png
new file mode 100644
index 00000000000..47a3d61496b
Binary files /dev/null and b/packages/azure_functions/img/azure-functions-overview1.png differ
diff --git a/packages/azure_functions/img/azure-functions-overview2.png b/packages/azure_functions/img/azure-functions-overview2.png
new file mode 100644
index 00000000000..1dd590be74a
Binary files /dev/null and b/packages/azure_functions/img/azure-functions-overview2.png differ
diff --git a/packages/azure_functions/img/azure-functions-overview3.png b/packages/azure_functions/img/azure-functions-overview3.png
new file mode 100644
index 00000000000..3d22d27980b
Binary files /dev/null and b/packages/azure_functions/img/azure-functions-overview3.png differ
diff --git a/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json b/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json
new file mode 100644
index 00000000000..8789e027f33
--- /dev/null
+++ b/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json
@@ -0,0 +1,2317 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\",\"fieldName\":\"azure.resource.name\",\"title\":\"Filter by Function App\",\"enhancements\":{},\"selectedOptions\":[]}},\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\",\"fieldName\":\"azure.resource.group\",\"title\":\"Filter by resource group\",\"enhancements\":{}}}}"
+ },
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "f6c3c469-2e64-4120-b144-997fb70575e2": {
+ "columnOrder": [
+ "b0f015a9-aab1-4b26-b28f-65ce55f354de"
+ ],
+ "columns": {
+ "b0f015a9-aab1-4b26-b28f-65ce55f354de": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Active Function Apps",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layerId": "f6c3c469-2e64-4120-b144-997fb70575e2",
+ "layerType": "data",
+ "metricAccessor": "b0f015a9-aab1-4b26-b28f-65ce55f354de",
+ "showBar": false
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": true
+ },
+ "gridData": {
+ "h": 6,
+ "i": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0",
+ "w": 10,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0",
+ "title": "Number of Active Function Apps",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "Health Check Status indicates if there are any unhealthy instances and if they need replacing. A value of 100 means all instances of the App reported a healthy status. ",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "60014cf3-d9b4-46e8-ae69-999d31086fbc",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "113434b9-c581-4b79-9344-13864154c598": {
+ "columnOrder": [
+ "68c19ae2-0676-4b4a-90e7-c60d2ca556ac",
+ "8952901b-a1b3-4bb5-9605-c68a31cef340",
+ "6439d7ec-458f-4daf-a97a-101e6f025660"
+ ],
+ "columns": {
+ "6439d7ec-458f-4daf-a97a-101e6f025660": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.functions.health_check_status.avg: *"
+ },
+ "isBucketed": false,
+ "label": "ExecutionCount",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.function_execution_count.total"
+ },
+ "68c19ae2-0676-4b4a-90e7-c60d2ca556ac": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6439d7ec-458f-4daf-a97a-101e6f025660",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "8952901b-a1b3-4bb5-9605-c68a31cef340": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": "azure.functions.health_check_status.avg: *",
+ "disabled": false,
+ "index": "60014cf3-d9b4-46e8-ae69-999d31086fbc",
+ "key": "query",
+ "negate": false,
+ "type": "custom",
+ "value": "{\"bool\":{\"filter\":[{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"exists\":{\"field\":\"azure.functions.health_check_status.avg\"}}]}}],\"must\":[],\"must_not\":[],\"should\":[]}}"
+ },
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "exists": {
+ "field": "azure.functions.health_check_status.avg"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "must": [],
+ "must_not": [],
+ "should": []
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "6439d7ec-458f-4daf-a97a-101e6f025660"
+ ],
+ "layerId": "113434b9-c581-4b79-9344-13864154c598",
+ "layerType": "data",
+ "seriesType": "line",
+ "splitAccessor": "68c19ae2-0676-4b4a-90e7-c60d2ca556ac",
+ "xAccessor": "8952901b-a1b3-4bb5-9605-c68a31cef340"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "Captures the number of execution of the function app. ",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "b9d5606f-9607-4c90-a75f-c2857b266bfa",
+ "w": 15,
+ "x": 10,
+ "y": 0
+ },
+ "panelIndex": "b9d5606f-9607-4c90-a75f-c2857b266bfa",
+ "title": "Function Execution Count by Function Apps",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8e323fe9-19c2-405d-bbf6-ba61dc9a190f": {
+ "columnOrder": [
+ "c4d0be17-9d74-468d-8e55-a064664300d1",
+ "2cbcc3e5-5848-4a88-910b-7c845618ae2e",
+ "b37bb938-9515-453c-a5ff-f384a7351317",
+ "b37bb938-9515-453c-a5ff-f384a7351317X1",
+ "b37bb938-9515-453c-a5ff-f384a7351317X0",
+ "b37bb938-9515-453c-a5ff-f384a7351317X2"
+ ],
+ "columns": {
+ "2cbcc3e5-5848-4a88-910b-7c845618ae2e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Total number of invocations",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.requests.total"
+ },
+ "b37bb938-9515-453c-a5ff-f384a7351317": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Success Percentage",
+ "operationType": "formula",
+ "params": {
+ "format": {
+ "id": "percent",
+ "params": {
+ "decimals": 2
+ }
+ },
+ "formula": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "b37bb938-9515-453c-a5ff-f384a7351317X2"
+ ],
+ "scale": "ratio"
+ },
+ "b37bb938-9515-453c-a5ff-f384a7351317X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Success Percentage",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.http2xx.total"
+ },
+ "b37bb938-9515-453c-a5ff-f384a7351317X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Success Percentage",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.requests.total"
+ },
+ "b37bb938-9515-453c-a5ff-f384a7351317X2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of Success Percentage",
+ "operationType": "math",
+ "params": {
+ "tinymathAst": {
+ "args": [
+ "b37bb938-9515-453c-a5ff-f384a7351317X0",
+ "b37bb938-9515-453c-a5ff-f384a7351317X1"
+ ],
+ "location": {
+ "max": 73,
+ "min": 0
+ },
+ "name": "divide",
+ "text": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ",
+ "type": "function"
+ }
+ },
+ "references": [
+ "b37bb938-9515-453c-a5ff-f384a7351317X0",
+ "b37bb938-9515-453c-a5ff-f384a7351317X1"
+ ],
+ "scale": "ratio"
+ },
+ "c4d0be17-9d74-468d-8e55-a064664300d1": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 Function Apps",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "c4d0be17-9d74-468d-8e55-a064664300d1",
+ "isTransposed": false
+ },
+ {
+ "alignment": "left",
+ "colorMode": "cell",
+ "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e",
+ "isTransposed": false,
+ "palette": {
+ "name": "positive",
+ "params": {
+ "stops": [
+ {
+ "color": "#d6e9e4",
+ "stop": 20
+ },
+ {
+ "color": "#aed3ca",
+ "stop": 40
+ },
+ {
+ "color": "#85bdb1",
+ "stop": 60
+ },
+ {
+ "color": "#5aa898",
+ "stop": 80
+ },
+ {
+ "color": "#209280",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "summaryRow": "none"
+ },
+ {
+ "alignment": "left",
+ "columnId": "b37bb938-9515-453c-a5ff-f384a7351317",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "8e323fe9-19c2-405d-bbf6-ba61dc9a190f",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "description": "Shows the number of successful invocations as a percentage of the total invocations per function app. ",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "44c459b4-623b-4534-ba78-8904669ae9cb",
+ "w": 23,
+ "x": 25,
+ "y": 0
+ },
+ "panelIndex": "44c459b4-623b-4534-ba78-8904669ae9cb",
+ "title": "Success Rate",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b0c25d59-67fb-4970-8b15-1da58db41925": {
+ "columnOrder": [
+ "87ec7063-bff9-4d15-87e7-8f1da7b3f12b",
+ "bf6104e4-667c-4384-b819-842c52698256"
+ ],
+ "columns": {
+ "87ec7063-bff9-4d15-87e7-8f1da7b3f12b": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": false,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bf6104e4-667c-4384-b819-842c52698256",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "bf6104e4-667c-4384-b819-842c52698256": {
+ "customLabel": false,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.requests.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.requests.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "layerId": "b0c25d59-67fb-4970-8b15-1da58db41925",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "legendPosition": "right",
+ "metrics": [
+ "bf6104e4-667c-4384-b819-842c52698256"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "87ec7063-bff9-4d15-87e7-8f1da7b3f12b"
+ ]
+ }
+ ],
+ "shape": "donut"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 9,
+ "i": "9196bdde-1f73-46f5-97f6-09db15a28b61",
+ "w": 10,
+ "x": 0,
+ "y": 6
+ },
+ "panelIndex": "9196bdde-1f73-46f5-97f6-09db15a28b61",
+ "title": "Total Number of Invocations across Function Apps",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "Number of Function invocations that resulted in a HTTP 2xx response code",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "4689dc73-dc78-4c03-b975-62264d68c33b": {
+ "columnOrder": [
+ "cb555077-660a-4e41-8974-9ad2d8e3b235",
+ "a3e51351-a9f0-414d-857e-d908e3919b15",
+ "a074efc1-3210-40c8-af5b-ba97da2de1ac"
+ ],
+ "columns": {
+ "a074efc1-3210-40c8-af5b-ba97da2de1ac": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.http2xx.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.http2xx.total"
+ },
+ "a3e51351-a9f0-414d-857e-d908e3919b15": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "cb555077-660a-4e41-8974-9ad2d8e3b235": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a074efc1-3210-40c8-af5b-ba97da2de1ac",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "a074efc1-3210-40c8-af5b-ba97da2de1ac"
+ ],
+ "layerId": "4689dc73-dc78-4c03-b975-62264d68c33b",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar",
+ "showGridlines": false,
+ "splitAccessor": "cb555077-660a-4e41-8974-9ad2d8e3b235",
+ "xAccessor": "a3e51351-a9f0-414d-857e-d908e3919b15"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "bar",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "5430e8a9-47ae-4c82-96b7-b0287026409f",
+ "w": 16,
+ "x": 0,
+ "y": 15
+ },
+ "panelIndex": "5430e8a9-47ae-4c82-96b7-b0287026409f",
+ "title": "HTTP 2xx Responses",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "54edca01-9fb6-444a-8d98-ddb0ff36f9be": {
+ "columnOrder": [
+ "6eddce7c-5301-479c-ab7b-8c574999c145",
+ "38a86941-b5ec-4a83-9684-0f70bb14a361",
+ "94937bdd-d5bb-469e-83b9-89e34f3a4614"
+ ],
+ "columns": {
+ "38a86941-b5ec-4a83-9684-0f70bb14a361": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "6eddce7c-5301-479c-ab7b-8c574999c145": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "94937bdd-d5bb-469e-83b9-89e34f3a4614",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "94937bdd-d5bb-469e-83b9-89e34f3a4614": {
+ "customLabel": false,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.http4xx.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.http4xx.total"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "94937bdd-d5bb-469e-83b9-89e34f3a4614"
+ ],
+ "layerId": "54edca01-9fb6-444a-8d98-ddb0ff36f9be",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar",
+ "showGridlines": false,
+ "splitAccessor": "6eddce7c-5301-479c-ab7b-8c574999c145",
+ "xAccessor": "38a86941-b5ec-4a83-9684-0f70bb14a361"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "bar",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "Number of Function invocations that resulted in a HTTP 2xx response code",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2",
+ "w": 16,
+ "x": 16,
+ "y": 15
+ },
+ "panelIndex": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2",
+ "title": "HTTP 4xx Responses",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "Number of server errors or exceptions. ",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8": {
+ "columnOrder": [
+ "ed0b46b6-3210-492d-b67b-027e0b427588",
+ "f4765a92-4ba2-4936-afa3-7e8648c99a8d",
+ "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc"
+ ],
+ "columns": {
+ "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.http5xx.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.http5xx.total"
+ },
+ "ed0b46b6-3210-492d-b67b-027e0b427588": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "f4765a92-4ba2-4936-afa3-7e8648c99a8d": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc"
+ ],
+ "layerId": "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8",
+ "layerType": "data",
+ "seriesType": "bar",
+ "splitAccessor": "ed0b46b6-3210-492d-b67b-027e0b427588",
+ "xAccessor": "f4765a92-4ba2-4936-afa3-7e8648c99a8d"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "bar",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "266a1bc1-c35b-4959-96c1-5d799a98754c",
+ "w": 16,
+ "x": 32,
+ "y": 15
+ },
+ "panelIndex": "266a1bc1-c35b-4959-96c1-5d799a98754c",
+ "title": "HTTP 5xx Error Responses",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "The time taken for the app to serve requests.",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8d0f0cfa-b115-4100-ba7e-1cadee108055": {
+ "columnOrder": [
+ "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f",
+ "234483e9-2403-442e-bb76-d6315e2517af",
+ "bde63578-63d7-43ab-ad04-0b810b2f4033"
+ ],
+ "columns": {
+ "234483e9-2403-442e-bb76-d6315e2517af": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bde63578-63d7-43ab-ad04-0b810b2f4033",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "bde63578-63d7-43ab-ad04-0b810b2f4033": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average of azure.functions.http_response_time.avg",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.http_response_time.avg"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "bde63578-63d7-43ab-ad04-0b810b2f4033"
+ ],
+ "layerId": "8d0f0cfa-b115-4100-ba7e-1cadee108055",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f",
+ "xAccessor": "234483e9-2403-442e-bb76-d6315e2517af"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "The time taken for the app to serve requests.",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "5ef0d281-2eff-415a-ac37-d778985db835",
+ "w": 24,
+ "x": 0,
+ "y": 29
+ },
+ "panelIndex": "5ef0d281-2eff-415a-ac37-d778985db835",
+ "title": "Averave Response Time(in seconds)",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "The current amount of memory used by the app. ",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "750303c4-2d5f-4b67-8018-cba6ccc3e3f8": {
+ "columnOrder": [
+ "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f",
+ "03e43362-ec04-4c0a-8cdf-0bd29107feee",
+ "1d2a33f9-47f5-4483-bd25-bf258b7fe434"
+ ],
+ "columns": {
+ "03e43362-ec04-4c0a-8cdf-0bd29107feee": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "1d2a33f9-47f5-4483-bd25-bf258b7fe434": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average of azure.functions.average_memory_working_set.avg",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.average_memory_working_set.avg"
+ },
+ "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "1d2a33f9-47f5-4483-bd25-bf258b7fe434",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "1d2a33f9-47f5-4483-bd25-bf258b7fe434"
+ ],
+ "layerId": "750303c4-2d5f-4b67-8018-cba6ccc3e3f8",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f",
+ "xAccessor": "03e43362-ec04-4c0a-8cdf-0bd29107feee"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "area",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "The current amount of memory used by the app. ",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "4f589bdd-7bbf-4b5e-88f7-68272155780d",
+ "w": 24,
+ "x": 24,
+ "y": 29
+ },
+ "panelIndex": "4f589bdd-7bbf-4b5e-88f7-68272155780d",
+ "title": "Memory Working Set by Function Apps",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "description": "The amount of incoming bandwidth consumed by the app. ",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "96b12503-3f63-4f80-9419-f8d25b7356fc",
+ "w": 24,
+ "x": 0,
+ "y": 44
+ },
+ "panelIndex": "96b12503-3f63-4f80-9419-f8d25b7356fc",
+ "panelRefName": "panel_96b12503-3f63-4f80-9419-f8d25b7356fc",
+ "title": "Top 10 Function Apps by Bytes Received ",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "The amount of outgoing bandwidth sent by the app. ",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fa95f5df-3ddf-44ed-88b8-793641935e0a": {
+ "columnOrder": [
+ "a3174d15-f56d-4533-b4e8-2006a55c51d4",
+ "4a76dd12-cd30-4e95-8b20-015379b31cf4",
+ "6d32a3d7-e8d2-4061-9d93-eeca1d25d957"
+ ],
+ "columns": {
+ "4a76dd12-cd30-4e95-8b20-015379b31cf4": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "6d32a3d7-e8d2-4061-9d93-eeca1d25d957": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.bytes_sent.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.bytes_sent.total"
+ },
+ "a3174d15-f56d-4533-b4e8-2006a55c51d4": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6d32a3d7-e8d2-4061-9d93-eeca1d25d957",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "6d32a3d7-e8d2-4061-9d93-eeca1d25d957"
+ ],
+ "layerId": "fa95f5df-3ddf-44ed-88b8-793641935e0a",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "a3174d15-f56d-4533-b4e8-2006a55c51d4",
+ "xAccessor": "4a76dd12-cd30-4e95-8b20-015379b31cf4"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "The amount of outgoing bandwidth sent by the app. ",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "578f6fe3-6edb-4678-b13c-1e9510f1942b",
+ "w": 24,
+ "x": 24,
+ "y": 44
+ },
+ "panelIndex": "578f6fe3-6edb-4678-b13c-1e9510f1942b",
+ "title": "Top 10 Function Apps by Bytes Sent ",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "The rate at which the app process is reading bytes from I/O operation",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0": {
+ "columnOrder": [
+ "d3c92de9-3de0-4478-a4a6-432e2c42c0ab",
+ "10d4106f-6c96-4dc2-8866-3f1fe7e81898",
+ "755983df-cc70-41bc-88d7-56ae24060492"
+ ],
+ "columns": {
+ "10d4106f-6c96-4dc2-8866-3f1fe7e81898": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "755983df-cc70-41bc-88d7-56ae24060492": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.io_read_bytes_per_second.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.io_read_bytes_per_second.total"
+ },
+ "d3c92de9-3de0-4478-a4a6-432e2c42c0ab": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "755983df-cc70-41bc-88d7-56ae24060492",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "755983df-cc70-41bc-88d7-56ae24060492"
+ ],
+ "layerId": "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar",
+ "showGridlines": false,
+ "splitAccessor": "d3c92de9-3de0-4478-a4a6-432e2c42c0ab",
+ "xAccessor": "10d4106f-6c96-4dc2-8866-3f1fe7e81898"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "bar",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "The rate at which the app process is reading bytes from I/O operation",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f7c59600-cc99-4d51-b8f8-20976818476a",
+ "w": 24,
+ "x": 0,
+ "y": 59
+ },
+ "panelIndex": "f7c59600-cc99-4d51-b8f8-20976818476a",
+ "title": "IO Read Bytes Per Second",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "The rate at which the app process is writing bytes to I/O operations.",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5": {
+ "columnOrder": [
+ "bf621d88-b10b-4d8b-86fc-33034ed0fdc9",
+ "e2344323-fc84-49dc-9a63-ff7cc0ac618a",
+ "017dace0-c878-45e7-8d98-bfba5bdade86"
+ ],
+ "columns": {
+ "017dace0-c878-45e7-8d98-bfba5bdade86": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.io_write_bytes_per_second.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.io_write_bytes_per_second.total"
+ },
+ "bf621d88-b10b-4d8b-86fc-33034ed0fdc9": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "017dace0-c878-45e7-8d98-bfba5bdade86",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "e2344323-fc84-49dc-9a63-ff7cc0ac618a": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "017dace0-c878-45e7-8d98-bfba5bdade86"
+ ],
+ "layerId": "0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "splitAccessor": "bf621d88-b10b-4d8b-86fc-33034ed0fdc9",
+ "xAccessor": "e2344323-fc84-49dc-9a63-ff7cc0ac618a"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "The rate at which the app process is writing bytes to I/O operations.",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a",
+ "w": 24,
+ "x": 24,
+ "y": 59
+ },
+ "panelIndex": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a",
+ "title": "IO Write Bytes Per Second",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "The rate at which the app process is issuing read I/O operations.",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e16f3e88-0dc5-490a-b45d-86b3dbd359a3": {
+ "columnOrder": [
+ "c5f39387-452a-4a77-8c48-831ecf41d972",
+ "d59f84c1-e509-4b82-bb73-8b30500124ec",
+ "32a41b5b-b737-4fd0-8b22-4a009d9c5555"
+ ],
+ "columns": {
+ "32a41b5b-b737-4fd0-8b22-4a009d9c5555": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.io_read_operations_per_second.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0,
+ "suffix": "/s"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.io_read_operations_per_second.total"
+ },
+ "c5f39387-452a-4a77-8c48-831ecf41d972": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "32a41b5b-b737-4fd0-8b22-4a009d9c5555",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "d59f84c1-e509-4b82-bb73-8b30500124ec": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "32a41b5b-b737-4fd0-8b22-4a009d9c5555"
+ ],
+ "layerId": "e16f3e88-0dc5-490a-b45d-86b3dbd359a3",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "c5f39387-452a-4a77-8c48-831ecf41d972",
+ "xAccessor": "d59f84c1-e509-4b82-bb73-8b30500124ec"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "line",
+ "showCurrentTimeMarker": false,
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "The rate at which the app process is issuing read I/O operations.",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab",
+ "w": 24,
+ "x": 0,
+ "y": 74
+ },
+ "panelIndex": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab",
+ "title": "IO Read Operations Per Second",
+ "type": "lens",
+ "version": "8.7.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "The rate at which the app process is issuing wite I/O operations.",
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "effd480b-5d45-4c7e-9883-114e91117829": {
+ "columnOrder": [
+ "62dfa6f9-8995-4b01-8038-0a32c921ce4e",
+ "fb0c0a99-931d-407b-90e1-a7695f4e877a",
+ "4ff3447e-d940-4369-8cec-7f6ef83dd20f"
+ ],
+ "columns": {
+ "4ff3447e-d940-4369-8cec-7f6ef83dd20f": {
+ "customLabel": false,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.io_write_operations_per_second.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0,
+ "suffix": "/s"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.io_write_operations_per_second.total"
+ },
+ "62dfa6f9-8995-4b01-8038-0a32c921ce4e": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "4ff3447e-d940-4369-8cec-7f6ef83dd20f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "fb0c0a99-931d-407b-90e1-a7695f4e877a": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "4ff3447e-d940-4369-8cec-7f6ef83dd20f"
+ ],
+ "layerId": "effd480b-5d45-4c7e-9883-114e91117829",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "62dfa6f9-8995-4b01-8038-0a32c921ce4e",
+ "xAccessor": "fb0c0a99-931d-407b-90e1-a7695f4e877a"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "description": "The rate at which the app process is issuing wite I/O operations.",
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6",
+ "w": 24,
+ "x": 24,
+ "y": 74
+ },
+ "panelIndex": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6",
+ "title": "IO Write Operations Per Second",
+ "type": "lens",
+ "version": "8.7.1"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Azure Functions] Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-08-25T09:01:59.889Z",
+ "id": "azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0:indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "b9d5606f-9607-4c90-a75f-c2857b266bfa:indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "b9d5606f-9607-4c90-a75f-c2857b266bfa:60014cf3-d9b4-46e8-ae69-999d31086fbc",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "44c459b4-623b-4534-ba78-8904669ae9cb:indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "9196bdde-1f73-46f5-97f6-09db15a28b61:indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5430e8a9-47ae-4c82-96b7-b0287026409f:indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2:indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "266a1bc1-c35b-4959-96c1-5d799a98754c:indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5ef0d281-2eff-415a-ac37-d778985db835:indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "4f589bdd-7bbf-4b5e-88f7-68272155780d:indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b",
+ "name": "96b12503-3f63-4f80-9419-f8d25b7356fc:panel_96b12503-3f63-4f80-9419-f8d25b7356fc",
+ "type": "lens"
+ },
+ {
+ "id": "metrics-*",
+ "name": "578f6fe3-6edb-4678-b13c-1e9510f1942b:indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f7c59600-cc99-4d51-b8f8-20976818476a:indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a:indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab:indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6:indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_ff8243f3-9c96-4cb0-b703-0af0107bc8f7:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_bebd2bf5-eb88-4157-b86b-e6fd9e322b13:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/azure_functions/kibana/lens/azure_functions-1e62d580-3491-11ee-8d85-2d7adebebd1b.json b/packages/azure_functions/kibana/lens/azure_functions-1e62d580-3491-11ee-8d85-2d7adebebd1b.json
new file mode 100644
index 00000000000..b3216f8e59d
--- /dev/null
+++ b/packages/azure_functions/kibana/lens/azure_functions-1e62d580-3491-11ee-8d85-2d7adebebd1b.json
@@ -0,0 +1,186 @@
+{
+ "attributes": {
+ "description": "",
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "59e32faf-6efe-4b99-806e-0022e95bfe71": {
+ "columnOrder": [
+ "b6caccad-3379-41e0-a011-efd0aa4c0268",
+ "de1705b8-3559-46ee-be47-0998ab9e9ce0",
+ "51003b73-f78c-4ed2-8e9a-d5e6d7d23239"
+ ],
+ "columns": {
+ "51003b73-f78c-4ed2-8e9a-d5e6d7d23239": {
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.metrics.http_response_time.avg: *"
+ },
+ "isBucketed": false,
+ "label": "Average of azure.functions.http_response_time.avg",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.http_response_time.avg"
+ },
+ "b6caccad-3379-41e0-a011-efd0aa4c0268": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "51003b73-f78c-4ed2-8e9a-d5e6d7d23239",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "de1705b8-3559-46ee-be47-0998ab9e9ce0": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": "azure.metrics.http_response_time.avg: *",
+ "disabled": false,
+ "index": "0b109d13-9358-4287-8292-7924e980f073",
+ "key": "query",
+ "negate": false,
+ "type": "custom",
+ "value": "{\"bool\":{\"filter\":[{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"exists\":{\"field\":\"azure.metrics.http_response_time.avg\"}}]}}],\"must\":[],\"must_not\":[],\"should\":[]}}"
+ },
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "exists": {
+ "field": "azure.metrics.http_response_time.avg"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "must": [],
+ "must_not": [],
+ "should": []
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"azure.function\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "51003b73-f78c-4ed2-8e9a-d5e6d7d23239"
+ ],
+ "collapseFn": "",
+ "layerId": "59e32faf-6efe-4b99-806e-0022e95bfe71",
+ "layerType": "data",
+ "seriesType": "line",
+ "splitAccessor": "b6caccad-3379-41e0-a011-efd0aa4c0268",
+ "xAccessor": "de1705b8-3559-46ee-be47-0998ab9e9ce0"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "Response time",
+ "visualizationType": "lnsXY"
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-08-13T19:12:36.830Z",
+ "id": "azure_functions-1e62d580-3491-11ee-8d85-2d7adebebd1b",
+ "migrationVersion": {
+ "lens": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-59e32faf-6efe-4b99-806e-0022e95bfe71",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "0b109d13-9358-4287-8292-7924e980f073",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "lens"
+}
\ No newline at end of file
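Review bot: The filter in this Lens object tests `azure.metrics.http_response_time.avg` (the column `filter.query`, `meta.alias`, `meta.value` and the `exists.field` inside `query`), while the metric itself is read from `azure.functions.http_response_time.avg` in `sourceField`, so unless the data stream also emits an `azure.metrics.*` copy (not visible here) the `exists` clause matches nothing and the "Response time" panel renders empty. Replacing the four occurrences with `azure.functions.http_response_time.avg` fixes it; alternatively the filter can be dropped, since `emptyAsNull: true` on the average column already suppresses missing values. The KQL in `query.query` also carries a trailing space inside the string (`"data_stream.dataset : \"azure.function\" "`), here and in the sibling `azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b.json`; harmless, but worth trimming so both objects match what a user would type.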
diff --git a/packages/azure_functions/kibana/lens/azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b.json b/packages/azure_functions/kibana/lens/azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b.json
new file mode 100644
index 00000000000..7540ae1ae4f
--- /dev/null
+++ b/packages/azure_functions/kibana/lens/azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b.json
@@ -0,0 +1,147 @@
+{
+ "attributes": {
+ "description": "",
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "5e26da41-85b9-4f3d-b666-9b027f19f4c0": {
+ "columnOrder": [
+ "e3e826ac-4145-4caa-97c7-0074740c3bde",
+ "4d55692b-10e3-4d58-8bc0-2973e9d8bd58",
+ "f807ce10-f26f-4f0a-a838-2baea3bb5ac2"
+ ],
+ "columns": {
+ "4d55692b-10e3-4d58-8bc0-2973e9d8bd58": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "e3e826ac-4145-4caa-97c7-0074740c3bde": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "f807ce10-f26f-4f0a-a838-2baea3bb5ac2",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "f807ce10-f26f-4f0a-a838-2baea3bb5ac2": {
+ "customLabel": false,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Sum of azure.functions.bytes_received.total",
+ "operationType": "sum",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.functions.bytes_received.total"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"azure.function\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "f807ce10-f26f-4f0a-a838-2baea3bb5ac2"
+ ],
+ "layerId": "5e26da41-85b9-4f3d-b666-9b027f19f4c0",
+ "layerType": "data",
+ "seriesType": "line",
+ "splitAccessor": "e3e826ac-4145-4caa-97c7-0074740c3bde",
+ "xAccessor": "4d55692b-10e3-4d58-8bc0-2973e9d8bd58"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "bottom"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "Bytes Received",
+ "visualizationType": "lnsXY"
+ },
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-08-25T08:51:40.052Z",
+ "id": "azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b",
+ "migrationVersion": {
+ "lens": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-5e26da41-85b9-4f3d-b666-9b027f19f4c0",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "lens"
+}
\ No newline at end of file
diff --git a/packages/azure_functions/manifest.yml b/packages/azure_functions/manifest.yml
new file mode 100644
index 00000000000..6df9a58e63b
--- /dev/null
+++ b/packages/azure_functions/manifest.yml
@@ -0,0 +1,60 @@
+format_version: 2.5.1
+name: azure_functions
+title: "Azure Functions"
+version: 0.1.0
+source:
+ license: "Elastic-2.0"
+description: "Get metrics and logs from Azure Functions"
+type: integration
+categories:
+ - azure
+ - cloud
+conditions:
+ kibana.version: "^8.8.1"
+ elastic.subscription: "basic"
+vars:
+ - name: resource_manager_endpoint
+ type: text
+ title: Resource Manager Endpoint
+ multi: false
+ required: false
+ show_user: true
+icons:
+ - src: /img/azure-functions-icon.svg
+ title: Azure Functions logo
+ size: 32x32
+ type: image/svg+xml
+screenshots:
+ - src: /img/azure-functions-overview1.png
+ title: Azure Functions Overview dashboard
+ size: 600x600
+ type: image/png
+ - src: /img/azure-functions-overview2.png
+ title: Azure Functions Overview dashboard
+ size: 600x600
+ type: image/png
+ - src: /img/azure-functions-overview3.png
+ title: Azure Functions Overview dashboard
+ size: 600x600
+ type: image/png
+policy_templates:
+ - name: azure_functions
+ title: Azure Functions logs and metrics
+ description: Azure Functions logs and metrics with Elastic Agent.
+ data_streams:
+ - functionapplogs
+ - metrics
+ categories:
+ - azure
+ - cloud
+ inputs:
+ - type: "azure-eventhub"
+ title: "Collect Azure Functions logs from Event Hub"
+ description: "Collecting Functions logs from Azure (input: azure-eventhub)"
+ input_group: logs
+ - type: "azure/metrics"
+ title: "Collect Azure Functions metrics"
+ description: "Collecting Azure Functions metrics"
+ input_group: metrics
+owner:
+ github: elastic/obs-infraobs-integrations
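Review bot: The package-level `resource_manager_endpoint` var has no `description`, so Fleet shows operators a bare free-text field for a setting that, presumably via the `azure/metrics` input, decides which Azure Resource Manager endpoint the agent authenticates against. Add something like `description: Optional. Overrides the Azure Resource Manager endpoint for sovereign clouds (for example Azure Government or Azure China); leave empty to use the public Azure cloud.` so the expected values and the safe default are documented. The three screenshots also share the identical title `Azure Functions Overview dashboard`; distinct titles would make the gallery navigable.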
diff --git a/packages/azure_metrics/changelog.yml b/packages/azure_metrics/changelog.yml
index 8c9732228a1..dc40e1598d4 100644
--- a/packages/azure_metrics/changelog.yml
+++ b/packages/azure_metrics/changelog.yml
@@ -1,3 +1,138 @@
+- version: "1.0.43"
+ changes:
+ - description: Migrate File Storage Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7692
+- version: "1.0.42"
+ changes:
+ - description: Migrate Table Storage Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7690
+- version: "1.0.41"
+ changes:
+ - description: Migrate Queue Storage Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7662
+- version: "1.0.40"
+ changes:
+ - description: Add dimension and metric_type metadata to the database_account datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7503
+- version: "1.0.39"
+ changes:
+ - description: Remove region dimension in the database_account datastream
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7725
+- version: "1.0.38"
+ changes:
+ - description: Migrate Compute VMs Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7508
+- version: "1.0.37"
+ changes:
+ - description: Migrate Storage Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7691
+- version: "1.0.36"
+ changes:
+ - description: Migrate Container Instance Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7638
+- version: "1.0.35"
+ changes:
+ - description: Normalize the azure.dimentions.status field value to lowercase. Values from Azure come in lowercase and capitalized versions (e.g., True/true/False/false).
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7551
+- version: "1.0.34"
+ changes:
+ - description: Add dimension and metric_type metadata to the monitor datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7473
+- version: "1.0.33"
+ changes:
+ - description: Add missing region dimension, remove outdated azure metrics for the database_account datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7502
+- version: "1.0.32"
+ changes:
+ - description: Migrate Container Registry Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7563
+- version: "1.0.31"
+ changes:
+ - description: Migrate Compute VM Guest Memory & Process Metrics Compute VM dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7557
+- version: "1.0.30"
+ changes:
+ - description: Migrate Compute VM Guest ASP.NET & Sql Server dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7562
+- version: "1.0.29"
+ changes:
+ - description: Migrate Compute VM Guest Linux Metrics Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7558
+- version: "1.0.28"
+ changes:
+ - description: Add dimension and metric_type metadata to the compute_vm datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7293
+- version: "1.0.27"
+ changes:
+ - description: Migrate Container Service Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7529
+- version: "1.0.26"
+ changes:
+ - description: Migrate VM Scale Sets Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7496
+- version: "1.0.25"
+ changes:
+ - description: Migrate Database Account Overview dashboard to lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7428
+- version: "1.0.24"
+ changes:
+ - description: Fix the metrics field name in the container instance datastream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7445
+- version: "1.0.23"
+ changes:
+ - description: Add dimension and metric_type metadata to the compute_vm_scaleset datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7177
+- version: "1.0.22"
+ changes:
+ - description: Add dimension and metric_type metadata to the container_registry datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7155
+- version: "1.0.21"
+ changes:
+ - description: Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7320
+- version: "1.0.20"
+ changes:
+ - description: Add missing azure dimensions to the container_registry and compute_vm_scaleset datastreams
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7314
+- version: "1.0.19"
+ changes:
+ - description: Add dimension and metric_type metadata to the container_service datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7139
+- version: "1.0.18"
+ changes:
+ - description: Add missing azure dimensions to the kube_pod_status_phase and kube_pod_status_ready metrics
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7245
+- version: "1.0.17"
+ changes:
+ - description: Add dimension and metric_type metadata to the container_instance datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7127
- version: "1.0.16"
changes:
- description: Added categories and/or subcategories.
diff --git a/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml b/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml
index da4e652c53b..cdfd49b5f89 100644
--- a/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml
@@ -22,6 +22,7 @@
- name: instance.id
level: extended
type: keyword
+ dimension: true
ignore_above: 1024
description: Instance ID of the host machine.
example: i-1234567890abcdef0
@@ -45,6 +46,7 @@
- name: region
level: extended
type: keyword
+ dimension: true
ignore_above: 1024
description: Region in which this host is running.
example: us-east-1
@@ -62,26 +64,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
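Review bot: The `container.id`, `container.image.name` and `container.name` definitions are removed from the container group in the last hunk, leaving only `labels`, but none of the compute_vm changelog entries in this diff mention a field removal. If these are now covered by an `external: ecs` entry in `ecs.yml` outside this view that is fine, otherwise documents carrying `container.id` lose their explicit keyword mapping; either way a changelog line such as `- description: Remove container.id, container.image.name and container.name from the compute_vm datastream` would make it traceable. The same removal appears in the `compute_vm_scaleset/fields/agent.yml` hunk further down.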
diff --git a/packages/azure_metrics/data_stream/compute_vm/fields/ecs.yml b/packages/azure_metrics/data_stream/compute_vm/fields/ecs.yml
index c9ba9972270..0ef9d19c59d 100644
--- a/packages/azure_metrics/data_stream/compute_vm/fields/ecs.yml
+++ b/packages/azure_metrics/data_stream/compute_vm/fields/ecs.yml
@@ -15,3 +15,6 @@
external: ecs
- name: host
external: ecs
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/azure_metrics/data_stream/compute_vm/fields/fields.yml b/packages/azure_metrics/data_stream/compute_vm/fields/fields.yml
index 57966df6285..f1c3268f59a 100644
--- a/packages/azure_metrics/data_stream/compute_vm/fields/fields.yml
+++ b/packages/azure_metrics/data_stream/compute_vm/fields/fields.yml
@@ -2,5 +2,6 @@
type: object
object_type: float
object_type_mapping_type: "*"
+ metric_type: gauge
description: >-
- compute_vm
+ Returned compute_vm metrics
diff --git a/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml b/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml
index 28fa99283bd..e8599123a21 100644
--- a/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml
+++ b/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml
@@ -3,6 +3,7 @@
description: ""
fields:
- name: timegrain
+ dimension: true
type: keyword
description: >
The Azure metric timegrain
@@ -25,6 +26,7 @@
- name: id
type: keyword
+ dimension: true
description: >
The id of the resource
@@ -41,6 +43,7 @@
Azure resource tags.
- name: namespace
+ dimension: true
type: keyword
description: >
The namespace selected
@@ -55,17 +58,26 @@
description: >
The application ID
- - name: dimensions.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: >
- Azure metric dimensions.
-
- - name: metrics.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- Metrics returned.
-
+ - name: dimensions
+ type: group
+ fields:
+ - name: device
+ type: keyword
+ dimension: true
+ description: Name of the device of the linux instance, eg. sda2
+ - name: host
+ type: keyword
+ dimension: true
+ description: Name of the linux host
+ - name: name
+ type: keyword
+ dimension: true
+ description: Name of the device of the linux instance
+ - name: interface
+ type: keyword
+ dimension: true
+ description: Name of the network interface on the linux instance
+ - name: cpu
+ type: keyword
+ dimension: true
+ description: Cpu core on the linux instance
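Review bot: `dimensions.device` and `dimensions.name` carry the same description, `Name of the device of the linux instance`, so a reader cannot tell which Azure guest-metric dimension populates which field. Describe what distinguishes them, for example by naming the Azure dimension each is derived from, or drop one if they are aliases. Replacing the wildcard `dimensions.*` object with this closed list of five keywords also means any other dimension Azure returns for this namespace no longer has an explicit keyword mapping; if that is intended (a fixed dimension set for time-series indexing), a short changelog mention would help the next maintainer.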
diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/agent/stream/stream.yml.hbs b/packages/azure_metrics/data_stream/compute_vm_scaleset/agent/stream/stream.yml.hbs
index 3111686d215..2e1da9624aa 100644
--- a/packages/azure_metrics/data_stream/compute_vm_scaleset/agent/stream/stream.yml.hbs
+++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/agent/stream/stream.yml.hbs
@@ -34,9 +34,8 @@ resources:
namespace: "Microsoft.Compute/virtualMachineScaleSets"
timegrain: "PT5M"
ignore_unsupported: true
- - name: ["Available Memory Bytes", "Percentage CPU", "Disk Read Bytes", "Disk Write Bytes", "Disk Read Operations/Sec", "Disk Write Operations/Sec", "Data Disk Read Bytes/sec", "Data Disk Write Bytes/sec", "Network Out Total",
- "Network In Total", "Data Disk Read Operations/Sec", "Data Disk Write Operations/Sec", "Data Disk Queue Depth", "Data Disk Bandwidth Consumed Percentage",
- "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows",
+ - name: ["Available Memory Bytes", "Percentage CPU", "Disk Read Bytes", "Disk Write Bytes", "Disk Read Operations/Sec", "Disk Write Operations/Sec", "Network Out Total",
+ "Network In Total", "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows",
"OS Disk Queue Depth", "OS Disk Write Operations/Sec", "OS Disk Read Operations/Sec", "OS Disk Write Bytes/sec", "OS Disk Read Bytes/sec"]
namespace: "Microsoft.Compute/virtualMachineScaleSets"
ignore_unsupported: true
@@ -44,6 +43,15 @@ resources:
dimensions:
- name: "VMName"
value: "*"
+ - name: ["Data Disk Read Bytes/sec", "Data Disk Write Bytes/sec", "Data Disk Read Operations/Sec", "Data Disk Write Operations/Sec", "Data Disk Queue Depth", "Data Disk Bandwidth Consumed Percentage"]
+ namespace: "Microsoft.Compute/virtualMachineScaleSets"
+ ignore_unsupported: true
+ timegrain: "PT5M"
+ dimensions:
+ - name: "VMName"
+ value: "*"
+ - name: "LUN"
+ value: "*"
- name: ["Memory\\Commit Limit", "Memory\\Committed Bytes", "Memory\\% Committed Bytes In Use", "Memory\\Available Bytes"]
namespace: "Azure.VM.Windows.GuestMetrics"
timegrain: "PT5M"
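Review bot: The new `Data Disk …` metric group with the `VMName`/`LUN` dimensions is pasted verbatim into three branches (this hunk and the ones at `@@ -61,16` and `@@ -88,16`), and the trimmed main metric list is edited in the same three places, so the copies can silently drift. If the template engine honours handlebars comments, a `{{!-- keep in sync with the other data-disk groups in this file --}}` line above each copy is a cheap guard; otherwise a note in the package README. Adding `LUN: "*"` also multiplies the series count per VM by the number of attached data disks, which is worth stating in the changelog if this data stream is time-series enabled.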
@@ -61,16 +69,24 @@ resources:
namespace: "Microsoft.Compute/virtualMachineScaleSets"
timegrain: "PT5M"
ignore_unsupported: true
- - name: ["Available Memory Bytes", "Percentage CPU", "Disk Read Bytes", "Disk Write Bytes", "Disk Read Operations/Sec", "Disk Write Operations/Sec", "Data Disk Read Bytes/sec", "Data Disk Write Bytes/sec", "Network Out Total",
- "Network In Total", "Data Disk Read Operations/Sec", "Data Disk Write Operations/Sec", "Data Disk Queue Depth", "Data Disk Bandwidth Consumed Percentage",
- "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows",
- "OS Disk Queue Depth", "OS Disk Write Operations/Sec", "OS Disk Read Operations/Sec", "OS Disk Write Bytes/sec", "OS Disk Read Bytes/sec"]
+ - name: ["Available Memory Bytes", "Percentage CPU", "Disk Read Bytes", "Disk Write Bytes", "Disk Read Operations/Sec", "Disk Write Operations/Sec", "Network Out Total",
+ "Network In Total", "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows",
+ "OS Disk Queue Depth", "OS Disk Write Operations/Sec", "OS Disk Read Operations/Sec", "OS Disk Write Bytes/sec", "OS Disk Read Bytes/sec"]
namespace: "Microsoft.Compute/virtualMachineScaleSets"
ignore_unsupported: true
timegrain: "PT5M"
dimensions:
- name: "VMName"
value: "*"
+ - name: ["Data Disk Read Bytes/sec", "Data Disk Write Bytes/sec", "Data Disk Read Operations/Sec", "Data Disk Write Operations/Sec", "Data Disk Queue Depth", "Data Disk Bandwidth Consumed Percentage"]
+ namespace: "Microsoft.Compute/virtualMachineScaleSets"
+ ignore_unsupported: true
+ timegrain: "PT5M"
+ dimensions:
+ - name: "VMName"
+ value: "*"
+ - name: "LUN"
+ value: "*"
- name: ["Memory\\Commit Limit", "Memory\\Committed Bytes", "Memory\\% Committed Bytes In Use", "Memory\\Available Bytes"]
namespace: "Azure.VM.Windows.GuestMetrics"
timegrain: "PT5M"
@@ -88,16 +104,24 @@ resources:
namespace: "Microsoft.Compute/virtualMachineScaleSets"
timegrain: "PT5M"
ignore_unsupported: true
- - name: ["Available Memory Bytes", "Percentage CPU", "Disk Read Bytes", "Disk Write Bytes", "Disk Read Operations/Sec", "Disk Write Operations/Sec", "Data Disk Read Bytes/sec", "Data Disk Write Bytes/sec", "Network Out Total",
- "Network In Total", "Data Disk Read Operations/Sec", "Data Disk Write Operations/Sec", "Data Disk Queue Depth", "Data Disk Bandwidth Consumed Percentage",
- "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows",
- "OS Disk Queue Depth", "OS Disk Write Operations/Sec", "OS Disk Read Operations/Sec", "OS Disk Write Bytes/sec", "OS Disk Read Bytes/sec"]
+ - name: ["Available Memory Bytes", "Percentage CPU", "Disk Read Bytes", "Disk Write Bytes", "Disk Read Operations/Sec", "Disk Write Operations/Sec", "Network Out Total",
+ "Network In Total", "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows",
+ "OS Disk Queue Depth", "OS Disk Write Operations/Sec", "OS Disk Read Operations/Sec", "OS Disk Write Bytes/sec", "OS Disk Read Bytes/sec"]
namespace: "Microsoft.Compute/virtualMachineScaleSets"
ignore_unsupported: true
timegrain: "PT5M"
dimensions:
- name: "VMName"
value: "*"
+ - name: ["Data Disk Read Bytes/sec", "Data Disk Write Bytes/sec", "Data Disk Read Operations/Sec", "Data Disk Write Operations/Sec", "Data Disk Queue Depth", "Data Disk Bandwidth Consumed Percentage"]
+ namespace: "Microsoft.Compute/virtualMachineScaleSets"
+ ignore_unsupported: true
+ timegrain: "PT5M"
+ dimensions:
+ - name: "VMName"
+ value: "*"
+ - name: "LUN"
+ value: "*"
- name: ["Memory\\Commit Limit", "Memory\\Committed Bytes", "Memory\\% Committed Bytes In Use", "Memory\\Available Bytes"]
namespace: "Azure.VM.Windows.GuestMetrics"
timegrain: "PT5M"
diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml
index da4e652c53b..ae1966205ad 100644
--- a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml
@@ -48,6 +48,7 @@
ignore_above: 1024
description: Region in which this host is running.
example: us-east-1
+ dimension: true
- name: project.id
type: keyword
description: Name of the project in Google Cloud.
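Review bot: `dimension: true` for the `region` field is placed after `example:` here, whereas the compute_vm `agent.yml` hunk in this diff puts it directly after `type: keyword`; keeping the key order identical across the two files makes later diffs easier to read, so move the line up to `type: keyword` / `dimension: true` / `ignore_above: 1024`. The compute_vm file also marks `instance.id` as a dimension while no such change is visible for this data stream; if that omission is deliberate for scale sets, a changelog note would help.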
@@ -62,26 +63,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/ecs.yml b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/ecs.yml
index c9ba9972270..0ef9d19c59d 100644
--- a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/ecs.yml
+++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/ecs.yml
@@ -15,3 +15,6 @@
external: ecs
- name: host
external: ecs
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/fields.yml b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/fields.yml
index f79d4ed50ad..8ab44d8386c 100644
--- a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/fields.yml
+++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/fields.yml
@@ -1,7 +1,128 @@
-- name: azure.compute_vm_scaleset.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- compute_vm_scaleset
-
+- name: azure.compute_vm_scaleset
+ type: group
+ fields:
+ - name: cpu_credits_remaining.avg
+ type: float
+ metric_type: gauge
+ description: Total number of credits available to burst. Only available on B-series burstable VMs
+ - name: cpu_credits_consumed.avg
+ type: float
+ metric_type: gauge
+ description: Total number of credits consumed by the Virtual Machine. Only available on B-series burstable VMs
+ - name: available_memory_bytes.avg
+ type: float
+ unit: byte
+ metric_type: gauge
+ description: Amount of physical memory, in bytes, immediately available for allocation to a process or for system use in the Virtual Machine
+ - name: percentage_cpu.avg
+ type: float
+ unit: percent
+ metric_type: gauge
+ description: The percentage of allocated compute units that are currently in use by the Virtual Machine(s)
+ - name: disk_read_bytes.total
+ type: float
+ unit: byte
+ metric_type: gauge
+ description: Bytes read from disk during monitoring period
+ - name: disk_write_bytes.total
+ type: float
+ unit: byte
+ metric_type: gauge
+ description: Bytes written to disk during monitoring period
+ - name: disk_read_operations_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Disk Read IOPS
+ - name: disk_write_operations_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Disk Write IOPS
+ - name: data_disk_read_bytes_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Bytes/Sec read from a single disk during monitoring period
+ - name: data_disk_write_bytes_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Bytes/Sec written to a single disk during monitoring period
+ - name: network_out_total.total
+ type: float
+ metric_type: gauge
+ description: The number of bytes out on all network interfaces by the Virtual Machine(s) (Outgoing Traffic)
+ - name: network_in_total.total
+ type: float
+ metric_type: gauge
+ description: The number of bytes received on all network interfaces by the Virtual Machine(s) (Incoming Traffic)
+ - name: data_disk_read_operations_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Read IOPS from a single disk during monitoring period
+ - name: data_disk_write_operations_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Write IOPS from a single disk during monitoring period
+ - name: data_disk_queue_depth.avg
+ type: float
+ metric_type: gauge
+ description: Data Disk Queue Depth(or Queue Length)
+ - name: data_disk_bandwidth_consumed_percentage.avg
+ type: float
+ unit: percent
+ metric_type: gauge
+ description: Percentage of data disk bandwidth consumed per minute
+ - name: outbound_flows_maximum_creation_rate.avg
+ type: float
+ metric_type: gauge
+ description: The maximum creation rate of outbound flows (traffic going out of the VM)
+ - name: inbound_flows_maximum_creation_rate.avg
+ type: float
+ metric_type: gauge
+ description: The maximum creation rate of inbound flows (traffic going into the VM)
+ - name: outbound_flows.avg
+ type: float
+ metric_type: gauge
+ description: Outbound Flows are number of current flows in the outbound direction (traffic going out of the VM)
+ - name: inbound_flows.avg
+ type: float
+ metric_type: gauge
+ description: Inbound Flows are number of current flows in the inbound direction (traffic going into the VM)
+ - name: os_disk_queue_depth.avg
+ type: float
+ metric_type: gauge
+ description: OS Disk Queue Depth(or Queue Length)
+ - name: os_disk_write_operations_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Write IOPS from a single disk during monitoring period for OS disk
+ - name: os_disk_read_operations_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Read IOPS from a single disk during monitoring period for OS disk
+ - name: os_disk_write_bytes_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Bytes/Sec written to a single disk during monitoring period for OS disk
+ - name: os_disk_read_bytes_per_sec.avg
+ type: float
+ metric_type: gauge
+ description: Bytes/Sec read from a single disk during monitoring period for OS disk
+ - name: memory_commit_limit.avg
+ unit: byte
+ type: float
+ metric_type: gauge
+ description: Memory commit limit
+ - name: memory_committed_bytes.avg
+ unit: byte
+ type: float
+ metric_type: gauge
+ description: Committed Bytes is the amount of committed virtual memory, in bytes. Committed memory is the physical memory which has space reserved on the disk paging file(s). There can be one or more paging files on each physical drive. This counter displays the last observed value only.
+ - name: memory_pct_committed_bytes_in_use.avg
+ type: float
+ unit: percent
+ metric_type: gauge
+ description: Committed Bytes In Use is the ratio of Memory \ Committed Bytes to the Memory \ Commit Limit. Committed memory is the physical memory in use for which space has been reserved in the paging file should it need to be written to disk. The commit limit is determined by the size of the paging file. If the paging file is enlarged, the commit limit increases, and the ratio is reduced). This value displays the current percentage value only.
+ - name: memory_available_bytes.avg
+ unit: byte
+ type: float
+ metric_type: gauge
+ description: Available Bytes is the amount of physical memory, in bytes, immediately available for allocation to a process or for system use. It is equal to the sum of memory assigned to the standby (cached), free and zero page lists.
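Review bot: Four byte-valued metrics are declared without `unit: byte` although their descriptions say bytes: `disk_read_bytes.total`, `disk_write_bytes.total`, `network_out_total.total` and `network_in_total.total`, while `available_memory_bytes.avg` and the `memory_*` fields do carry it. Adding `unit: byte` under each of the four keeps Lens formatting consistent with the other byte fields. The `unit`/`type` key order is also flipped for `memory_commit_limit.avg`, `memory_committed_bytes.avg` and `memory_available_bytes.avg` relative to the rest of the list.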
diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml
index 28fa99283bd..02b1fa45f43 100644
--- a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml
+++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml
@@ -3,6 +3,7 @@
description: ""
fields:
- name: timegrain
+ dimension: true
type: keyword
description: >
The Azure metric timegrain
@@ -25,6 +26,7 @@
- name: id
type: keyword
+ dimension: true
description: >
The id of the resource
@@ -55,17 +57,18 @@
description: >
The application ID
- - name: dimensions.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: >
- Azure metric dimensions.
-
- - name: metrics.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- Metrics returned.
-
+ - name: dimensions
+ type: group
+ fields:
+ - name: "vmname"
+ type: keyword
+ dimension: true
+ description: The VM name
+ - name: "virtual_machine"
+ type: keyword
+ dimension: true
+ description: The VM name
+ - name: "lun"
+ type: keyword
+ dimension: true
+ description: Logical Unit Number is a number that is used to identify a specific storage device
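Review bot: The new `dimensions` group describes both `vmname` and `virtual_machine` as `The VM name`, so a reader cannot tell which Azure metric dimension each field is populated from or why both are needed as series dimensions; give each a distinct description that names its source dimension, or add a one-line comment above the pair explaining that different scale-set metrics report the VM name under different dimension names, if that is the reason. The hunk also removes the dynamic `metrics.*.*` mapping without a replacement in this file; if the explicit metric fields live in this data stream's fields.yml that is fine, but any metric the stream collects that is not declared there loses its float mapping.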
diff --git a/packages/azure_metrics/data_stream/container_instance/_dev/test/pipeline/test-azure-metrics-container-instance.json b/packages/azure_metrics/data_stream/container_instance/_dev/test/pipeline/test-azure-metrics-container-instance.json
index 1ae15e04e3c..4bb2ad2e279 100644
--- a/packages/azure_metrics/data_stream/container_instance/_dev/test/pipeline/test-azure-metrics-container-instance.json
+++ b/packages/azure_metrics/data_stream/container_instance/_dev/test/pipeline/test-azure-metrics-container-instance.json
@@ -50,7 +50,7 @@
"azure": {
"subscription_id": "70bd6e77-4b1e-4835-8896-db77b8eef364",
"timegrain": "PT5M",
- "monitor": {
+ "metrics": {
"network_bytes_transmitted_per_second": {
"avg": 0
},
diff --git a/packages/azure_metrics/data_stream/container_instance/elasticsearch/ingest_pipeline/default.yml b/packages/azure_metrics/data_stream/container_instance/elasticsearch/ingest_pipeline/default.yml
index bfbbac4471d..37126d4a4f5 100644
--- a/packages/azure_metrics/data_stream/container_instance/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure_metrics/data_stream/container_instance/elasticsearch/ingest_pipeline/default.yml
@@ -5,7 +5,7 @@ processors:
field: ecs.version
value: "8.0.0"
- rename:
- field: azure.monitor
+ field: azure.metrics
target_field: azure.container_instance
ignore_missing: true
on_failure:
diff --git a/packages/azure_metrics/data_stream/container_instance/fields/agent.yml b/packages/azure_metrics/data_stream/container_instance/fields/agent.yml
index da4e652c53b..ae1966205ad 100644
--- a/packages/azure_metrics/data_stream/container_instance/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/container_instance/fields/agent.yml
@@ -48,6 +48,7 @@
ignore_above: 1024
description: Region in which this host is running.
example: us-east-1
+ dimension: true
- name: project.id
type: keyword
description: Name of the project in Google Cloud.
@@ -62,26 +63,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
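Review bot: Removing `container.id`, `container.image.name` and `container.name` from agent.yml leaves those ECS fields undeclared for this data stream unless ecs.yml lists `container` as an external ECS field, which the ecs.yml hunk below does not show (only `host` and the new `agent.id` are visible); please confirm, since undeclared fields either get dynamic mappings or fail pipeline tests depending on the template's dynamic setting. The `dimension: true` added near the top of the hunk attaches to a field whose `name:` line is outside the hunk (the context reads like `cloud.region`); a one-line `#` comment recording why it is a dimension, as container_instance/fields/package-fields.yml does for `timegrain` and `id`, would help the next maintainer. The same two changes recur in container_registry/fields/agent.yml and container_service/fields/agent.yml.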
diff --git a/packages/azure_metrics/data_stream/container_instance/fields/ecs.yml b/packages/azure_metrics/data_stream/container_instance/fields/ecs.yml
index c9ba9972270..0ef9d19c59d 100644
--- a/packages/azure_metrics/data_stream/container_instance/fields/ecs.yml
+++ b/packages/azure_metrics/data_stream/container_instance/fields/ecs.yml
@@ -15,3 +15,6 @@
external: ecs
- name: host
external: ecs
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/azure_metrics/data_stream/container_instance/fields/fields.yml b/packages/azure_metrics/data_stream/container_instance/fields/fields.yml
index a8b40675349..0aadce33131 100644
--- a/packages/azure_metrics/data_stream/container_instance/fields/fields.yml
+++ b/packages/azure_metrics/data_stream/container_instance/fields/fields.yml
@@ -1,7 +1,34 @@
-- name: azure.container_instance.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- container instance
-
+- name: azure.container_instance
+ type: group
+ fields:
+ - name: cpu_usage.avg
+ type: float
+ metric_type: gauge
+ description: CPU usage on all cores in millicores.
+ - name: memory_usage.avg
+ type: float
+ metric_type: gauge
+ unit: byte
+ description: Total memory usage in byte.
+ - name: network_bytes_received_per_second.avg
+ type: float
+ metric_type: gauge
+ unit: byte
+ description: The network bytes received per second.
+ - name: network_bytes_transmitted_per_second.avg
+ type: float
+ metric_type: gauge
+ unit: byte
+ description: The network bytes transmitted per second.
+- name: azure.metrics.cpu_usage.avg
+ type: alias
+ path: azure.container_instance.cpu_usage.avg
+- name: azure.metrics.memory_usage.avg
+ type: alias
+ path: azure.container_instance.memory_usage.avg
+- name: azure.metrics.network_bytes_received_per_second.avg
+ type: alias
+ path: azure.container_instance.network_bytes_received_per_second.avg
+- name: azure.metrics.network_bytes_transmitted_per_second.avg
+ type: alias
+ path: azure.container_instance.network_bytes_transmitted_per_second.avg
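Review bot: The four `azure.metrics.*.avg` aliases at the bottom of this hunk collide with the `metrics` group that the container_instance/fields/package-fields.yml hunk in this same commit adds under the `azure` group, which declares `azure.metrics.cpu_usage.avg` and the other three as concrete `float` fields; the same field path is then defined twice with different types and which one wins depends on merge order in the package build. Since the ingest pipeline renames `azure.metrics` to `azure.container_instance`, the aliases are the version that matches the documents, so the `metrics` group in package-fields.yml should go (the container_registry and container_service package-fields.yml hunks in this commit only add a `dimensions` group). Separately, `unit: byte` on the two `*_per_second.avg` fields labels a rate as a byte quantity; if the field spec offers no per-second unit, omit `unit` and keep the unit in the name and description, and `Total memory usage in byte.` reads better as `Total memory usage in bytes.`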
diff --git a/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml b/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml
index 28fa99283bd..6b49881a897 100644
--- a/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml
+++ b/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml
@@ -2,7 +2,9 @@
type: group
description: ""
fields:
+ # Reason to add as a dimension field: the same metric can be pulled multiple times, but with the different granularity
- name: timegrain
+ dimension: true
type: keyword
description: >
The Azure metric timegrain
@@ -23,8 +25,11 @@
description: >
The name of the resource
+ # Reason to add as a dimension field: it is an unique global resource identifier in the region
+ # format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
- name: id
type: keyword
+ dimension: true
description: >
The id of the resource
@@ -55,17 +60,32 @@
description: >
The application ID
- - name: dimensions.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: >
- Azure metric dimensions.
-
- - name: metrics.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- Metrics returned.
-
+ - name: dimensions
+ type: group
+ fields:
+ - name: container_name
+ type: keyword
+ dimension: true
+ description: The container name
+ - name: metrics
+ type: group
+ fields:
+ - name: cpu_usage.avg
+ type: float
+ metric_type: gauge
+ description: CPU usage on all cores in millicores.
+ - name: memory_usage.avg
+ type: float
+ metric_type: gauge
+ unit: byte
+ description: Total memory usage in byte.
+ - name: network_bytes_received_per_second.avg
+ type: float
+ metric_type: gauge
+ unit: byte
+ description: The network bytes received per second.
+ - name: network_bytes_transmitted_per_second.avg
+ type: float
+ metric_type: gauge
+ unit: byte
+ description: The network bytes transmitted per second.
diff --git a/packages/azure_metrics/data_stream/container_registry/agent/stream/stream.yml.hbs b/packages/azure_metrics/data_stream/container_registry/agent/stream/stream.yml.hbs
index 620ac99cc75..41f6c868428 100644
--- a/packages/azure_metrics/data_stream/container_registry/agent/stream/stream.yml.hbs
+++ b/packages/azure_metrics/data_stream/container_registry/agent/stream/stream.yml.hbs
@@ -33,7 +33,10 @@ resources:
timegrain: "PT5M"
- name: ["StorageUsed"]
namespace: "Microsoft.ContainerRegistry/registries"
- timegrain: "PT1H"
+ timegrain: "PT1H"
+ dimensions:
+ - name: "Geolocation"
+ value: "*"
{{/each}}
{{/if}}
{{#if resource_ids}}
@@ -47,6 +50,9 @@ resources:
- name: ["StorageUsed"]
namespace: "Microsoft.ContainerRegistry/registries"
timegrain: "PT1H"
+ dimensions:
+ - name: "Geolocation"
+ value: "*"
{{/each}}
{{/if}}
@@ -64,6 +70,9 @@ resources:
timegrain: "PT5M"
- name: ["StorageUsed"]
namespace: "Microsoft.ContainerRegistry/registries"
- timegrain: "PT1H"
+ timegrain: "PT1H"
+ dimensions:
+ - name: "Geolocation"
+ value: "*"
{{/unless}}
-{{/unless}}
\ No newline at end of file
+{{/unless}}
diff --git a/packages/azure_metrics/data_stream/container_registry/fields/agent.yml b/packages/azure_metrics/data_stream/container_registry/fields/agent.yml
index da4e652c53b..ae1966205ad 100644
--- a/packages/azure_metrics/data_stream/container_registry/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/container_registry/fields/agent.yml
@@ -48,6 +48,7 @@
ignore_above: 1024
description: Region in which this host is running.
example: us-east-1
+ dimension: true
- name: project.id
type: keyword
description: Name of the project in Google Cloud.
@@ -62,26 +63,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
diff --git a/packages/azure_metrics/data_stream/container_registry/fields/ecs.yml b/packages/azure_metrics/data_stream/container_registry/fields/ecs.yml
index c9ba9972270..0ef9d19c59d 100644
--- a/packages/azure_metrics/data_stream/container_registry/fields/ecs.yml
+++ b/packages/azure_metrics/data_stream/container_registry/fields/ecs.yml
@@ -15,3 +15,6 @@
external: ecs
- name: host
external: ecs
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/azure_metrics/data_stream/container_registry/fields/fields.yml b/packages/azure_metrics/data_stream/container_registry/fields/fields.yml
index 2126ed6bdbf..9af75a0c2bb 100644
--- a/packages/azure_metrics/data_stream/container_registry/fields/fields.yml
+++ b/packages/azure_metrics/data_stream/container_registry/fields/fields.yml
@@ -1,7 +1,34 @@
-- name: azure.container_registry.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- container registry
-
+- name: azure.container_registry
+ type: group
+ fields:
+ - name: successful_pull_count.total
+ type: float
+ metric_type: gauge
+ description: Number of successful image pulls
+ - name: successful_push_count.total
+ type: float
+ metric_type: gauge
+ description: Number of successful image pushes
+ - name: total_pull_count.total
+ type: float
+ metric_type: gauge
+ description: Number of image pulls in total
+ - name: total_push_count.total
+ type: float
+ metric_type: gauge
+ description: Number of image pushes in total
+ - name: run_duration.total
+ type: float
+ metric_type: gauge
+ unit: ms
+ description: ACR tasks run duration in milliseconds
+ - name: agent_pool_cpu_time.total
+ type: float
+ metric_type: gauge
+ unis: s
+ description: AgentPool CPU Time in seconds
+ - name: storage_used.avg
+ type: float
+ metric_type: gauge
+ unit: byte
+ description: The amount of storage used by the container registry. For a registry account, it's the sum of capacity used by all the repositories within a registry. It's sum of capacity used by shared layers, manifest files, and replica copies in each of its repositories.
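Review bot: `unis: s` under `agent_pool_cpu_time.total` is a typo for `unit: s`; as written the seconds unit is silently lost, or rejected by the field-spec validator depending on how strict it is, while the neighbouring `run_duration.total` correctly uses `unit: ms`. Change the line to `unit: s`. As with the other fields.yml rewrites in this commit, the explicit list replaces the old `*.*` catch-all, so any metric the container_registry stream collects that is not one of these seven is no longer mapped as float; the stream template hunk above only shows `StorageUsed`, so the rest could not be cross-checked here.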
diff --git a/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml b/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml
index 28fa99283bd..3dc39b31b4b 100644
--- a/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml
+++ b/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml
@@ -4,6 +4,7 @@
fields:
- name: timegrain
type: keyword
+ dimension: true
description: >
The Azure metric timegrain
@@ -25,6 +26,7 @@
- name: id
type: keyword
+ dimension: true
description: >
The id of the resource
@@ -55,17 +57,10 @@
description: >
The application ID
- - name: dimensions.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: >
- Azure metric dimensions.
-
- - name: metrics.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- Metrics returned.
-
+ - name: dimensions
+ type: group
+ fields:
+ - name: "geolocation"
+ type: keyword
+ dimension: true
+ description: Geolocation of the container registry
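Review bot: The mapped dimension field is `geolocation` (lowercase) while the stream template in this commit requests the Azure dimension as `"Geolocation"`; this only lines up if the azure metricbeat module lowercases dimension names before emitting `azure.dimensions.*`, which nothing in this diff demonstrates (the container_service fixture's `node`/`condition`/`status` keys are lowercase at the source). Please confirm against a real event, or add a pipeline test fixture for this data stream that carries the dimension, since a `Geolocation` key would bypass the mapping and the `dimension: true` flag. A short `#` comment above the field noting the case normalization would save the next reader the same question.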
diff --git a/packages/azure_metrics/data_stream/container_service/_dev/test/pipeline/test-azure-container-service.json b/packages/azure_metrics/data_stream/container_service/_dev/test/pipeline/test-azure-container-service.json
new file mode 100644
index 00000000000..18c57694440
--- /dev/null
+++ b/packages/azure_metrics/data_stream/container_service/_dev/test/pipeline/test-azure-container-service.json
@@ -0,0 +1,109 @@
+{
+ "events": [
+ {
+ "cloud": {
+ "provider": "azure",
+ "region": "eastus"
+ },
+ "agent": {
+ "name": "nuc",
+ "id": "07a32214-3f86-4708-b777-0a6b6704cede",
+ "ephemeral_id": "31e495a5-0448-493f-9edb-6c6c236821ed",
+ "type": "metricbeat",
+ "version": "8.6.2"
+ },
+ "@timestamp": "2023-08-27T17:52:00.000Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "service": {
+ "type": "azure"
+ },
+ "data_stream": {
+ "namespace": "default",
+ "type": "metrics",
+ "dataset": "azure.container_service"
+ },
+ "elastic_agent": {
+ "id": "07a32214-3f86-4708-b777-0a6b6704cede",
+ "version": "8.6.2",
+ "snapshot": false
+ },
+ "host": {
+ "hostname": "nuc",
+ "os": {
+ "kernel": "5.15.0-52-generic",
+ "codename": "focal",
+ "name": "Ubuntu",
+ "type": "linux",
+ "family": "debian",
+ "version": "20.04.6 LTS (Focal Fossa)",
+ "platform": "ubuntu"
+ },
+ "containerized": false,
+ "ip": [
+ "10.0.4.95",
+ "fd9e:5faf:a45e:4bdc:2569:fc55:7ac4:e2aa",
+ "fd9e:5faf:a45e:4bdc:f2f7:f043:7ff6:7c1",
+ "fd9e:5faf:a45e:4bdc:e079:d89c:d3a7:201c",
+ "fd9e:5faf:a45e:4bdc:a259:581f:d58b:c4fa",
+ "fd9e:5faf:a45e:4bdc:430e:e01f:a39c:f9df",
+ "fd9e:5faf:a45e:4bdc:7fc9:94ef:e42f:f37c",
+ "fd9e:5faf:a45e:4bdc:3408:7540:8aca:3575",
+ "fd9e:5faf:a45e:4bdc:513b:644e:d740:ecb4",
+ "fe80::2712:5fda:480a:f33a",
+ "172.17.0.1",
+ "fe80::42:81ff:fe96:c5ac",
+ "172.27.0.1",
+ "fe80::42:71ff:fe31:ec12",
+ "fe80::6864:14ff:fec8:2034"
+ ],
+ "name": "nuc",
+ "id": "edc1194d71414665a9facb567d76caea",
+ "mac": [
+ "02-42-71-31-EC-12",
+ "02-42-81-96-C5-AC",
+ "6A-64-14-C8-20-34",
+ "80-86-F2-96-BD-5B",
+ "C0-3F-D5-69-24-DC"
+ ],
+ "architecture": "x86_64"
+ },
+ "metricset": {
+ "period": 300000,
+ "name": "monitor"
+ },
+ "event": {
+ "duration": 6338886808,
+ "agent_id_status": "verified",
+ "ingested": "2023-08-27T17:57:19Z",
+ "module": "azure",
+ "dataset": "azure.container_service"
+ },
+ "azure": {
+ "subscription_id": "a2960656-390f-47b5-a154-b048d34ab096",
+ "timegrain": "PT5M",
+ "container_service": {
+ "kube_node_status_condition": {
+ "avg": 1
+ }
+ },
+ "resource": {
+ "name": "test",
+ "id": "/subscriptions/a2960656-390f-47b5-a154-b048d34ab096/resourceGroups/test_group/providers/Microsoft.ContainerService/managedClusters/test",
+ "type": "Microsoft.ContainerService/managedClusters",
+ "group": "test_group",
+ "tags": {
+ "custodian_status": "Resource does not meet policy: delete@2023/09/26"
+ }
+ },
+ "namespace": "Microsoft.ContainerService/managedClusters",
+ "dimensions": {
+ "node": "aks-agentpool-12628255-vmss000002",
+ "condition": "KubeletProblem",
+ "status": "False"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
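Review bot: The input event already carries the metrics under `azure.container_service` (the `"container_service": { "kube_node_status_condition": …` object near the end), so the pipeline's `rename` of `azure.metrics` to `azure.container_service` is never exercised; the container_instance fixture earlier in this commit uses `"metrics"` as the input key, and this one should too so the expected file actually proves the rename. The only processor the fixture currently covers is the lowercasing of `azure.dimensions.status` (`"False"` to `"false"`). The `host.ip` and `host.mac` lists also look like a real machine's interface inventory copied from a live event; a trimmed synthetic set would serve the test equally well. Both new JSON files also lack a trailing newline.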
diff --git a/packages/azure_metrics/data_stream/container_service/_dev/test/pipeline/test-azure-container-service.json-expected.json b/packages/azure_metrics/data_stream/container_service/_dev/test/pipeline/test-azure-container-service.json-expected.json
new file mode 100644
index 00000000000..b3d6388c9f5
--- /dev/null
+++ b/packages/azure_metrics/data_stream/container_service/_dev/test/pipeline/test-azure-container-service.json-expected.json
@@ -0,0 +1,109 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-08-27T17:52:00.000Z",
+ "agent": {
+ "ephemeral_id": "31e495a5-0448-493f-9edb-6c6c236821ed",
+ "id": "07a32214-3f86-4708-b777-0a6b6704cede",
+ "name": "nuc",
+ "type": "metricbeat",
+ "version": "8.6.2"
+ },
+ "azure": {
+ "container_service": {
+ "kube_node_status_condition": {
+ "avg": 1
+ }
+ },
+ "dimensions": {
+ "condition": "KubeletProblem",
+ "node": "aks-agentpool-12628255-vmss000002",
+ "status": "false"
+ },
+ "namespace": "Microsoft.ContainerService/managedClusters",
+ "resource": {
+ "group": "test_group",
+ "id": "/subscriptions/a2960656-390f-47b5-a154-b048d34ab096/resourceGroups/test_group/providers/Microsoft.ContainerService/managedClusters/test",
+ "name": "test",
+ "tags": {
+ "custodian_status": "Resource does not meet policy: delete@2023/09/26"
+ },
+ "type": "Microsoft.ContainerService/managedClusters"
+ },
+ "subscription_id": "a2960656-390f-47b5-a154-b048d34ab096",
+ "timegrain": "PT5M"
+ },
+ "cloud": {
+ "provider": "azure",
+ "region": "eastus"
+ },
+ "data_stream": {
+ "dataset": "azure.container_service",
+ "namespace": "default",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "07a32214-3f86-4708-b777-0a6b6704cede",
+ "snapshot": false,
+ "version": "8.6.2"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "azure.container_service",
+ "duration": 6338886808,
+ "ingested": "2023-08-27T17:57:19Z",
+ "module": "azure"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": false,
+ "hostname": "nuc",
+ "id": "edc1194d71414665a9facb567d76caea",
+ "ip": [
+ "10.0.4.95",
+ "fd9e:5faf:a45e:4bdc:2569:fc55:7ac4:e2aa",
+ "fd9e:5faf:a45e:4bdc:f2f7:f043:7ff6:7c1",
+ "fd9e:5faf:a45e:4bdc:e079:d89c:d3a7:201c",
+ "fd9e:5faf:a45e:4bdc:a259:581f:d58b:c4fa",
+ "fd9e:5faf:a45e:4bdc:430e:e01f:a39c:f9df",
+ "fd9e:5faf:a45e:4bdc:7fc9:94ef:e42f:f37c",
+ "fd9e:5faf:a45e:4bdc:3408:7540:8aca:3575",
+ "fd9e:5faf:a45e:4bdc:513b:644e:d740:ecb4",
+ "fe80::2712:5fda:480a:f33a",
+ "172.17.0.1",
+ "fe80::42:81ff:fe96:c5ac",
+ "172.27.0.1",
+ "fe80::42:71ff:fe31:ec12",
+ "fe80::6864:14ff:fec8:2034"
+ ],
+ "mac": [
+ "02-42-71-31-EC-12",
+ "02-42-81-96-C5-AC",
+ "6A-64-14-C8-20-34",
+ "80-86-F2-96-BD-5B",
+ "C0-3F-D5-69-24-DC"
+ ],
+ "name": "nuc",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "5.15.0-52-generic",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "monitor",
+ "period": 300000
+ },
+ "service": {
+ "type": "azure"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/azure_metrics/data_stream/container_service/agent/stream/stream.yml.hbs b/packages/azure_metrics/data_stream/container_service/agent/stream/stream.yml.hbs
index 9ac3a4ace24..2f0eda75a2d 100644
--- a/packages/azure_metrics/data_stream/container_service/agent/stream/stream.yml.hbs
+++ b/packages/azure_metrics/data_stream/container_service/agent/stream/stream.yml.hbs
@@ -43,13 +43,28 @@ resources:
namespace: "Microsoft.ContainerService/managedClusters"
ignore_unsupported: true
timegrain: "PT5M"
- - name: ["kube_pod_status_ready", "kube_pod_status_phase"]
+ - name: ["kube_pod_status_ready"]
namespace: "Microsoft.ContainerService/managedClusters"
ignore_unsupported: true
timegrain: "PT5M"
dimensions:
- name: "pod"
- value: "*"
+ value: "*"
+ - name: "namespace"
+ value: "*"
+ - name: "condition"
+ value: "*"
+ - name: ["kube_pod_status_phase"]
+ namespace: "Microsoft.ContainerService/managedClusters"
+ ignore_unsupported: true
+ timegrain: "PT5M"
+ dimensions:
+ - name: "pod"
+ value: "*"
+ - name: "namespace"
+ value: "*"
+ - name: "phase"
+ value: "*"
{{/each}}
{{/if}}
{{#if resource_ids}}
@@ -71,13 +86,28 @@ resources:
namespace: "Microsoft.ContainerService/managedClusters"
ignore_unsupported: true
timegrain: "PT5M"
- - name: ["kube_pod_status_ready", "kube_pod_status_phase"]
+ - name: ["kube_pod_status_ready"]
namespace: "Microsoft.ContainerService/managedClusters"
ignore_unsupported: true
timegrain: "PT5M"
dimensions:
- name: "pod"
value: "*"
+ - name: "namespace"
+ value: "*"
+ - name: "condition"
+ value: "*"
+ - name: ["kube_pod_status_phase"]
+ namespace: "Microsoft.ContainerService/managedClusters"
+ ignore_unsupported: true
+ timegrain: "PT5M"
+ dimensions:
+ - name: "pod"
+ value: "*"
+ - name: "namespace"
+ value: "*"
+ - name: "phase"
+ value: "*"
{{/each}}
{{/if}}
@@ -105,12 +135,27 @@ resources:
namespace: "Microsoft.ContainerService/managedClusters"
ignore_unsupported: true
timegrain: "PT5M"
- - name: ["kube_pod_status_ready", "kube_pod_status_phase"]
+ - name: ["kube_pod_status_ready"]
namespace: "Microsoft.ContainerService/managedClusters"
ignore_unsupported: true
timegrain: "PT5M"
dimensions:
- name: "pod"
- value: "*"
+ value: "*"
+ - name: "namespace"
+ value: "*"
+ - name: "condition"
+ value: "*"
+ - name: ["kube_pod_status_phase"]
+ namespace: "Microsoft.ContainerService/managedClusters"
+ ignore_unsupported: true
+ timegrain: "PT5M"
+ dimensions:
+ - name: "pod"
+ value: "*"
+ - name: "namespace"
+ value: "*"
+ - name: "phase"
+ value: "*"
{{/unless}}
-{{/unless}}
\ No newline at end of file
+{{/unless}}
diff --git a/packages/azure_metrics/data_stream/container_service/elasticsearch/ingest_pipeline/default.yml b/packages/azure_metrics/data_stream/container_service/elasticsearch/ingest_pipeline/default.yml
index e8f65cbc194..c8ae46bc311 100644
--- a/packages/azure_metrics/data_stream/container_service/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure_metrics/data_stream/container_service/elasticsearch/ingest_pipeline/default.yml
@@ -4,6 +4,10 @@ processors:
- set:
field: ecs.version
value: "8.0.0"
+ - lowercase:
+ field: azure.dimensions.status
+ ignore_missing: true
+ description: Normalize the `azure.dimentions.status` field value to lowercase. Values from Azure come in lowercase and capitalized versions (e.g., True/true/False/false).
- rename:
field: azure.metrics
target_field: azure.container_service
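Review bot: The `description` on the new `lowercase` processor misspells the field as `azure.dimentions.status` while the `field:` line above it reads `azure.dimensions.status`; use the same spelling so the description matches the configured field, e.g. `description: Normalize the azure.dimensions.status value to lowercase; Azure reports it as both capitalized and lowercase (True/true, False/false).` The `rename` processor that follows begins in the hunk but its failure handling continues outside it.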
diff --git a/packages/azure_metrics/data_stream/container_service/fields/agent.yml b/packages/azure_metrics/data_stream/container_service/fields/agent.yml
index da4e652c53b..ae1966205ad 100644
--- a/packages/azure_metrics/data_stream/container_service/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/container_service/fields/agent.yml
@@ -48,6 +48,7 @@
ignore_above: 1024
description: Region in which this host is running.
example: us-east-1
+ dimension: true
- name: project.id
type: keyword
description: Name of the project in Google Cloud.
@@ -62,26 +63,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
diff --git a/packages/azure_metrics/data_stream/container_service/fields/ecs.yml b/packages/azure_metrics/data_stream/container_service/fields/ecs.yml
index c9ba9972270..0ef9d19c59d 100644
--- a/packages/azure_metrics/data_stream/container_service/fields/ecs.yml
+++ b/packages/azure_metrics/data_stream/container_service/fields/ecs.yml
@@ -15,3 +15,6 @@
external: ecs
- name: host
external: ecs
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/azure_metrics/data_stream/container_service/fields/fields.yml b/packages/azure_metrics/data_stream/container_service/fields/fields.yml
index 00416225f87..85d3cd25f33 100644
--- a/packages/azure_metrics/data_stream/container_service/fields/fields.yml
+++ b/packages/azure_metrics/data_stream/container_service/fields/fields.yml
@@ -1,7 +1,23 @@
-- name: azure.container_service.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- container service
-
+- name: azure.container_service
+ type: group
+ fields:
+ - name: kube_node_status_condition.avg
+ type: float
+ metric_type: gauge
+ description: Statuses for various node conditions
+ - name: kube_node_status_allocatable_cpu_cores.avg
+ type: float
+ metric_type: gauge
+ description: Total number of available cpu cores in a managed cluster
+ - name: kube_node_status_allocatable_memory_bytes.avg
+ type: float
+ metric_type: gauge
+ description: Total amount of available memory in a managed cluster
+ - name: kube_pod_status_ready.avg
+ type: float
+ metric_type: gauge
+ description: Number of pods in Ready state
+ - name: kube_pod_status_phase.avg
+ type: float
+ metric_type: gauge
+ description: Number of pods by phase
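Review bot: `kube_node_status_allocatable_memory_bytes.avg` is declared without `unit: byte`, while the byte-valued metrics in container_instance/fields/fields.yml in this same commit carry `unit: byte`; add `unit: byte` here so units are consistent across the package. `kube_pod_status_ready.avg` and `kube_pod_status_phase.avg` are described as pod counts but, being `.avg` over the collection period, are correctly `float` gauges; a few words in each description saying the value is the period average of the count would make the suffix self-explanatory.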
diff --git a/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml b/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml
index 28fa99283bd..052de7832b1 100644
--- a/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml
+++ b/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml
@@ -4,6 +4,7 @@
fields:
- name: timegrain
type: keyword
+ dimension: true
description: >
The Azure metric timegrain
@@ -25,6 +26,7 @@
- name: id
type: keyword
+ dimension: true
description: >
The id of the resource
@@ -55,17 +57,29 @@
description: >
The application ID
- - name: dimensions.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: >
- Azure metric dimensions.
-
- - name: metrics.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- Metrics returned.
-
+ - name: dimensions
+ type: group
+ fields:
+ - name: node
+ type: keyword
+ dimension: true
+ description: Node name
+ - name: status
+ type: keyword
+ description: Statuses for various node conditions
+ - name: condition
+ type: keyword
+ dimension: true
+ description: Pod or Node conditions
+ - name: pod
+ type: keyword
+ dimension: true
+ description: Pod name
+ - name: namespace
+ type: keyword
+ dimension: true
+ description: Pod namespace
+ - name: phase
+ type: keyword
+ dimension: true
+ description: Pod phase
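Review bot: `status` is the only field in the new `dimensions` group without `dimension: true`, yet the container_service test fixture in this commit shows `kube_node_status_condition` arriving with `node`, `condition` and `status` together; if this data stream is indexed in `time_series` mode, the `true` and `false` series for the same node and condition share a timestamp and would map to the same `_tsid`, so one of them is dropped or overwritten. Add `dimension: true` to `status` (the pipeline now lowercases it, so its values are stable), or leave a `#` comment saying why it is deliberately excluded. Its description `Statuses for various node conditions` also repeats the metric's description in fields.yml; `description: Status value (true/false) of the node condition` would distinguish the dimension from the metric.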
diff --git a/packages/azure_metrics/data_stream/database_account/agent/stream/stream.yml.hbs b/packages/azure_metrics/data_stream/database_account/agent/stream/stream.yml.hbs
index c53e27efd9d..b0be4ccb8ca 100644
--- a/packages/azure_metrics/data_stream/database_account/agent/stream/stream.yml.hbs
+++ b/packages/azure_metrics/data_stream/database_account/agent/stream/stream.yml.hbs
@@ -31,14 +31,22 @@ resources:
- name: ["AddRegion", "RemoveRegion", "UpdateAccountReplicationSettings", "UpdateAccountNetworkSettings", "UpdateAccountKeys", "ServiceAvailability", "ReplicationLatency",
"RegionFailover", "DeleteAccount", "CreateAccount", "UpdateDiagnosticsSettings"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
- - name: ["AvailableStorage", "DataUsage","DocumentCount", "DocumentQuota", "IndexUsage", "MetadataRequests", "MongoRequestCharge", "MongoRequests", "MongoRequestsCount",
- "MongoRequestsInsert", "MongoRequestsDelete", "MongoRequestsQuery", "MongoRequestsUpdate","ProvisionedThroughput", "NormalizedRUConsumption"]
+ - name: ["AvailableStorage", "DataUsage","DocumentCount", "DocumentQuota", "IndexUsage", "MetadataRequests", "MongoRequestCharge", "NormalizedRUConsumption", "ProvisionedThroughput"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
ignore_unsupported: true
timegrain: "PT5M"
dimensions:
- name: "DatabaseName"
value: "*"
+ - name: ["MongoRequests"]
+ namespace: "Microsoft.DocumentDb/databaseAccounts"
+ ignore_unsupported: true
+ timegrain: "PT5M"
+ dimensions:
+ - name: "DatabaseName"
+ value: "*"
+ - name: "CommandName"
+ value: "*"
- name: ["TotalRequestUnits", "TotalRequests"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
ignore_unsupported: true
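Review bot: The metric names `MongoRequestsCount`, `MongoRequestsInsert`, `MongoRequestsDelete`, `MongoRequestsQuery` and `MongoRequestsUpdate` are removed from the list and not re-added anywhere in the hunk, so this is a change in what gets collected rather than only splitting `MongoRequests` out with its `CommandName` dimension; if they are intentionally superseded by `MongoRequests` broken down by command, record that in the template, e.g. `{{! MongoRequests split by CommandName replaces the per-command MongoRequests* metrics }}`, and remove their mappings from this data stream's fields.yml if any exist, otherwise restore them. The same edit is repeated in the two later hunks of this file for the `resource_ids` and default branches, so the three lists must stay identical. The enclosing `resources` list continues outside the hunk.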
@@ -63,9 +71,9 @@ resources:
- name: "ClosureReason"
value: "*"
- name: [ "GremlinDatabaseDelete", "GremlinDatabaseThroughputUpdate", "GremlinDatabaseUpdate", "GremlinGraphDelete","GremlinGraphThroughputUpdate", "GremlinGraphUpdate",
- "MongoCollectionDelete", "MongoCollectionThroughputUpdate", "MongoCollectionUpdate", "MongoDBDatabaseUpdate", "MongoDatabaseDelete", "MongoDatabaseThroughputUpdate",
- "CassandraKeyspaceDelete", "CassandraKeyspaceThroughputUpdate", "CassandraKeyspaceUpdate","CassandraTableDelete", "CassandraTableThroughputUpdate", "CassandraTableUpdate",
- "SqlContainerDelete", "SqlContainerThroughputUpdate", "SqlContainerUpdate", "SqlDatabaseDelete", "SqlDatabaseThroughputUpdate", "SqlDatabaseUpdate", "TableTableDelete",
+ "MongoCollectionDelete", "MongoCollectionThroughputUpdate", "MongoCollectionUpdate", "MongoDBDatabaseUpdate", "MongoDatabaseDelete", "MongoDatabaseThroughputUpdate",
+ "CassandraKeyspaceDelete", "CassandraKeyspaceThroughputUpdate", "CassandraKeyspaceUpdate","CassandraTableDelete", "CassandraTableThroughputUpdate", "CassandraTableUpdate",
+ "SqlContainerDelete", "SqlContainerThroughputUpdate", "SqlContainerUpdate", "SqlDatabaseDelete", "SqlDatabaseThroughputUpdate", "SqlDatabaseUpdate", "TableTableDelete",
"TableTableThroughputUpdate","TableTableUpdate"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
ignore_unsupported: true
@@ -81,14 +89,22 @@ resources:
- name: ["AddRegion", "RemoveRegion", "UpdateAccountReplicationSettings", "UpdateAccountNetworkSettings", "UpdateAccountKeys", "ServiceAvailability", "ReplicationLatency",
"RegionFailover", "DeleteAccount", "CreateAccount", "UpdateDiagnosticsSettings"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
- - name: ["AvailableStorage", "DataUsage","DocumentCount", "DocumentQuota", "IndexUsage", "MetadataRequests", "MongoRequestCharge", "MongoRequests", "MongoRequestsCount",
- "MongoRequestsInsert", "MongoRequestsDelete", "MongoRequestsQuery", "MongoRequestsUpdate","ProvisionedThroughput", "NormalizedRUConsumption"]
+ - name: ["AvailableStorage", "DataUsage","DocumentCount", "DocumentQuota", "IndexUsage", "MetadataRequests", "MongoRequestCharge", "NormalizedRUConsumption", "ProvisionedThroughput"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
ignore_unsupported: true
timegrain: "PT5M"
dimensions:
- name: "DatabaseName"
value: "*"
+ - name: ["MongoRequests"]
+ namespace: "Microsoft.DocumentDb/databaseAccounts"
+ ignore_unsupported: true
+ timegrain: "PT5M"
+ dimensions:
+ - name: "DatabaseName"
+ value: "*"
+ - name: "CommandName"
+ value: "*"
- name: ["TotalRequestUnits", "TotalRequests"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
ignore_unsupported: true
@@ -137,14 +153,22 @@ resources:
- name: ["AddRegion", "RemoveRegion", "UpdateAccountReplicationSettings", "UpdateAccountNetworkSettings", "UpdateAccountKeys", "ServiceAvailability", "ReplicationLatency",
"RegionFailover", "DeleteAccount", "CreateAccount", "UpdateDiagnosticsSettings"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
- - name: ["AvailableStorage", "DataUsage","DocumentCount", "DocumentQuota", "IndexUsage", "MetadataRequests", "MongoRequestCharge", "MongoRequests", "MongoRequestsCount",
- "MongoRequestsInsert", "MongoRequestsDelete", "MongoRequestsQuery", "MongoRequestsUpdate","ProvisionedThroughput", "NormalizedRUConsumption"]
+ - name: ["AvailableStorage", "DataUsage","DocumentCount", "DocumentQuota", "IndexUsage", "MetadataRequests", "MongoRequestCharge", "NormalizedRUConsumption", "ProvisionedThroughput"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
ignore_unsupported: true
timegrain: "PT5M"
dimensions:
- name: "DatabaseName"
value: "*"
+ - name: ["MongoRequests"]
+ namespace: "Microsoft.DocumentDb/databaseAccounts"
+ ignore_unsupported: true
+ timegrain: "PT5M"
+ dimensions:
+ - name: "DatabaseName"
+ value: "*"
+ - name: "CommandName"
+ value: "*"
- name: ["TotalRequestUnits", "TotalRequests"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
ignore_unsupported: true
@@ -169,9 +193,9 @@ resources:
- name: "ClosureReason"
value: "*"
- name: [ "GremlinDatabaseDelete", "GremlinDatabaseThroughputUpdate", "GremlinDatabaseUpdate", "GremlinGraphDelete","GremlinGraphThroughputUpdate", "GremlinGraphUpdate",
- "MongoCollectionDelete", "MongoCollectionThroughputUpdate", "MongoCollectionUpdate", "MongoDBDatabaseUpdate", "MongoDatabaseDelete", "MongoDatabaseThroughputUpdate",
- "CassandraKeyspaceDelete", "CassandraKeyspaceThroughputUpdate", "CassandraKeyspaceUpdate","CassandraTableDelete", "CassandraTableThroughputUpdate", "CassandraTableUpdate",
- "SqlContainerDelete", "SqlContainerThroughputUpdate", "SqlContainerUpdate", "SqlDatabaseDelete", "SqlDatabaseThroughputUpdate", "SqlDatabaseUpdate", "TableTableDelete",
+ "MongoCollectionDelete", "MongoCollectionThroughputUpdate", "MongoCollectionUpdate", "MongoDBDatabaseUpdate", "MongoDatabaseDelete", "MongoDatabaseThroughputUpdate",
+ "CassandraKeyspaceDelete", "CassandraKeyspaceThroughputUpdate", "CassandraKeyspaceUpdate","CassandraTableDelete", "CassandraTableThroughputUpdate", "CassandraTableUpdate",
+ "SqlContainerDelete", "SqlContainerThroughputUpdate", "SqlContainerUpdate", "SqlDatabaseDelete", "SqlDatabaseThroughputUpdate", "SqlDatabaseUpdate", "TableTableDelete",
"TableTableThroughputUpdate","TableTableUpdate"]
namespace: "Microsoft.DocumentDb/databaseAccounts"
ignore_unsupported: true
@@ -179,4 +203,4 @@ resources:
- name: "ResourceName"
value: "*"
{{/unless}}
-{{/unless}}
\ No newline at end of file
+{{/unless}}
diff --git a/packages/azure_metrics/data_stream/database_account/fields/agent.yml b/packages/azure_metrics/data_stream/database_account/fields/agent.yml
index da4e652c53b..ae1966205ad 100644
--- a/packages/azure_metrics/data_stream/database_account/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/database_account/fields/agent.yml
@@ -48,6 +48,7 @@
ignore_above: 1024
description: Region in which this host is running.
example: us-east-1
+ dimension: true
- name: project.id
type: keyword
description: Name of the project in Google Cloud.
@@ -62,26 +63,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
diff --git a/packages/azure_metrics/data_stream/database_account/fields/ecs.yml b/packages/azure_metrics/data_stream/database_account/fields/ecs.yml
index c9ba9972270..0ef9d19c59d 100644
--- a/packages/azure_metrics/data_stream/database_account/fields/ecs.yml
+++ b/packages/azure_metrics/data_stream/database_account/fields/ecs.yml
@@ -15,3 +15,6 @@
external: ecs
- name: host
external: ecs
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/azure_metrics/data_stream/database_account/fields/fields.yml b/packages/azure_metrics/data_stream/database_account/fields/fields.yml
index a8400067249..ad51dd58927 100644
--- a/packages/azure_metrics/data_stream/database_account/fields/fields.yml
+++ b/packages/azure_metrics/data_stream/database_account/fields/fields.yml
@@ -2,6 +2,7 @@
type: object
object_type: float
object_type_mapping_type: "*"
+ metric_type: gauge
description: >
database account
diff --git a/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml b/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml
index 28fa99283bd..da50e10ea75 100644
--- a/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml
+++ b/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml
@@ -4,6 +4,7 @@
fields:
- name: timegrain
type: keyword
+ dimension: true
description: >
The Azure metric timegrain
@@ -24,6 +25,7 @@
The name of the resource
- name: id
+ dimension: true
type: keyword
description: >
The id of the resource
@@ -42,6 +44,7 @@
- name: namespace
type: keyword
+ dimension: true
description: >
The namespace selected
@@ -55,17 +58,24 @@
description: >
The application ID
- - name: dimensions.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: >
- Azure metric dimensions.
-
- - name: metrics.*.*
- type: object
- object_type: float
- object_type_mapping_type: "*"
- description: >
- Metrics returned.
-
+ - name: dimensions
+ type: group
+ fields:
+ - name: database_name
+ type: keyword
+ dimension: true
+ description: Database name
+ - name: command_name
+ type: keyword
+ dimension: true
+ description: Mongo requests command name
+ - name: resource_name
+ type: keyword
+ dimension: true
+ description: Name of the resource
+ - name: closure_reason
+ type: keyword
+ description: Reason of the Cassandra Connection Closures
+ - name: status_code
+ type: keyword
+ description: Status code of the made to database requests
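Review bot: `closure_reason` and `status_code` in the new `dimensions` group are the only entries without `dimension: true`, while the stream template in this same change requests `ClosureReason` with `value: "*"`; if the data stream is in time-series mode, two documents that share timestamp and the other dimensions but differ only in those two values would presumably map to the same series, so either mark them `dimension: true` or add a comment stating why they are intentionally excluded. The description `Status code of the made to database requests` also reads garbled; `description: Status code of the requests made to the database` says the same thing clearly.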
diff --git a/packages/azure_metrics/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml b/packages/azure_metrics/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..29ef1822ab8
--- /dev/null
+++ b/packages/azure_metrics/data_stream/monitor/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,14 @@
+---
+description: Pipeline for parsing azure monitor metrics.
+processors:
+ - fingerprint:
+ fields: ["azure.dimensions"]
+ target_field: 'azure.dimensions.fingerprint'
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - set:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
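Review bot: The fingerprint's `target_field` (`azure.dimensions.fingerprint`) is written inside the very object listed in `fields`, so a document that passes through this pipeline a second time (a reindex or update-by-query with the pipeline set) would hash an object that now also contains the previous fingerprint, and the value changes, which in turn changes the series the document is assigned to. Writing the result outside the hashed object, or dropping `azure.dimensions.fingerprint` before hashing, keeps the processor idempotent; the matching field declaration in `monitor/fields/package-fields.yml` would move with it. A comment naming the hash method in use would also help, since it is not spelled out here and the field is documented as an identifier.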
diff --git a/packages/azure_metrics/data_stream/monitor/fields/agent.yml b/packages/azure_metrics/data_stream/monitor/fields/agent.yml
index da4e652c53b..ae1966205ad 100644
--- a/packages/azure_metrics/data_stream/monitor/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/monitor/fields/agent.yml
@@ -48,6 +48,7 @@
ignore_above: 1024
description: Region in which this host is running.
example: us-east-1
+ dimension: true
- name: project.id
type: keyword
description: Name of the project in Google Cloud.
@@ -62,26 +63,11 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
- name: host
title: Host
group: 2
diff --git a/packages/azure_metrics/data_stream/monitor/fields/ecs.yml b/packages/azure_metrics/data_stream/monitor/fields/ecs.yml
index c9ba9972270..0ef9d19c59d 100644
--- a/packages/azure_metrics/data_stream/monitor/fields/ecs.yml
+++ b/packages/azure_metrics/data_stream/monitor/fields/ecs.yml
@@ -15,3 +15,6 @@
external: ecs
- name: host
external: ecs
+- name: agent.id
+ external: ecs
+ dimension: true
diff --git a/packages/azure_metrics/data_stream/monitor/fields/fields.yml b/packages/azure_metrics/data_stream/monitor/fields/fields.yml
deleted file mode 100644
index 6ca122a221a..00000000000
--- a/packages/azure_metrics/data_stream/monitor/fields/fields.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: azure.monitor
- type: group
- description: >
- monitor
-
diff --git a/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml b/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml
index 28fa99283bd..c81ec39f1f9 100644
--- a/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml
+++ b/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml
@@ -4,6 +4,7 @@
fields:
- name: timegrain
type: keyword
+ dimension: true
description: >
The Azure metric timegrain
@@ -25,6 +26,7 @@
- name: id
type: keyword
+ dimension: true
description: >
The id of the resource
@@ -42,6 +44,7 @@
- name: namespace
type: keyword
+ dimension: true
description: >
The namespace selected
@@ -62,10 +65,17 @@
description: >
Azure metric dimensions.
+ - name: dimensions.fingerprint
+ type: keyword
+ description: |
+ Autogenerated ID representing the fingerprint of the azure.dimensions object
+ dimension: true
+
- name: metrics.*.*
type: object
object_type: float
object_type_mapping_type: "*"
+ metric_type: gauge
description: >
Metrics returned.
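Review bot: The description of `dimensions.fingerprint` says the value is autogenerated but not where it comes from or when it is absent; since it is produced by the data stream's ingest pipeline and is skipped when `azure.dimensions` is missing (`ignore_missing: true` on the processor), the description should say so, e.g. `Hash of the azure.dimensions object computed by the data stream ingest pipeline; absent when no dimensions were returned.` That tells readers the field is only populated for documents that went through the pipeline and why a series may lack it.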
diff --git a/packages/azure_metrics/docs/README.md b/packages/azure_metrics/docs/README.md
index 15ef445b01f..282fc407ec3 100644
--- a/packages/azure_metrics/docs/README.md
+++ b/packages/azure_metrics/docs/README.md
@@ -57,61 +57,63 @@ aggregation list, namespaces and metric dimensions. The monitor metrics will hav
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| azure.application_id | The application ID | keyword | |
+| azure.dimensions.\* | Azure metric dimensions. | object | |
+| azure.dimensions.fingerprint | Autogenerated ID representing the fingerprint of the azure.dimensions object | keyword | |
+| azure.metrics.\*.\* | Metrics returned. | object | gauge |
+| azure.namespace | The namespace selected | keyword | |
+| azure.resource.group | The resource group | keyword | |
+| azure.resource.id | The id of the resource | keyword | |
+| azure.resource.name | The name of the resource | keyword | |
+| azure.resource.tags.\* | Azure resource tags. | object | |
+| azure.resource.type | The type of the resource | keyword | |
+| azure.subscription_id | The subscription ID | keyword | |
+| azure.timegrain | The Azure metric timegrain | keyword | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| container.runtime | Runtime managing this container. | keyword | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| dataset.name | Dataset name. | constant_keyword | |
+| dataset.namespace | Dataset namespace. | constant_keyword | |
+| dataset.type | Dataset type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| service.address | Service address | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
`compute_vm`
@@ -120,62 +122,66 @@ so the `period` for `compute_vm` should be `300s` or multiples of `300s`.
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.compute_vm.\*.\* | compute_vm | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| azure.application_id | The application ID | keyword | |
+| azure.compute_vm.\*.\* | Returned compute_vm metrics | object | gauge |
+| azure.dimensions.cpu | Cpu core on the linux instance | keyword | |
+| azure.dimensions.device | Name of the device of the linux instance, eg. sda2 | keyword | |
+| azure.dimensions.host | Name of the linux host | keyword | |
+| azure.dimensions.interface | Name of the network interface on the linux instance | keyword | |
+| azure.dimensions.name | Name of the device of the linux instance | keyword | |
+| azure.namespace | The namespace selected | keyword | |
+| azure.resource.group | The resource group | keyword | |
+| azure.resource.id | The id of the resource | keyword | |
+| azure.resource.name | The name of the resource | keyword | |
+| azure.resource.tags.\* | Azure resource tags. | object | |
+| azure.resource.type | The type of the resource | keyword | |
+| azure.subscription_id | The subscription ID | keyword | |
+| azure.timegrain | The Azure metric timegrain | keyword | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| container.runtime | Runtime managing this container. | keyword | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| dataset.name | Dataset name. | constant_keyword | |
+| dataset.namespace | Dataset namespace. | constant_keyword | |
+| dataset.type | Dataset type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| service.address | Service address | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
`compute_vm_scaleset`
@@ -184,62 +190,92 @@ so the `period` for `compute_vm_scaleset` should be `300s` or multiples of `300s
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.compute_vm_scaleset.\*.\* | compute_vm_scaleset | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| azure.application_id | The application ID | keyword | | |
+| azure.compute_vm_scaleset.available_memory_bytes.avg | Amount of physical memory, in bytes, immediately available for allocation to a process or for system use in the Virtual Machine | float | byte | gauge |
+| azure.compute_vm_scaleset.cpu_credits_consumed.avg | Total number of credits consumed by the Virtual Machine. Only available on B-series burstable VMs | float | | gauge |
+| azure.compute_vm_scaleset.cpu_credits_remaining.avg | Total number of credits available to burst. Only available on B-series burstable VMs | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_bandwidth_consumed_percentage.avg | Percentage of data disk bandwidth consumed per minute | float | percent | gauge |
+| azure.compute_vm_scaleset.data_disk_queue_depth.avg | Data Disk Queue Depth(or Queue Length) | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_read_bytes_per_sec.avg | Bytes/Sec read from a single disk during monitoring period | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_read_operations_per_sec.avg | Read IOPS from a single disk during monitoring period | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_write_bytes_per_sec.avg | Bytes/Sec written to a single disk during monitoring period | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_write_operations_per_sec.avg | Write IOPS from a single disk during monitoring period | float | | gauge |
+| azure.compute_vm_scaleset.disk_read_bytes.total | Bytes read from disk during monitoring period | float | byte | gauge |
+| azure.compute_vm_scaleset.disk_read_operations_per_sec.avg | Disk Read IOPS | float | | gauge |
+| azure.compute_vm_scaleset.disk_write_bytes.total | Bytes written to disk during monitoring period | float | byte | gauge |
+| azure.compute_vm_scaleset.disk_write_operations_per_sec.avg | Disk Write IOPS | float | | gauge |
+| azure.compute_vm_scaleset.inbound_flows.avg | Inbound Flows are number of current flows in the inbound direction (traffic going into the VM) | float | | gauge |
+| azure.compute_vm_scaleset.inbound_flows_maximum_creation_rate.avg | The maximum creation rate of inbound flows (traffic going into the VM) | float | | gauge |
+| azure.compute_vm_scaleset.memory_available_bytes.avg | Available Bytes is the amount of physical memory, in bytes, immediately available for allocation to a process or for system use. It is equal to the sum of memory assigned to the standby (cached), free and zero page lists. | float | byte | gauge |
+| azure.compute_vm_scaleset.memory_commit_limit.avg | Memory commit limit | float | byte | gauge |
+| azure.compute_vm_scaleset.memory_committed_bytes.avg | Committed Bytes is the amount of committed virtual memory, in bytes. Committed memory is the physical memory which has space reserved on the disk paging file(s). There can be one or more paging files on each physical drive. This counter displays the last observed value only. | float | byte | gauge |
+| azure.compute_vm_scaleset.memory_pct_committed_bytes_in_use.avg | Committed Bytes In Use is the ratio of Memory \ Committed Bytes to the Memory \ Commit Limit. Committed memory is the physical memory in use for which space has been reserved in the paging file should it need to be written to disk. The commit limit is determined by the size of the paging file. If the paging file is enlarged, the commit limit increases, and the ratio is reduced). This value displays the current percentage value only. | float | percent | gauge |
+| azure.compute_vm_scaleset.network_in_total.total | The number of bytes received on all network interfaces by the Virtual Machine(s) (Incoming Traffic) | float | | gauge |
+| azure.compute_vm_scaleset.network_out_total.total | The number of bytes out on all network interfaces by the Virtual Machine(s) (Outgoing Traffic) | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_queue_depth.avg | OS Disk Queue Depth(or Queue Length) | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_read_bytes_per_sec.avg | Bytes/Sec read from a single disk during monitoring period for OS disk | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_read_operations_per_sec.avg | Read IOPS from a single disk during monitoring period for OS disk | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_write_bytes_per_sec.avg | Bytes/Sec written to a single disk during monitoring period for OS disk | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_write_operations_per_sec.avg | Write IOPS from a single disk during monitoring period for OS disk | float | | gauge |
+| azure.compute_vm_scaleset.outbound_flows.avg | Outbound Flows are number of current flows in the outbound direction (traffic going out of the VM) | float | | gauge |
+| azure.compute_vm_scaleset.outbound_flows_maximum_creation_rate.avg | The maximum creation rate of outbound flows (traffic going out of the VM) | float | | gauge |
+| azure.compute_vm_scaleset.percentage_cpu.avg | The percentage of allocated compute units that are currently in use by the Virtual Machine(s) | float | percent | gauge |
+| azure.dimensions.lun | Logical Unit Number is a number that is used to identify a specific storage device | keyword | | |
+| azure.dimensions.virtual_machine | The VM name | keyword | | |
+| azure.dimensions.vmname | The VM name | keyword | | |
+| azure.namespace | The namespace selected | keyword | | |
+| azure.resource.group | The resource group | keyword | | |
+| azure.resource.id | The id of the resource | keyword | | |
+| azure.resource.name | The name of the resource | keyword | | |
+| azure.resource.tags.\* | Azure resource tags. | object | | |
+| azure.resource.type | The type of the resource | keyword | | |
+| azure.subscription_id | The subscription ID | keyword | | |
+| azure.timegrain | The Azure metric timegrain | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| container.runtime | Runtime managing this container. | keyword | | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| dataset.name | Dataset name. | constant_keyword | | |
+| dataset.namespace | Dataset namespace. | constant_keyword | | |
+| dataset.type | Dataset type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| service.address | Service address | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
`storage_account`
@@ -312,62 +348,69 @@ so the `period` for `container_instance` should be `300s` or multiples of `300s`
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.container_instance.\*.\* | container instance | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| azure.application_id | The application ID | keyword | | |
+| azure.container_instance.cpu_usage.avg | CPU usage on all cores in millicores. | float | | gauge |
+| azure.container_instance.memory_usage.avg | Total memory usage in byte. | float | byte | gauge |
+| azure.container_instance.network_bytes_received_per_second.avg | The network bytes received per second. | float | byte | gauge |
+| azure.container_instance.network_bytes_transmitted_per_second.avg | The network bytes transmitted per second. | float | byte | gauge |
+| azure.dimensions.container_name | The container name | keyword | | |
+| azure.metrics.cpu_usage.avg | CPU usage on all cores in millicores. | float | | gauge |
+| azure.metrics.memory_usage.avg | | alias | | |
+| azure.metrics.network_bytes_received_per_second.avg | | alias | | |
+| azure.metrics.network_bytes_transmitted_per_second.avg | | alias | | |
+| azure.namespace | The namespace selected | keyword | | |
+| azure.resource.group | The resource group | keyword | | |
+| azure.resource.id | The id of the resource | keyword | | |
+| azure.resource.name | The name of the resource | keyword | | |
+| azure.resource.tags.\* | Azure resource tags. | object | | |
+| azure.resource.type | The type of the resource | keyword | | |
+| azure.subscription_id | The subscription ID | keyword | | |
+| azure.timegrain | The Azure metric timegrain | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| container.runtime | Runtime managing this container. | keyword | | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| dataset.name | Dataset name. | constant_keyword | | |
+| dataset.namespace | Dataset namespace. | constant_keyword | | |
+| dataset.type | Dataset type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| service.address | Service address | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
`container_registry`
@@ -376,62 +419,68 @@ so the `period` for `container_registry` should be `300s` or multiples of `300s`
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.container_registry.\*.\* | container registry | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| azure.application_id | The application ID | keyword | | |
+| azure.container_registry.agent_pool_cpu_time.total | AgentPool CPU Time in seconds | float | | gauge |
+| azure.container_registry.run_duration.total | ACR tasks run duration in milliseconds | float | ms | gauge |
+| azure.container_registry.storage_used.avg | The amount of storage used by the container registry. For a registry account, it's the sum of capacity used by all the repositories within a registry. It's sum of capacity used by shared layers, manifest files, and replica copies in each of its repositories. | float | byte | gauge |
+| azure.container_registry.successful_pull_count.total | Number of successful image pulls | float | | gauge |
+| azure.container_registry.successful_push_count.total | Number of successful image pushes | float | | gauge |
+| azure.container_registry.total_pull_count.total | Number of image pulls in total | float | | gauge |
+| azure.container_registry.total_push_count.total | Number of image pushes in total | float | | gauge |
+| azure.dimensions.geolocation | Geolocation of the container registry | keyword | | |
+| azure.namespace | The namespace selected | keyword | | |
+| azure.resource.group | The resource group | keyword | | |
+| azure.resource.id | The id of the resource | keyword | | |
+| azure.resource.name | The name of the resource | keyword | | |
+| azure.resource.tags.\* | Azure resource tags. | object | | |
+| azure.resource.type | The type of the resource | keyword | | |
+| azure.subscription_id | The subscription ID | keyword | | |
+| azure.timegrain | The Azure metric timegrain | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| container.runtime | Runtime managing this container. | keyword | | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| dataset.name | Dataset name. | constant_keyword | | |
+| dataset.namespace | Dataset namespace. | constant_keyword | | |
+| dataset.type | Dataset type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| service.address | Service address | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
`container_service`
@@ -440,62 +489,71 @@ so the `period` for `container_service` should be `300s` or multiples of `300s`.
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.container_service.\*.\* | container service | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| azure.application_id | The application ID | keyword | |
+| azure.container_service.kube_node_status_allocatable_cpu_cores.avg | Total number of available cpu cores in a managed cluster | float | gauge |
+| azure.container_service.kube_node_status_allocatable_memory_bytes.avg | Total amount of available memory in a managed cluster | float | gauge |
+| azure.container_service.kube_node_status_condition.avg | Statuses for various node conditions | float | gauge |
+| azure.container_service.kube_pod_status_phase.avg | Number of pods by phase | float | gauge |
+| azure.container_service.kube_pod_status_ready.avg | Number of pods in Ready state | float | gauge |
+| azure.dimensions.condition | Pod or Node conditions | keyword | |
+| azure.dimensions.namespace | Pod namespace | keyword | |
+| azure.dimensions.node | Node name | keyword | |
+| azure.dimensions.phase | Pod phase | keyword | |
+| azure.dimensions.pod | Pod name | keyword | |
+| azure.dimensions.status | Statuses for various node conditions | keyword | |
+| azure.namespace | The namespace selected | keyword | |
+| azure.resource.group | The resource group | keyword | |
+| azure.resource.id | The id of the resource | keyword | |
+| azure.resource.name | The name of the resource | keyword | |
+| azure.resource.tags.\* | Azure resource tags. | object | |
+| azure.resource.type | The type of the resource | keyword | |
+| azure.subscription_id | The subscription ID | keyword | |
+| azure.timegrain | The Azure metric timegrain | keyword | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| container.runtime | Runtime managing this container. | keyword | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| dataset.name | Dataset name. | constant_keyword | |
+| dataset.namespace | Dataset namespace. | constant_keyword | |
+| dataset.type | Dataset type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| service.address | Service address | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
`database_account`
@@ -504,62 +562,66 @@ so the `period` for `database_account` should be `300s` or multiples of `300s`.
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.database_account.\*.\* | database account | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| azure.application_id | The application ID | keyword | |
+| azure.database_account.\*.\* | database account | object | gauge |
+| azure.dimensions.closure_reason | Reason of the Cassandra Connection Closures | keyword | |
+| azure.dimensions.command_name | Mongo requests command name | keyword | |
+| azure.dimensions.database_name | Database name | keyword | |
+| azure.dimensions.resource_name | Name of the resource | keyword | |
+| azure.dimensions.status_code | Status code of the made to database requests | keyword | |
+| azure.namespace | The namespace selected | keyword | |
+| azure.resource.group | The resource group | keyword | |
+| azure.resource.id | The id of the resource | keyword | |
+| azure.resource.name | The name of the resource | keyword | |
+| azure.resource.tags.\* | Azure resource tags. | object | |
+| azure.resource.type | The type of the resource | keyword | |
+| azure.subscription_id | The subscription ID | keyword | |
+| azure.timegrain | The Azure metric timegrain | keyword | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| container.runtime | Runtime managing this container. | keyword | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| dataset.name | Dataset name. | constant_keyword | |
+| dataset.namespace | Dataset namespace. | constant_keyword | |
+| dataset.type | Dataset type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| service.address | Service address | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
## Additional notes about metrics and costs
diff --git a/packages/azure_metrics/docs/compute_vm.md b/packages/azure_metrics/docs/compute_vm.md
index c70b522ffce..2cc28a9d052 100644
--- a/packages/azure_metrics/docs/compute_vm.md
+++ b/packages/azure_metrics/docs/compute_vm.md
@@ -72,59 +72,63 @@ Authentication: Dedicated authentication token will be created and updated regul
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.compute_vm.\*.\* | compute_vm | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| azure.application_id | The application ID | keyword | |
+| azure.compute_vm.\*.\* | Returned compute_vm metrics | object | gauge |
+| azure.dimensions.cpu | Cpu core on the linux instance | keyword | |
+| azure.dimensions.device | Name of the device of the linux instance, eg. sda2 | keyword | |
+| azure.dimensions.host | Name of the linux host | keyword | |
+| azure.dimensions.interface | Name of the network interface on the linux instance | keyword | |
+| azure.dimensions.name | Name of the device of the linux instance | keyword | |
+| azure.namespace | The namespace selected | keyword | |
+| azure.resource.group | The resource group | keyword | |
+| azure.resource.id | The id of the resource | keyword | |
+| azure.resource.name | The name of the resource | keyword | |
+| azure.resource.tags.\* | Azure resource tags. | object | |
+| azure.resource.type | The type of the resource | keyword | |
+| azure.subscription_id | The subscription ID | keyword | |
+| azure.timegrain | The Azure metric timegrain | keyword | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| container.runtime | Runtime managing this container. | keyword | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| dataset.name | Dataset name. | constant_keyword | |
+| dataset.namespace | Dataset namespace. | constant_keyword | |
+| dataset.type | Dataset type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| service.address | Service address | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
diff --git a/packages/azure_metrics/docs/compute_vm_scaleset.md b/packages/azure_metrics/docs/compute_vm_scaleset.md
index d1bfef109b7..08eaa281655 100644
--- a/packages/azure_metrics/docs/compute_vm_scaleset.md
+++ b/packages/azure_metrics/docs/compute_vm_scaleset.md
@@ -69,59 +69,89 @@ Authentication: we are handling authentication on our side (creating/renewing th
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.compute_vm_scaleset.\*.\* | compute_vm_scaleset | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| azure.application_id | The application ID | keyword | | |
+| azure.compute_vm_scaleset.available_memory_bytes.avg | Amount of physical memory, in bytes, immediately available for allocation to a process or for system use in the Virtual Machine | float | byte | gauge |
+| azure.compute_vm_scaleset.cpu_credits_consumed.avg | Total number of credits consumed by the Virtual Machine. Only available on B-series burstable VMs | float | | gauge |
+| azure.compute_vm_scaleset.cpu_credits_remaining.avg | Total number of credits available to burst. Only available on B-series burstable VMs | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_bandwidth_consumed_percentage.avg | Percentage of data disk bandwidth consumed per minute | float | percent | gauge |
+| azure.compute_vm_scaleset.data_disk_queue_depth.avg | Data Disk Queue Depth(or Queue Length) | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_read_bytes_per_sec.avg | Bytes/Sec read from a single disk during monitoring period | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_read_operations_per_sec.avg | Read IOPS from a single disk during monitoring period | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_write_bytes_per_sec.avg | Bytes/Sec written to a single disk during monitoring period | float | | gauge |
+| azure.compute_vm_scaleset.data_disk_write_operations_per_sec.avg | Write IOPS from a single disk during monitoring period | float | | gauge |
+| azure.compute_vm_scaleset.disk_read_bytes.total | Bytes read from disk during monitoring period | float | byte | gauge |
+| azure.compute_vm_scaleset.disk_read_operations_per_sec.avg | Disk Read IOPS | float | | gauge |
+| azure.compute_vm_scaleset.disk_write_bytes.total | Bytes written to disk during monitoring period | float | byte | gauge |
+| azure.compute_vm_scaleset.disk_write_operations_per_sec.avg | Disk Write IOPS | float | | gauge |
+| azure.compute_vm_scaleset.inbound_flows.avg | Inbound Flows are number of current flows in the inbound direction (traffic going into the VM) | float | | gauge |
+| azure.compute_vm_scaleset.inbound_flows_maximum_creation_rate.avg | The maximum creation rate of inbound flows (traffic going into the VM) | float | | gauge |
+| azure.compute_vm_scaleset.memory_available_bytes.avg | Available Bytes is the amount of physical memory, in bytes, immediately available for allocation to a process or for system use. It is equal to the sum of memory assigned to the standby (cached), free and zero page lists. | float | byte | gauge |
+| azure.compute_vm_scaleset.memory_commit_limit.avg | Memory commit limit | float | byte | gauge |
+| azure.compute_vm_scaleset.memory_committed_bytes.avg | Committed Bytes is the amount of committed virtual memory, in bytes. Committed memory is the physical memory which has space reserved on the disk paging file(s). There can be one or more paging files on each physical drive. This counter displays the last observed value only. | float | byte | gauge |
+| azure.compute_vm_scaleset.memory_pct_committed_bytes_in_use.avg | Committed Bytes In Use is the ratio of Memory \ Committed Bytes to the Memory \ Commit Limit. Committed memory is the physical memory in use for which space has been reserved in the paging file should it need to be written to disk. The commit limit is determined by the size of the paging file. If the paging file is enlarged, the commit limit increases, and the ratio is reduced). This value displays the current percentage value only. | float | percent | gauge |
+| azure.compute_vm_scaleset.network_in_total.total | The number of bytes received on all network interfaces by the Virtual Machine(s) (Incoming Traffic) | float | | gauge |
+| azure.compute_vm_scaleset.network_out_total.total | The number of bytes out on all network interfaces by the Virtual Machine(s) (Outgoing Traffic) | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_queue_depth.avg | OS Disk Queue Depth(or Queue Length) | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_read_bytes_per_sec.avg | Bytes/Sec read from a single disk during monitoring period for OS disk | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_read_operations_per_sec.avg | Read IOPS from a single disk during monitoring period for OS disk | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_write_bytes_per_sec.avg | Bytes/Sec written to a single disk during monitoring period for OS disk | float | | gauge |
+| azure.compute_vm_scaleset.os_disk_write_operations_per_sec.avg | Write IOPS from a single disk during monitoring period for OS disk | float | | gauge |
+| azure.compute_vm_scaleset.outbound_flows.avg | Outbound Flows are number of current flows in the outbound direction (traffic going out of the VM) | float | | gauge |
+| azure.compute_vm_scaleset.outbound_flows_maximum_creation_rate.avg | The maximum creation rate of outbound flows (traffic going out of the VM) | float | | gauge |
+| azure.compute_vm_scaleset.percentage_cpu.avg | The percentage of allocated compute units that are currently in use by the Virtual Machine(s) | float | percent | gauge |
+| azure.dimensions.lun | Logical Unit Number is a number that is used to identify a specific storage device | keyword | | |
+| azure.dimensions.virtual_machine | The VM name | keyword | | |
+| azure.dimensions.vmname | The VM name | keyword | | |
+| azure.namespace | The namespace selected | keyword | | |
+| azure.resource.group | The resource group | keyword | | |
+| azure.resource.id | The id of the resource | keyword | | |
+| azure.resource.name | The name of the resource | keyword | | |
+| azure.resource.tags.\* | Azure resource tags. | object | | |
+| azure.resource.type | The type of the resource | keyword | | |
+| azure.subscription_id | The subscription ID | keyword | | |
+| azure.timegrain | The Azure metric timegrain | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| container.runtime | Runtime managing this container. | keyword | | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| dataset.name | Dataset name. | constant_keyword | | |
+| dataset.namespace | Dataset namespace. | constant_keyword | | |
+| dataset.type | Dataset type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| service.address | Service address | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
diff --git a/packages/azure_metrics/docs/container_instance.md b/packages/azure_metrics/docs/container_instance.md
index d759bccfa21..7ba464af00d 100644
--- a/packages/azure_metrics/docs/container_instance.md
+++ b/packages/azure_metrics/docs/container_instance.md
@@ -69,59 +69,66 @@ Authentication: we are handling authentication on our side (creating/renewing th
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.container_instance.\*.\* | container instance | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| azure.application_id | The application ID | keyword | | |
+| azure.container_instance.cpu_usage.avg | CPU usage on all cores in millicores. | float | | gauge |
+| azure.container_instance.memory_usage.avg | Total memory usage in byte. | float | byte | gauge |
+| azure.container_instance.network_bytes_received_per_second.avg | The network bytes received per second. | float | byte | gauge |
+| azure.container_instance.network_bytes_transmitted_per_second.avg | The network bytes transmitted per second. | float | byte | gauge |
+| azure.dimensions.container_name | The container name | keyword | | |
+| azure.metrics.cpu_usage.avg | CPU usage on all cores in millicores. | float | | gauge |
+| azure.metrics.memory_usage.avg | | alias | | |
+| azure.metrics.network_bytes_received_per_second.avg | | alias | | |
+| azure.metrics.network_bytes_transmitted_per_second.avg | | alias | | |
+| azure.namespace | The namespace selected | keyword | | |
+| azure.resource.group | The resource group | keyword | | |
+| azure.resource.id | The id of the resource | keyword | | |
+| azure.resource.name | The name of the resource | keyword | | |
+| azure.resource.tags.\* | Azure resource tags. | object | | |
+| azure.resource.type | The type of the resource | keyword | | |
+| azure.subscription_id | The subscription ID | keyword | | |
+| azure.timegrain | The Azure metric timegrain | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| container.runtime | Runtime managing this container. | keyword | | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| dataset.name | Dataset name. | constant_keyword | | |
+| dataset.namespace | Dataset namespace. | constant_keyword | | |
+| dataset.type | Dataset type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| service.address | Service address | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
diff --git a/packages/azure_metrics/docs/container_registry.md b/packages/azure_metrics/docs/container_registry.md
index 9d5c074915a..e97c3dbf824 100644
--- a/packages/azure_metrics/docs/container_registry.md
+++ b/packages/azure_metrics/docs/container_registry.md
@@ -69,59 +69,65 @@ Authentication: we are handling authentication on our side (creating/renewing th
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.container_registry.\*.\* | container registry | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| azure.application_id | The application ID | keyword | | |
+| azure.container_registry.agent_pool_cpu_time.total | AgentPool CPU Time in seconds | float | | gauge |
+| azure.container_registry.run_duration.total | ACR tasks run duration in milliseconds | float | ms | gauge |
+| azure.container_registry.storage_used.avg | The amount of storage used by the container registry. For a registry account, it's the sum of capacity used by all the repositories within a registry. It's sum of capacity used by shared layers, manifest files, and replica copies in each of its repositories. | float | byte | gauge |
+| azure.container_registry.successful_pull_count.total | Number of successful image pulls | float | | gauge |
+| azure.container_registry.successful_push_count.total | Number of successful image pushes | float | | gauge |
+| azure.container_registry.total_pull_count.total | Number of image pulls in total | float | | gauge |
+| azure.container_registry.total_push_count.total | Number of image pushes in total | float | | gauge |
+| azure.dimensions.geolocation | Geolocation of the container registry | keyword | | |
+| azure.namespace | The namespace selected | keyword | | |
+| azure.resource.group | The resource group | keyword | | |
+| azure.resource.id | The id of the resource | keyword | | |
+| azure.resource.name | The name of the resource | keyword | | |
+| azure.resource.tags.\* | Azure resource tags. | object | | |
+| azure.resource.type | The type of the resource | keyword | | |
+| azure.subscription_id | The subscription ID | keyword | | |
+| azure.timegrain | The Azure metric timegrain | keyword | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| container.runtime | Runtime managing this container. | keyword | | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| dataset.name | Dataset name. | constant_keyword | | |
+| dataset.namespace | Dataset namespace. | constant_keyword | | |
+| dataset.type | Dataset type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| service.address | Service address | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
diff --git a/packages/azure_metrics/docs/container_service.md b/packages/azure_metrics/docs/container_service.md
index f901c38c4a2..2b1ca5a7a9a 100644
--- a/packages/azure_metrics/docs/container_service.md
+++ b/packages/azure_metrics/docs/container_service.md
@@ -70,59 +70,68 @@ Authentication: we are handling authentication on our side (creating/renewing th
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.container_service.\*.\* | container service | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| azure.application_id | The application ID | keyword | |
+| azure.container_service.kube_node_status_allocatable_cpu_cores.avg | Total number of available cpu cores in a managed cluster | float | gauge |
+| azure.container_service.kube_node_status_allocatable_memory_bytes.avg | Total amount of available memory in a managed cluster | float | gauge |
+| azure.container_service.kube_node_status_condition.avg | Statuses for various node conditions | float | gauge |
+| azure.container_service.kube_pod_status_phase.avg | Number of pods by phase | float | gauge |
+| azure.container_service.kube_pod_status_ready.avg | Number of pods in Ready state | float | gauge |
+| azure.dimensions.condition | Pod or Node conditions | keyword | |
+| azure.dimensions.namespace | Pod namespace | keyword | |
+| azure.dimensions.node | Node name | keyword | |
+| azure.dimensions.phase | Pod phase | keyword | |
+| azure.dimensions.pod | Pod name | keyword | |
+| azure.dimensions.status | Statuses for various node conditions | keyword | |
+| azure.namespace | The namespace selected | keyword | |
+| azure.resource.group | The resource group | keyword | |
+| azure.resource.id | The id of the resource | keyword | |
+| azure.resource.name | The name of the resource | keyword | |
+| azure.resource.tags.\* | Azure resource tags. | object | |
+| azure.resource.type | The type of the resource | keyword | |
+| azure.subscription_id | The subscription ID | keyword | |
+| azure.timegrain | The Azure metric timegrain | keyword | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| container.runtime | Runtime managing this container. | keyword | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| dataset.name | Dataset name. | constant_keyword | |
+| dataset.namespace | Dataset namespace. | constant_keyword | |
+| dataset.type | Dataset type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| service.address | Service address | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
diff --git a/packages/azure_metrics/docs/database_account.md b/packages/azure_metrics/docs/database_account.md
index 467d282d334..54a2b2cd460 100644
--- a/packages/azure_metrics/docs/database_account.md
+++ b/packages/azure_metrics/docs/database_account.md
@@ -68,59 +68,63 @@ Authentication: we are handling authentication on our side (creating/renewing th
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.database_account.\*.\* | database account | object |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| azure.application_id | The application ID | keyword | |
+| azure.database_account.\*.\* | database account | object | gauge |
+| azure.dimensions.closure_reason | Reason of the Cassandra Connection Closures | keyword | |
+| azure.dimensions.command_name | Mongo requests command name | keyword | |
+| azure.dimensions.database_name | Database name | keyword | |
+| azure.dimensions.resource_name | Name of the resource | keyword | |
+| azure.dimensions.status_code | Status code of the made to database requests | keyword | |
+| azure.namespace | The namespace selected | keyword | |
+| azure.resource.group | The resource group | keyword | |
+| azure.resource.id | The id of the resource | keyword | |
+| azure.resource.name | The name of the resource | keyword | |
+| azure.resource.tags.\* | Azure resource tags. | object | |
+| azure.resource.type | The type of the resource | keyword | |
+| azure.subscription_id | The subscription ID | keyword | |
+| azure.timegrain | The Azure metric timegrain | keyword | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| container.runtime | Runtime managing this container. | keyword | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| dataset.name | Dataset name. | constant_keyword | |
+| dataset.namespace | Dataset namespace. | constant_keyword | |
+| dataset.type | Dataset type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| service.address | Service address | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
diff --git a/packages/azure_metrics/docs/monitor.md b/packages/azure_metrics/docs/monitor.md
index cb751809953..606dea19317 100644
--- a/packages/azure_metrics/docs/monitor.md
+++ b/packages/azure_metrics/docs/monitor.md
@@ -122,58 +122,60 @@ Authentication: we are handling authentication on our side (creating/renewing th
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| azure.application_id | The application ID | keyword |
-| azure.dimensions.\* | Azure metric dimensions. | object |
-| azure.metrics.\*.\* | Metrics returned. | object |
-| azure.namespace | The namespace selected | keyword |
-| azure.resource.group | The resource group | keyword |
-| azure.resource.id | The id of the resource | keyword |
-| azure.resource.name | The name of the resource | keyword |
-| azure.resource.tags.\* | Azure resource tags. | object |
-| azure.resource.type | The type of the resource | keyword |
-| azure.subscription_id | The subscription ID | keyword |
-| azure.timegrain | The Azure metric timegrain | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.address | Service address | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| azure.application_id | The application ID | keyword | |
+| azure.dimensions.\* | Azure metric dimensions. | object | |
+| azure.dimensions.fingerprint | Autogenerated ID representing the fingerprint of the azure.dimensions object | keyword | |
+| azure.metrics.\*.\* | Metrics returned. | object | gauge |
+| azure.namespace | The namespace selected | keyword | |
+| azure.resource.group | The resource group | keyword | |
+| azure.resource.id | The id of the resource | keyword | |
+| azure.resource.name | The name of the resource | keyword | |
+| azure.resource.tags.\* | Azure resource tags. | object | |
+| azure.resource.type | The type of the resource | keyword | |
+| azure.subscription_id | The subscription ID | keyword | |
+| azure.timegrain | The Azure metric timegrain | keyword | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| container.runtime | Runtime managing this container. | keyword | |
+| data_stream.dataset | Data stream dataset name. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| dataset.name | Dataset name. | constant_keyword | |
+| dataset.namespace | Dataset namespace. | constant_keyword | |
+| dataset.type | Dataset type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| service.address | Service address | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
diff --git a/packages/azure_metrics/img/azure_metrics-container-instance-overview.png b/packages/azure_metrics/img/azure_metrics-container-instance-overview.png
index 8e27f44add5..181dbff17f4 100644
Binary files a/packages/azure_metrics/img/azure_metrics-container-instance-overview.png and b/packages/azure_metrics/img/azure_metrics-container-instance-overview.png differ
diff --git a/packages/azure_metrics/img/azure_metrics-container-registry-overview.png b/packages/azure_metrics/img/azure_metrics-container-registry-overview.png
index cb4d9344a56..23dd803580a 100644
Binary files a/packages/azure_metrics/img/azure_metrics-container-registry-overview.png and b/packages/azure_metrics/img/azure_metrics-container-registry-overview.png differ
diff --git a/packages/azure_metrics/img/azure_metrics-container-service-overview.png b/packages/azure_metrics/img/azure_metrics-container-service-overview.png
index 9893bd75aea..1c629e94467 100644
Binary files a/packages/azure_metrics/img/azure_metrics-container-service-overview.png and b/packages/azure_metrics/img/azure_metrics-container-service-overview.png differ
diff --git a/packages/azure_metrics/img/azure_metrics-database-account-overview.png b/packages/azure_metrics/img/azure_metrics-database-account-overview.png
index d258af4cb31..e0b06dddbea 100644
Binary files a/packages/azure_metrics/img/azure_metrics-database-account-overview.png and b/packages/azure_metrics/img/azure_metrics-database-account-overview.png differ
diff --git a/packages/azure_metrics/img/azure_metrics-storage-account-overview.png b/packages/azure_metrics/img/azure_metrics-storage-account-overview.png
index c815dad06e5..2ac54ab5068 100644
Binary files a/packages/azure_metrics/img/azure_metrics-storage-account-overview.png and b/packages/azure_metrics/img/azure_metrics-storage-account-overview.png differ
diff --git a/packages/azure_metrics/img/azure_metrics-vm-overview.png b/packages/azure_metrics/img/azure_metrics-vm-overview.png
index 48c9494ae3a..1b5422120d8 100644
Binary files a/packages/azure_metrics/img/azure_metrics-vm-overview.png and b/packages/azure_metrics/img/azure_metrics-vm-overview.png differ
diff --git a/packages/azure_metrics/img/azure_metrics-vmss-overview.png b/packages/azure_metrics/img/azure_metrics-vmss-overview.png
index 6b79ebdc128..ec7ac69dc97 100644
Binary files a/packages/azure_metrics/img/azure_metrics-vmss-overview.png and b/packages/azure_metrics/img/azure_metrics-vmss-overview.png differ
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc.json
index 78f63ca7f11..43312596159 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc.json
@@ -1,7 +1,12 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"13954387-48b2-4103-97e6-1d4ffcf73360\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"13954387-48b2-4103-97e6-1d4ffcf73360\",\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"enhancements\":{}}},\"14bb75a0-6906-4555-9ed2-7bcd4580d596\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"14bb75a0-6906-4555-9ed2-7bcd4580d596\",\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"enhancements\":{}}},\"018c4a7e-7f19-446e-ad9c-445278d027ef\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"018c4a7e-7f19-446e-ad9c-445278d027ef\",\"fieldName\":\"azure.resource.name\",\"title\":\"Resource Name\",\"enhancements\":{}}}}"
+ },
"description": "This dashboard shows metrics for queue storage type in Azure.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
@@ -35,200 +40,1580 @@
},
"optionsJSON": {
"hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [**Queue**](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Queue Storage Overview [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 5,
"i": "933a427d-a8b7-48ff-ac53-337f32b340ea",
- "w": 9,
+ "w": 48,
"x": 0,
"y": 0
},
"panelIndex": "933a427d-a8b7-48ff-ac53-337f32b340ea",
- "panelRefName": "panel_933a427d-a8b7-48ff-ac53-337f32b340ea",
- "type": "visualization",
- "version": "7.7.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 9,
- "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "w": 5,
- "x": 9,
- "y": 0
- },
- "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "panelRefName": "panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "title": "Availability",
"type": "visualization",
- "version": "7.7.0"
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "4a142156-34f2-44ec-b829-5951ecbb5a8b": {
+ "columnOrder": [
+ "487171cd-7adb-4fe6-ac1b-af81610bb835",
+ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99X0",
+ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99X1",
+ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99"
+ ],
+ "columns": {
+ "487171cd-7adb-4fe6-ac1b-af81610bb835": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Queue Capacity",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.queue_capacity.avg"
+ },
+ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.queue_capacity.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.queue_capacity.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99X1"
+ ],
+ "scale": "ratio"
+ },
+ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.queue_capacity.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.queue_capacity.avg"
+ },
+ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.queue_capacity.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99X0"
+ ],
+ "scale": "ratio"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-4a142156-34f2-44ec-b829-5951ecbb5a8b",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#68CCCA",
+ "layerId": "4a142156-34f2-44ec-b829-5951ecbb5a8b",
+ "layerType": "data",
+ "maxAccessor": "9c38f7a6-3d0e-42ea-818e-c7b3503cac99",
+ "metricAccessor": "487171cd-7adb-4fe6-ac1b-af81610bb835"
+ }
+ },
+ "title": "Storage Queue Capacity [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "0b4107a7-6a3d-4092-9813-00edb56bc838",
"w": 5,
- "x": 14,
- "y": 0
+ "x": 0,
+ "y": 5
},
"panelIndex": "0b4107a7-6a3d-4092-9813-00edb56bc838",
- "panelRefName": "panel_0b4107a7-6a3d-4092-9813-00edb56bc838",
- "type": "visualization",
- "version": "7.7.0"
+ "title": "Storage Queue Capacity [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "6809aeba-9935-4a98-91d8-9c78bd0432a1": {
+ "columnOrder": [
+ "72960318-f3b9-47a4-bce5-c75234290760",
+ "4a919315-6965-4448-b506-d4e41d5e4da2X0",
+ "4a919315-6965-4448-b506-d4e41d5e4da2X1",
+ "4a919315-6965-4448-b506-d4e41d5e4da2"
+ ],
+ "columns": {
+ "4a919315-6965-4448-b506-d4e41d5e4da2": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.queue_message_count.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.queue_message_count.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "4a919315-6965-4448-b506-d4e41d5e4da2X1"
+ ],
+ "scale": "ratio"
+ },
+ "4a919315-6965-4448-b506-d4e41d5e4da2X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.queue_message_count.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.queue_message_count.avg"
+ },
+ "4a919315-6965-4448-b506-d4e41d5e4da2X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.queue_message_count.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "4a919315-6965-4448-b506-d4e41d5e4da2X0"
+ ],
+ "scale": "ratio"
+ },
+ "72960318-f3b9-47a4-bce5-c75234290760": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Queue Message Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.queue_message_count.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-6809aeba-9935-4a98-91d8-9c78bd0432a1",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#68CCCA",
+ "layerId": "6809aeba-9935-4a98-91d8-9c78bd0432a1",
+ "layerType": "data",
+ "maxAccessor": "4a919315-6965-4448-b506-d4e41d5e4da2",
+ "metricAccessor": "72960318-f3b9-47a4-bce5-c75234290760"
+ }
+ },
+ "title": "Storage Queue Message Count [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "cf022a47-2314-4ab6-b397-b1d860944179",
"w": 5,
- "x": 19,
- "y": 0
+ "x": 5,
+ "y": 5
},
"panelIndex": "cf022a47-2314-4ab6-b397-b1d860944179",
- "panelRefName": "panel_cf022a47-2314-4ab6-b397-b1d860944179",
- "type": "visualization",
- "version": "7.7.0"
+ "title": "Storage Queue Message Count [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "20a07535-0b51-434a-bf3f-216e2d77c640": {
+ "columnOrder": [
+ "f9be0a93-f211-4823-9f9a-c5162cde988e",
+ "59f2bee0-1a09-4b55-8016-14ee3cd01079X0",
+ "59f2bee0-1a09-4b55-8016-14ee3cd01079X1",
+ "59f2bee0-1a09-4b55-8016-14ee3cd01079"
+ ],
+ "columns": {
+ "59f2bee0-1a09-4b55-8016-14ee3cd01079": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.queue_count.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.queue_count.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "59f2bee0-1a09-4b55-8016-14ee3cd01079X1"
+ ],
+ "scale": "ratio"
+ },
+ "59f2bee0-1a09-4b55-8016-14ee3cd01079X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.queue_count.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.queue_count.avg"
+ },
+ "59f2bee0-1a09-4b55-8016-14ee3cd01079X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.queue_count.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "59f2bee0-1a09-4b55-8016-14ee3cd01079X0"
+ ],
+ "scale": "ratio"
+ },
+ "f9be0a93-f211-4823-9f9a-c5162cde988e": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Queue Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.queue_count.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-20a07535-0b51-434a-bf3f-216e2d77c640",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#A4DD00",
+ "layerId": "20a07535-0b51-434a-bf3f-216e2d77c640",
+ "layerType": "data",
+ "maxAccessor": "59f2bee0-1a09-4b55-8016-14ee3cd01079",
+ "metricAccessor": "f9be0a93-f211-4823-9f9a-c5162cde988e"
+ }
+ },
+ "title": "Storage Queue Count [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "9d84188c-5a30-41ac-81cc-fe4fed360dd3",
"w": 5,
- "x": 24,
- "y": 0
+ "x": 10,
+ "y": 5
},
"panelIndex": "9d84188c-5a30-41ac-81cc-fe4fed360dd3",
- "panelRefName": "panel_9d84188c-5a30-41ac-81cc-fe4fed360dd3",
- "type": "visualization",
- "version": "7.7.0"
+ "title": "Storage Queue Count [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "336ad6f8-dcaa-4246-ac54-acf8af705e33": {
+ "columnOrder": [
+ "97a06a58-d587-41be-b83d-4a8f9fa857fe",
+ "d9e64a9b-a0e7-4f70-932d-50c276e132ed"
+ ],
+ "columns": {
+ "97a06a58-d587-41be-b83d-4a8f9fa857fe": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "d9e64a9b-a0e7-4f70-932d-50c276e132ed": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Availability",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " %"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.availability.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-336ad6f8-dcaa-4246-ac54-acf8af705e33",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.6,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "d9e64a9b-a0e7-4f70-932d-50c276e132ed"
+ ],
+ "layerId": "336ad6f8-dcaa-4246-ac54-acf8af705e33",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "xAccessor": "97a06a58-d587-41be-b83d-4a8f9fa857fe",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(22,165,165,1)",
+ "forAccessor": "d9e64a9b-a0e7-4f70-932d-50c276e132ed"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Availability [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
- "i": "1d623c03-4d02-4a81-b91e-49e82e112016",
- "w": 19,
- "x": 29,
- "y": 0
+ "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
+ "w": 14,
+ "x": 15,
+ "y": 5
},
- "panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016",
- "panelRefName": "panel_1d623c03-4d02-4a81-b91e-49e82e112016",
- "title": "Transactions",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
+ "title": "Availability",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ea8a6797-15f7-4055-8e1c-f4ed94ee47cd": {
+ "columnOrder": [
+ "7891073b-e2e2-42bf-9e04-92898b13d112",
+ "232990ac-0ffe-4146-a055-bb5e49130275",
+ "0278faca-0f2b-4d20-b5c0-b99a88b7f5ee"
+ ],
+ "columns": {
+ "0278faca-0f2b-4d20-b5c0-b99a88b7f5ee": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "avg(azure.storage_account.transactions.total)",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.transactions.total"
+ },
+ "232990ac-0ffe-4146-a055-bb5e49130275": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.response_type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0278faca-0f2b-4d20-b5c0-b99a88b7f5ee",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.response_type"
+ },
+ "7891073b-e2e2-42bf-9e04-92898b13d112": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-ea8a6797-15f7-4055-8e1c-f4ed94ee47cd",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0278faca-0f2b-4d20-b5c0-b99a88b7f5ee"
+ ],
+ "layerId": "ea8a6797-15f7-4055-8e1c-f4ed94ee47cd",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "232990ac-0ffe-4146-a055-bb5e49130275",
+ "xAccessor": "7891073b-e2e2-42bf-9e04-92898b13d112",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "0278faca-0f2b-4d20-b5c0-b99a88b7f5ee"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Transactions [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 15,
- "i": "ff6441f8-d66d-4399-bae5-25d3d861b299",
- "w": 9,
- "x": 0,
+ "h": 9,
+ "i": "1d623c03-4d02-4a81-b91e-49e82e112016",
+ "w": 19,
+ "x": 29,
"y": 5
},
- "panelIndex": "ff6441f8-d66d-4399-bae5-25d3d861b299",
- "panelRefName": "panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016",
+ "title": "Transactions",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "5046ff10-84a8-4c43-b63a-0cfa1cfa8d98": {
+ "columnOrder": [
+ "978ada30-004b-4298-a632-5f45c73f76b1",
+ "4cca678b-0bc1-4121-827a-36bf6d5ddb3a",
+ "27084753-0d21-44c4-9cc8-bb1718d840ed"
+ ],
+ "columns": {
+ "27084753-0d21-44c4-9cc8-bb1718d840ed": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "SuccessServerLatency (ms)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.success_server_latency.avg"
+ },
+ "4cca678b-0bc1-4121-827a-36bf6d5ddb3a": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "978ada30-004b-4298-a632-5f45c73f76b1": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "27084753-0d21-44c4-9cc8-bb1718d840ed",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-5046ff10-84a8-4c43-b63a-0cfa1cfa8d98",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "27084753-0d21-44c4-9cc8-bb1718d840ed"
+ ],
+ "layerId": "5046ff10-84a8-4c43-b63a-0cfa1cfa8d98",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "978ada30-004b-4298-a632-5f45c73f76b1",
+ "xAccessor": "4cca678b-0bc1-4121-827a-36bf6d5ddb3a",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "27084753-0d21-44c4-9cc8-bb1718d840ed"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Success Server Latency [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "87066244-7840-4555-9d12-026d64977f1a",
- "w": 20,
- "x": 9,
- "y": 9
+ "w": 24,
+ "x": 0,
+ "y": 14
},
"panelIndex": "87066244-7840-4555-9d12-026d64977f1a",
- "panelRefName": "panel_87066244-7840-4555-9d12-026d64977f1a",
"title": "Success Server Latency",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "de690d9f-a13b-439c-a945-1d8645c4d058": {
+ "columnOrder": [
+ "e0a385c3-47bd-4871-9279-13d3b48da660",
+ "79a3444f-d7d9-47f9-a36b-7f5c9a53874c",
+ "0629be0e-c959-4df4-89b2-cd98578d8eff"
+ ],
+ "columns": {
+ "0629be0e-c959-4df4-89b2-cd98578d8eff": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Success E2E Latency (ms)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.success_e2elatency.avg"
+ },
+ "79a3444f-d7d9-47f9-a36b-7f5c9a53874c": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "e0a385c3-47bd-4871-9279-13d3b48da660": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0629be0e-c959-4df4-89b2-cd98578d8eff",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-de690d9f-a13b-439c-a945-1d8645c4d058",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0629be0e-c959-4df4-89b2-cd98578d8eff"
+ ],
+ "layerId": "de690d9f-a13b-439c-a945-1d8645c4d058",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "e0a385c3-47bd-4871-9279-13d3b48da660",
+ "xAccessor": "79a3444f-d7d9-47f9-a36b-7f5c9a53874c",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "0629be0e-c959-4df4-89b2-cd98578d8eff"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Success E2E Latency [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "756da375-e6a2-4668-af43-0cd294878254",
- "w": 19,
- "x": 29,
- "y": 9
+ "w": 24,
+ "x": 24,
+ "y": 14
},
"panelIndex": "756da375-e6a2-4668-af43-0cd294878254",
- "panelRefName": "panel_756da375-e6a2-4668-af43-0cd294878254",
"title": "Success E2E Latency",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "1bff659c-1808-440a-beae-6d47570c7f40": {
+ "columnOrder": [
+ "4e26ba6c-9473-4c9f-ba92-6a1ac9ff04e0",
+ "908d41f7-b273-433c-a23f-d5d42d3dbf42",
+ "9ff6d2d4-b8ed-49e9-bf07-2482fdbf2db5"
+ ],
+ "columns": {
+ "4e26ba6c-9473-4c9f-ba92-6a1ac9ff04e0": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9ff6d2d4-b8ed-49e9-bf07-2482fdbf2db5",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "908d41f7-b273-433c-a23f-d5d42d3dbf42": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "9ff6d2d4-b8ed-49e9-bf07-2482fdbf2db5": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Egress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.egress.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-1bff659c-1808-440a-beae-6d47570c7f40",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "9ff6d2d4-b8ed-49e9-bf07-2482fdbf2db5"
+ ],
+ "layerId": "1bff659c-1808-440a-beae-6d47570c7f40",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "4e26ba6c-9473-4c9f-ba92-6a1ac9ff04e0",
+ "xAccessor": "908d41f7-b273-433c-a23f-d5d42d3dbf42",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(0,149,177,1)",
+ "forAccessor": "9ff6d2d4-b8ed-49e9-bf07-2482fdbf2db5"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Account Egress Traffic [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 14,
"i": "a715fafc-ca38-410c-9253-12ba506eabc0",
- "w": 20,
- "x": 9,
- "y": 24
+ "w": 24,
+ "x": 0,
+ "y": 29
},
"panelIndex": "a715fafc-ca38-410c-9253-12ba506eabc0",
- "panelRefName": "panel_a715fafc-ca38-410c-9253-12ba506eabc0",
"title": "Egress Traffic by APIName",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "6695f201-3a69-477d-be45-41b63d483f20": {
+ "columnOrder": [
+ "71fcd84d-98d0-4e88-aec8-6279f7a98146",
+ "40f33636-88f5-4f0c-a98c-887d40b309d9",
+ "e3fd0938-bcfa-4e1f-9036-fd34230f3850"
+ ],
+ "columns": {
+ "40f33636-88f5-4f0c-a98c-887d40b309d9": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "71fcd84d-98d0-4e88-aec8-6279f7a98146": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "e3fd0938-bcfa-4e1f-9036-fd34230f3850",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "e3fd0938-bcfa-4e1f-9036-fd34230f3850": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Ingress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.ingress.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-6695f201-3a69-477d-be45-41b63d483f20",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "e3fd0938-bcfa-4e1f-9036-fd34230f3850"
+ ],
+ "layerId": "6695f201-3a69-477d-be45-41b63d483f20",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "71fcd84d-98d0-4e88-aec8-6279f7a98146",
+ "xAccessor": "40f33636-88f5-4f0c-a98c-887d40b309d9",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,188,0,1)",
+ "forAccessor": "e3fd0938-bcfa-4e1f-9036-fd34230f3850"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Account Ingress Traffic [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 14,
"i": "75f72920-be71-47a9-a967-f1c862ab2961",
- "w": 19,
- "x": 29,
- "y": 24
+ "w": 24,
+ "x": 24,
+ "y": 29
},
"panelIndex": "75f72920-be71-47a9-a967-f1c862ab2961",
- "panelRefName": "panel_75f72920-be71-47a9-a967-f1c862ab2961",
"title": "Ingress Traffic by APIName",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Queue Storage Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-09-01T11:34:52.555Z",
"id": "azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.7.0"
},
"references": [
{
@@ -237,59 +1622,19 @@
"type": "index-pattern"
},
{
- "id": "azure_metrics-09f05e00-32f7-11ea-a83e-25b8612d00cc",
- "name": "933a427d-a8b7-48ff-ac53-337f32b340ea:panel_933a427d-a8b7-48ff-ac53-337f32b340ea",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-40dbc0d0-32e3-11ea-a83e-25b8612d00cc",
- "name": "a9456b9b-efa6-410d-a56c-4b66aa8c499e:panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-e159b990-339c-11ea-a83e-25b8612d00cc",
- "name": "0b4107a7-6a3d-4092-9813-00edb56bc838:panel_0b4107a7-6a3d-4092-9813-00edb56bc838",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-2bedaca0-339d-11ea-a83e-25b8612d00cc",
- "name": "cf022a47-2314-4ab6-b397-b1d860944179:panel_cf022a47-2314-4ab6-b397-b1d860944179",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-0241cc10-339d-11ea-a83e-25b8612d00cc",
- "name": "9d84188c-5a30-41ac-81cc-fe4fed360dd3:panel_9d84188c-5a30-41ac-81cc-fe4fed360dd3",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-553f9320-32e9-11ea-a83e-25b8612d00cc",
- "name": "1d623c03-4d02-4a81-b91e-49e82e112016:panel_1d623c03-4d02-4a81-b91e-49e82e112016",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-acced050-32d1-11ea-a83e-25b8612d00cc",
- "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d00cc",
- "name": "87066244-7840-4555-9d12-026d64977f1a:panel_87066244-7840-4555-9d12-026d64977f1a",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-685fbeb0-32eb-11ea-a83e-25b8612d00cc",
- "name": "756da375-e6a2-4668-af43-0cd294878254:panel_756da375-e6a2-4668-af43-0cd294878254",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_13954387-48b2-4103-97e6-1d4ffcf73360:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-599c62c0-32d7-11ea-a83e-25b8612d00cc",
- "name": "a715fafc-ca38-410c-9253-12ba506eabc0:panel_a715fafc-ca38-410c-9253-12ba506eabc0",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_14bb75a0-6906-4555-9ed2-7bcd4580d596:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-4eaef260-32e1-11ea-a83e-25b8612d00cc",
- "name": "75f72920-be71-47a9-a967-f1c862ab2961:panel_75f72920-be71-47a9-a967-f1c862ab2961",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_018c4a7e-7f19-446e-ad9c-445278d027ef:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
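Review bot: The three new references at L108093–L108111 are keyed by control ids (`controlGroup_13954387-…`, `controlGroup_14bb75a0-…`, `controlGroup_018c4a7e-…`) that must match the ids inside this dashboard's `controlGroupInput.panelsJSON`, which lies outside this hunk; if any id differs, the corresponding options-list control will not resolve its `metrics-*` data view, so confirm they agree. The removed entries drop every `visualization` reference from this dashboard (e.g. `azure_metrics-09f05e00-32f7-11ea-a83e-25b8612d00cc`); presumably those saved-object files are deleted elsewhere in the change, otherwise they now ship as orphans. It is also worth noting for readers that the inlined Lens panels bind to the ad-hoc data view `tsvb_ad_hoc_metrics-*/@timestamp` through `internalReferences` while the controls bind to the `metrics-*` saved data view by id, so the dashboard depends on two distinct data-view identities.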
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc.json
index 45a4e6d3a26..0f5c44c65cc 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc.json
@@ -1,7 +1,12 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"4d6088e2-f470-4c13-b08f-cf6b06b13c6a\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"4d6088e2-f470-4c13-b08f-cf6b06b13c6a\",\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"enhancements\":{}}},\"edac4b55-78e4-4252-97eb-bbf610058b43\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"edac4b55-78e4-4252-97eb-bbf610058b43\",\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"singleSelect\":false,\"enhancements\":{}}},\"2bbcb2bd-697a-45a2-a463-4da14a9a07d4\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"2bbcb2bd-697a-45a2-a463-4da14a9a07d4\",\"fieldName\":\"azure.resource.name\",\"title\":\"Resource Name\",\"enhancements\":{}}}}"
+ },
"description": "This dashboard shows metrics for different storage types in Azure.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
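Review bot: The three optionsListControl entries added in `panelsJSON` (control ids `4d6088e2-f470-4c13-b08f-cf6b06b13c6a`, `edac4b55-78e4-4252-97eb-bbf610058b43`, `2bbcb2bd-697a-45a2-a463-4da14a9a07d4`) carry no data view in their `explicitInput`, so each can only resolve its index pattern through a matching `controlGroup_<id>:optionsListDataView` entry of type `index-pattern` in this dashboard's `references` array, which lies outside this hunk. Please confirm the file adds one such reference per control id, as the sibling dashboard earlier in this diff does for its own controls; an unmatched id would presumably leave the control bound to no data view after import. The encoded string in `panelsJSON` and the `references` list are the only places the binding lives, so they need to be kept in sync whenever a control is added or renamed.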
@@ -13,278 +18,1769 @@
},
"optionsJSON": {
"hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "### Azure Storage\n\n[**Overview**](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Storage Overview [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 5,
"i": "3e05fed8-0edd-4973-a640-3499c62b141d",
- "w": 9,
+ "w": 48,
"x": 0,
"y": 0
},
"panelIndex": "3e05fed8-0edd-4973-a640-3499c62b141d",
- "panelRefName": "panel_3e05fed8-0edd-4973-a640-3499c62b141d",
"type": "visualization",
- "version": "7.5.0"
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 9,
- "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "w": 5,
- "x": 9,
- "y": 0
- },
- "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "panelRefName": "panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "title": "Availability",
- "type": "visualization",
- "version": "7.5.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e97bc990-7acb-4492-9d3a-10e39fd18b6f": {
+ "columnOrder": [
+ "406fb7d6-7444-44ad-a854-9c6228e79ea9",
+ "a2063525-bfe8-4af3-a408-3b35113a1481X0",
+ "a2063525-bfe8-4af3-a408-3b35113a1481X1",
+ "a2063525-bfe8-4af3-a408-3b35113a1481"
+ ],
+ "columns": {
+ "406fb7d6-7444-44ad-a854-9c6228e79ea9": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Used Capacity",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.used_capacity.avg"
+ },
+ "a2063525-bfe8-4af3-a408-3b35113a1481": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.used_capacity.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.used_capacity.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "a2063525-bfe8-4af3-a408-3b35113a1481X1"
+ ],
+ "scale": "ratio"
+ },
+ "a2063525-bfe8-4af3-a408-3b35113a1481X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.used_capacity.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.used_capacity.avg"
+ },
+ "a2063525-bfe8-4af3-a408-3b35113a1481X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.used_capacity.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "a2063525-bfe8-4af3-a408-3b35113a1481X0"
+ ],
+ "scale": "ratio"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-e97bc990-7acb-4492-9d3a-10e39fd18b6f",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#68CCCA",
+ "layerId": "e97bc990-7acb-4492-9d3a-10e39fd18b6f",
+ "layerType": "data",
+ "maxAccessor": "a2063525-bfe8-4af3-a408-3b35113a1481",
+ "metricAccessor": "406fb7d6-7444-44ad-a854-9c6228e79ea9",
+ "showBar": false
+ }
+ },
+ "title": "Storage Used Capacity [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "ed66fab5-f4e7-45d9-b27f-2315e0a10850",
"w": 5,
- "x": 14,
- "y": 0
+ "x": 0,
+ "y": 5
},
"panelIndex": "ed66fab5-f4e7-45d9-b27f-2315e0a10850",
- "panelRefName": "panel_ed66fab5-f4e7-45d9-b27f-2315e0a10850",
- "type": "visualization",
- "version": "7.5.0"
+ "title": "Storage Used Capacity [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "9b84a8c8-c177-442a-b748-ba0ee3954a67": {
+ "columnOrder": [
+ "e03e47e3-0020-4c01-8a84-7bdc2ac2b89a",
+ "6160382c-270e-42f7-9d4a-f644e4af73a1",
+ "6160382c-270e-42f7-9d4a-f644e4af73a1X0",
+ "6160382c-270e-42f7-9d4a-f644e4af73a1X1"
+ ],
+ "columns": {
+ "6160382c-270e-42f7-9d4a-f644e4af73a1": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.ingress.total))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.ingress.total))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "6160382c-270e-42f7-9d4a-f644e4af73a1X1"
+ ],
+ "scale": "ratio"
+ },
+ "6160382c-270e-42f7-9d4a-f644e4af73a1X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.ingress.total))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.ingress.total"
+ },
+ "6160382c-270e-42f7-9d4a-f644e4af73a1X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.ingress.total))",
+ "operationType": "overall_max",
+ "references": [
+ "6160382c-270e-42f7-9d4a-f644e4af73a1X0"
+ ],
+ "scale": "ratio"
+ },
+ "e03e47e3-0020-4c01-8a84-7bdc2ac2b89a": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Ingress",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.ingress.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-9b84a8c8-c177-442a-b748-ba0ee3954a67",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#68CCCA",
+ "layerId": "9b84a8c8-c177-442a-b748-ba0ee3954a67",
+ "layerType": "data",
+ "maxAccessor": "6160382c-270e-42f7-9d4a-f644e4af73a1",
+ "metricAccessor": "e03e47e3-0020-4c01-8a84-7bdc2ac2b89a",
+ "showBar": false
+ }
+ },
+ "title": "Storage Ingress Gauge [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "71f11ae2-b13c-49b5-ae16-3d6d5e1dacec",
"w": 5,
- "x": 19,
- "y": 0
+ "x": 5,
+ "y": 5
},
"panelIndex": "71f11ae2-b13c-49b5-ae16-3d6d5e1dacec",
- "panelRefName": "panel_71f11ae2-b13c-49b5-ae16-3d6d5e1dacec",
- "type": "visualization",
- "version": "7.5.0"
+ "title": "Storage Ingress Gauge [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "5601d2ea-bb1c-4529-9b94-a0ffb06c76d4": {
+ "columnOrder": [
+ "18860bc9-c1b5-47ca-8377-355028ce4e63",
+ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422X0",
+ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422X1",
+ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422"
+ ],
+ "columns": {
+ "18860bc9-c1b5-47ca-8377-355028ce4e63": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Egress",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.egress.total"
+ },
+ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.egress.total))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.egress.total))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422X1"
+ ],
+ "scale": "ratio"
+ },
+ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.egress.total))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.egress.total"
+ },
+ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.egress.total))",
+ "operationType": "overall_max",
+ "references": [
+ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422X0"
+ ],
+ "scale": "ratio"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-5601d2ea-bb1c-4529-9b94-a0ffb06c76d4",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#68CCCA",
+ "layerId": "5601d2ea-bb1c-4529-9b94-a0ffb06c76d4",
+ "layerType": "data",
+ "maxAccessor": "e5b9cf0f-995d-4164-b70b-c3c7d3a28422",
+ "metricAccessor": "18860bc9-c1b5-47ca-8377-355028ce4e63"
+ }
+ },
+ "title": "Storage Egress Gauge [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "dae9895e-c53a-4989-bab1-1b7b7c233c56",
"w": 5,
- "x": 24,
- "y": 0
+ "x": 10,
+ "y": 5
},
"panelIndex": "dae9895e-c53a-4989-bab1-1b7b7c233c56",
- "panelRefName": "panel_dae9895e-c53a-4989-bab1-1b7b7c233c56",
- "type": "visualization",
- "version": "7.5.0"
+ "title": "Storage Egress Gauge [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "bd22ea55-1fc5-481b-862a-2cd82d75c0d8": {
+ "columnOrder": [
+ "a4707016-e5d1-4f3a-8ba3-6bdefaa9ca69",
+ "0f3a1d5f-a240-422b-aa08-658f47ba2ac6"
+ ],
+ "columns": {
+ "0f3a1d5f-a240-422b-aa08-658f47ba2ac6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Availability",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": "%"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.availability.avg"
+ },
+ "a4707016-e5d1-4f3a-8ba3-6bdefaa9ca69": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-bd22ea55-1fc5-481b-862a-2cd82d75c0d8",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.6,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0f3a1d5f-a240-422b-aa08-658f47ba2ac6"
+ ],
+ "layerId": "bd22ea55-1fc5-481b-862a-2cd82d75c0d8",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "xAccessor": "a4707016-e5d1-4f3a-8ba3-6bdefaa9ca69",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(22,165,165,1)",
+ "forAccessor": "0f3a1d5f-a240-422b-aa08-658f47ba2ac6"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Availability [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
- "i": "1d623c03-4d02-4a81-b91e-49e82e112016",
- "w": 19,
- "x": 29,
- "y": 0
+ "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
+ "w": 14,
+ "x": 15,
+ "y": 5
},
- "panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016",
- "panelRefName": "panel_1d623c03-4d02-4a81-b91e-49e82e112016",
- "title": "Transactions",
- "type": "visualization",
- "version": "7.5.0"
+ "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
+ "title": "Availability",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "122d106a-5ebf-4fb4-9eda-76f7e0b8b27c": {
+ "columnOrder": [
+ "0bd251de-d6a1-47a6-9da9-d26ad4ba955e",
+ "1a1df8e4-d9f5-47b6-8594-0ab0f60e8b07",
+ "b04428d5-eeb1-4e0e-83bd-fc83c6863ca0"
+ ],
+ "columns": {
+ "0bd251de-d6a1-47a6-9da9-d26ad4ba955e": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "1a1df8e4-d9f5-47b6-8594-0ab0f60e8b07": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.response_type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b04428d5-eeb1-4e0e-83bd-fc83c6863ca0",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.response_type"
+ },
+ "b04428d5-eeb1-4e0e-83bd-fc83c6863ca0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "avg(azure.storage_account.transactions.total)",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.transactions.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-122d106a-5ebf-4fb4-9eda-76f7e0b8b27c",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "b04428d5-eeb1-4e0e-83bd-fc83c6863ca0"
+ ],
+ "layerId": "122d106a-5ebf-4fb4-9eda-76f7e0b8b27c",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "1a1df8e4-d9f5-47b6-8594-0ab0f60e8b07",
+ "xAccessor": "0bd251de-d6a1-47a6-9da9-d26ad4ba955e",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "b04428d5-eeb1-4e0e-83bd-fc83c6863ca0"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Transactions [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 15,
- "i": "ff6441f8-d66d-4399-bae5-25d3d861b299",
- "w": 9,
- "x": 0,
+ "h": 9,
+ "i": "1d623c03-4d02-4a81-b91e-49e82e112016",
+ "w": 19,
+ "x": 29,
"y": 5
},
- "panelIndex": "ff6441f8-d66d-4399-bae5-25d3d861b299",
- "panelRefName": "panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization",
- "version": "7.5.0"
+ "panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016",
+ "title": "Transactions",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7ac323ec-3377-43c3-ba80-c57416ec8fca": {
+ "columnOrder": [
+ "a50e86df-2b20-4f18-9edf-283fe898564a",
+ "0b6693e2-f028-4cef-ae38-a9e3a712c5d1",
+ "490543d6-dc11-4696-8261-fa41d4897288"
+ ],
+ "columns": {
+ "0b6693e2-f028-4cef-ae38-a9e3a712c5d1": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "490543d6-dc11-4696-8261-fa41d4897288": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "SuccessServerLatency (ms)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.success_server_latency.avg"
+ },
+ "a50e86df-2b20-4f18-9edf-283fe898564a": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "490543d6-dc11-4696-8261-fa41d4897288",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-7ac323ec-3377-43c3-ba80-c57416ec8fca",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "490543d6-dc11-4696-8261-fa41d4897288"
+ ],
+ "layerId": "7ac323ec-3377-43c3-ba80-c57416ec8fca",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "a50e86df-2b20-4f18-9edf-283fe898564a",
+ "xAccessor": "0b6693e2-f028-4cef-ae38-a9e3a712c5d1",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "490543d6-dc11-4696-8261-fa41d4897288"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Success Server Latency [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "87066244-7840-4555-9d12-026d64977f1a",
- "w": 20,
- "x": 9,
- "y": 9
+ "w": 23,
+ "x": 0,
+ "y": 14
},
"panelIndex": "87066244-7840-4555-9d12-026d64977f1a",
- "panelRefName": "panel_87066244-7840-4555-9d12-026d64977f1a",
"title": "Success Server Latency",
- "type": "visualization",
- "version": "7.5.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "de2c4d17-8208-4db2-9461-f10257c6b86a": {
+ "columnOrder": [
+ "945c1823-c41a-4ce3-b88b-1c013bd20b96",
+ "b76601bf-1caf-4f61-85f2-796aea0dd43d",
+ "70e1d63a-137c-4d51-b195-0dce32c673a8"
+ ],
+ "columns": {
+ "70e1d63a-137c-4d51-b195-0dce32c673a8": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Success E2E Latency (ms)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.success_e2elatency.avg"
+ },
+ "945c1823-c41a-4ce3-b88b-1c013bd20b96": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "70e1d63a-137c-4d51-b195-0dce32c673a8",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "b76601bf-1caf-4f61-85f2-796aea0dd43d": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-de2c4d17-8208-4db2-9461-f10257c6b86a",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "70e1d63a-137c-4d51-b195-0dce32c673a8"
+ ],
+ "layerId": "de2c4d17-8208-4db2-9461-f10257c6b86a",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "945c1823-c41a-4ce3-b88b-1c013bd20b96",
+ "xAccessor": "b76601bf-1caf-4f61-85f2-796aea0dd43d",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "70e1d63a-137c-4d51-b195-0dce32c673a8"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Success E2E Latency [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "756da375-e6a2-4668-af43-0cd294878254",
- "w": 19,
- "x": 29,
- "y": 9
+ "w": 25,
+ "x": 23,
+ "y": 14
},
"panelIndex": "756da375-e6a2-4668-af43-0cd294878254",
- "panelRefName": "panel_756da375-e6a2-4668-af43-0cd294878254",
"title": "Success E2E Latency",
- "type": "visualization",
- "version": "7.5.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "721b6040-2117-44bf-b66b-afb85793d514": {
+ "columnOrder": [
+ "c80cde64-a940-4aa4-8d58-0afde134a141",
+ "1f16d1af-c76e-4040-8cc5-f57c905e0ea4"
+ ],
+ "columns": {
+ "1f16d1af-c76e-4040-8cc5-f57c905e0ea4": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Used Capacity",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.used_capacity.avg"
+ },
+ "c80cde64-a940-4aa4-8d58-0afde134a141": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "1f16d1af-c76e-4040-8cc5-f57c905e0ea4",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-721b6040-2117-44bf-b66b-afb85793d514",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": false
+ },
+ "fillOpacity": 1.2,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": false
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "1f16d1af-c76e-4040-8cc5-f57c905e0ea4"
+ ],
+ "layerId": "721b6040-2117-44bf-b66b-afb85793d514",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar_horizontal",
+ "xAccessor": "c80cde64-a940-4aa4-8d58-0afde134a141",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,204,202,1)",
+ "forAccessor": "1f16d1af-c76e-4040-8cc5-f57c905e0ea4"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": false
+ },
+ "valueLabels": "show"
+ }
+ },
+ "title": "Storage Used Capacity Resource Table [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 18,
+ "h": 14,
"i": "bf57aed2-3b69-4c8c-b602-e9054d08deb9",
"w": 9,
"x": 0,
- "y": 20
+ "y": 29
},
"panelIndex": "bf57aed2-3b69-4c8c-b602-e9054d08deb9",
- "panelRefName": "panel_bf57aed2-3b69-4c8c-b602-e9054d08deb9",
"title": "Used Capacity by Resource",
- "type": "visualization",
- "version": "7.5.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "adc8429d-18aa-496e-ad4d-9b9418ea5157": {
+ "columnOrder": [
+ "cd99d8b6-ed6d-446f-9ae1-72997cab109f",
+ "1ec9a04a-dd22-4b59-86ce-04be1d525dbc",
+ "6b619561-5f87-4042-9250-9f07e71d8bb4"
+ ],
+ "columns": {
+ "1ec9a04a-dd22-4b59-86ce-04be1d525dbc": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "6b619561-5f87-4042-9250-9f07e71d8bb4": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Egress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.egress.total"
+ },
+ "cd99d8b6-ed6d-446f-9ae1-72997cab109f": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6b619561-5f87-4042-9250-9f07e71d8bb4",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-adc8429d-18aa-496e-ad4d-9b9418ea5157",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "6b619561-5f87-4042-9250-9f07e71d8bb4"
+ ],
+ "layerId": "adc8429d-18aa-496e-ad4d-9b9418ea5157",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "cd99d8b6-ed6d-446f-9ae1-72997cab109f",
+ "xAccessor": "1ec9a04a-dd22-4b59-86ce-04be1d525dbc",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(0,149,177,1)",
+ "forAccessor": "6b619561-5f87-4042-9250-9f07e71d8bb4"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Account Egress Traffic [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 14,
"i": "a715fafc-ca38-410c-9253-12ba506eabc0",
"w": 20,
"x": 9,
- "y": 24
+ "y": 29
},
"panelIndex": "a715fafc-ca38-410c-9253-12ba506eabc0",
- "panelRefName": "panel_a715fafc-ca38-410c-9253-12ba506eabc0",
"title": "Egress Traffic by APIName",
- "type": "visualization",
- "version": "7.5.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b648e834-9fc3-406e-bb6e-bc38516f1427": {
+ "columnOrder": [
+ "a0cbfa17-8e7a-4ba4-bc9b-1d34724e92b5",
+ "52ea9c9f-cb39-4311-a235-3489c5727f43",
+ "0a8507bb-d2a8-4914-a29f-137eed360a69"
+ ],
+ "columns": {
+ "0a8507bb-d2a8-4914-a29f-137eed360a69": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Ingress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.ingress.total"
+ },
+ "52ea9c9f-cb39-4311-a235-3489c5727f43": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "a0cbfa17-8e7a-4ba4-bc9b-1d34724e92b5": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0a8507bb-d2a8-4914-a29f-137eed360a69",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-b648e834-9fc3-406e-bb6e-bc38516f1427",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a8507bb-d2a8-4914-a29f-137eed360a69"
+ ],
+ "layerId": "b648e834-9fc3-406e-bb6e-bc38516f1427",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "a0cbfa17-8e7a-4ba4-bc9b-1d34724e92b5",
+ "xAccessor": "52ea9c9f-cb39-4311-a235-3489c5727f43",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,188,0,1)",
+ "forAccessor": "0a8507bb-d2a8-4914-a29f-137eed360a69"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Account Ingress Traffic [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 14,
"i": "75f72920-be71-47a9-a967-f1c862ab2961",
"w": 19,
"x": 29,
- "y": 24
+ "y": 29
},
"panelIndex": "75f72920-be71-47a9-a967-f1c862ab2961",
- "panelRefName": "panel_75f72920-be71-47a9-a967-f1c862ab2961",
"title": "Ingress Traffic by APIName",
- "type": "visualization",
- "version": "7.5.0"
+ "type": "lens",
+ "version": "8.7.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Storage Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-09-01T05:30:06.264Z",
"id": "azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.7.0"
},
"references": [
{
- "id": "azure_metrics-fcc24d70-32f5-11ea-a83e-25b8612d00cc",
- "name": "3e05fed8-0edd-4973-a640-3499c62b141d:panel_3e05fed8-0edd-4973-a640-3499c62b141d",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-40dbc0d0-32e3-11ea-a83e-25b8612d00cc",
- "name": "a9456b9b-efa6-410d-a56c-4b66aa8c499e:panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-634b83c0-32ee-11ea-a83e-25b8612d00cc",
- "name": "ed66fab5-f4e7-45d9-b27f-2315e0a10850:panel_ed66fab5-f4e7-45d9-b27f-2315e0a10850",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-33d645e0-32ed-11ea-a83e-25b8612d00cc",
- "name": "71f11ae2-b13c-49b5-ae16-3d6d5e1dacec:panel_71f11ae2-b13c-49b5-ae16-3d6d5e1dacec",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-2219de20-32ed-11ea-a83e-25b8612d00cc",
- "name": "dae9895e-c53a-4989-bab1-1b7b7c233c56:panel_dae9895e-c53a-4989-bab1-1b7b7c233c56",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-553f9320-32e9-11ea-a83e-25b8612d00cc",
- "name": "1d623c03-4d02-4a81-b91e-49e82e112016:panel_1d623c03-4d02-4a81-b91e-49e82e112016",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-acced050-32d1-11ea-a83e-25b8612d00cc",
- "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d00cc",
- "name": "87066244-7840-4555-9d12-026d64977f1a:panel_87066244-7840-4555-9d12-026d64977f1a",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-685fbeb0-32eb-11ea-a83e-25b8612d00cc",
- "name": "756da375-e6a2-4668-af43-0cd294878254:panel_756da375-e6a2-4668-af43-0cd294878254",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-109ec950-32e6-11ea-a83e-25b8612d00cc",
- "name": "bf57aed2-3b69-4c8c-b602-e9054d08deb9:panel_bf57aed2-3b69-4c8c-b602-e9054d08deb9",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_4d6088e2-f470-4c13-b08f-cf6b06b13c6a:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-599c62c0-32d7-11ea-a83e-25b8612d00cc",
- "name": "a715fafc-ca38-410c-9253-12ba506eabc0:panel_a715fafc-ca38-410c-9253-12ba506eabc0",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_edac4b55-78e4-4252-97eb-bbf610058b43:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-4eaef260-32e1-11ea-a83e-25b8612d00cc",
- "name": "75f72920-be71-47a9-a967-f1c862ab2961:panel_75f72920-be71-47a9-a967-f1c862ab2961",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_2bbcb2bd-697a-45a2-a463-4da14a9a07d4:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2.json
index 79f5f5e9ec5..6d0aec6b272 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2.json
@@ -1,5 +1,11 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"e24a18a5-e96e-4e48-a813-6ac27de167b6\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"id\":\"e24a18a5-e96e-4e48-a813-6ac27de167b6\",\"enhancements\":{}}},\"5764ac1d-87aa-4fa8-812a-d55f4dc804e9\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"singleSelect\":true,\"id\":\"5764ac1d-87aa-4fa8-812a-d55f4dc804e9\",\"enhancements\":{}}},\"8e426d01-4311-46b4-9b3a-aa38989fab0d\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.name\",\"title\":\"Resource\",\"singleSelect\":true,\"id\":\"8e426d01-4311-46b4-9b3a-aa38989fab0d\",\"enhancements\":{}}}}"
+ },
"description": "This dashboard shows metrics for the container registry in Azure.",
"hits": 0,
"kibanaSavedObjectMeta": {
@@ -18,144 +24,781 @@
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Azure Containers\n\n[Instances](#/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38) |\n[**Registries**](#/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2) |\n[Services](#/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Container Registry Overview [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 5,
"i": "51fee31f-97e1-4f8e-aeb2-daeca1ccf9be",
- "w": 9,
+ "w": 48,
"x": 0,
"y": 0
},
"panelIndex": "51fee31f-97e1-4f8e-aeb2-daeca1ccf9be",
- "panelRefName": "panel_51fee31f-97e1-4f8e-aeb2-daeca1ccf9be",
"type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-0fb3202b-7afd-431a-a2b6-37db2b05e38e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "0fb3202b-7afd-431a-a2b6-37db2b05e38e": {
+ "columnOrder": [
+ "794377c5-bb06-4742-925c-228ba53d2d33",
+ "b80cecc3-d968-4960-bd0f-6bb934462185",
+ "a462a422-ac96-41e0-ac89-b2829c843721"
+ ],
+ "columns": {
+ "794377c5-bb06-4742-925c-228ba53d2d33": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "a462a422-ac96-41e0-ac89-b2829c843721": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Container Registry Successful Pull Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_registry.successful_pull_count.total"
+ },
+ "b80cecc3-d968-4960-bd0f-6bb934462185": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.ContainerRegistry/registries\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "a462a422-ac96-41e0-ac89-b2829c843721"
+ ],
+ "layerId": "0fb3202b-7afd-431a-a2b6-37db2b05e38e",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "794377c5-bb06-4742-925c-228ba53d2d33",
+ "xAccessor": "b80cecc3-d968-4960-bd0f-6bb934462185",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(188,74,0,1)",
+ "forAccessor": "a462a422-ac96-41e0-ac89-b2829c843721"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
"i": "d5569792-ff48-4843-b63e-d37218468ced",
- "w": 18,
- "x": 9,
- "y": 0
+ "w": 24,
+ "x": 0,
+ "y": 5
},
"panelIndex": "d5569792-ff48-4843-b63e-d37218468ced",
- "panelRefName": "panel_d5569792-ff48-4843-b63e-d37218468ced",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "title": "Container Registry Successful Pull Count [Azure Metrics]",
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-de18b08a-95c6-472d-a4d9-4b94fb83912a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "de18b08a-95c6-472d-a4d9-4b94fb83912a": {
+ "columnOrder": [
+ "d3da8ced-dfbe-4f08-b0bd-d16769e39a81",
+ "d102bc80-f1c5-4753-83c0-260bd7dba88e",
+ "166a8c63-8bba-4f66-abf5-845fc94c9a81"
+ ],
+ "columns": {
+ "166a8c63-8bba-4f66-abf5-845fc94c9a81": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Container Registry Successful Push Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_registry.successful_push_count.total"
+ },
+ "d102bc80-f1c5-4753-83c0-260bd7dba88e": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "d3da8ced-dfbe-4f08-b0bd-d16769e39a81": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.ContainerRegistry/registries\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "166a8c63-8bba-4f66-abf5-845fc94c9a81"
+ ],
+ "layerId": "de18b08a-95c6-472d-a4d9-4b94fb83912a",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "d3da8ced-dfbe-4f08-b0bd-d16769e39a81",
+ "xAccessor": "d102bc80-f1c5-4753-83c0-260bd7dba88e",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(128,137,0,1)",
+ "forAccessor": "166a8c63-8bba-4f66-abf5-845fc94c9a81"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
"i": "25a02616-f735-494a-97f7-4a56531e9e5e",
- "w": 21,
- "x": 27,
- "y": 0
+ "w": 24,
+ "x": 24,
+ "y": 5
},
"panelIndex": "25a02616-f735-494a-97f7-4a56531e9e5e",
- "panelRefName": "panel_25a02616-f735-494a-97f7-4a56531e9e5e",
"title": "Container Registry Successful Push Count",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 11,
- "i": "ec183a66-545b-4a67-bfb4-568def660612",
- "w": 9,
- "x": 0,
- "y": 5
- },
- "panelIndex": "ec183a66-545b-4a67-bfb4-568def660612",
- "panelRefName": "panel_ec183a66-545b-4a67-bfb4-568def660612",
- "title": "Containers Filters",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-bb190f48-5d8d-46a4-8ef0-7f21c9b2719b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "bb190f48-5d8d-46a4-8ef0-7f21c9b2719b": {
+ "columnOrder": [
+ "732bc310-84f8-40c4-93d0-3f877749f6d1",
+ "5407c119-e770-4a0e-9ad0-411609bb72e6",
+ "15634ea6-bd04-4b1f-8727-91b73494d345"
+ ],
+ "columns": {
+ "15634ea6-bd04-4b1f-8727-91b73494d345": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Container Registry Successful Pull Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_registry.successful_pull_count.total"
+ },
+ "5407c119-e770-4a0e-9ad0-411609bb72e6": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "732bc310-84f8-40c4-93d0-3f877749f6d1": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.ContainerRegistry/registries\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "15634ea6-bd04-4b1f-8727-91b73494d345"
+ ],
+ "layerId": "bb190f48-5d8d-46a4-8ef0-7f21c9b2719b",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "splitAccessor": "732bc310-84f8-40c4-93d0-3f877749f6d1",
+ "xAccessor": "5407c119-e770-4a0e-9ad0-411609bb72e6",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(211,96,134,1)",
+ "forAccessor": "15634ea6-bd04-4b1f-8727-91b73494d345"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "7f508c43-afd7-4874-86ef-c6976700759b",
"w": 24,
"x": 0,
- "y": 16
+ "y": 21
},
"panelIndex": "7f508c43-afd7-4874-86ef-c6976700759b",
- "panelRefName": "panel_7f508c43-afd7-4874-86ef-c6976700759b",
"title": "Container Registry Total Pull Count",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-6062453c-6e46-4e3b-b924-63f77db4c2d7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "6062453c-6e46-4e3b-b924-63f77db4c2d7": {
+ "columnOrder": [
+ "56774ff2-d06c-4363-a6bc-362331f2fd80",
+ "f7798c02-234e-42aa-af12-af6f5eb21dff",
+ "32082492-bced-4e4f-baf7-d3347f2ac59b"
+ ],
+ "columns": {
+ "32082492-bced-4e4f-baf7-d3347f2ac59b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Container Registry Total Push Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_registry.total_push_count.total"
+ },
+ "56774ff2-d06c-4363-a6bc-362331f2fd80": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "f7798c02-234e-42aa-af12-af6f5eb21dff": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.ContainerRegistry/registries\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "32082492-bced-4e4f-baf7-d3347f2ac59b"
+ ],
+ "layerId": "6062453c-6e46-4e3b-b924-63f77db4c2d7",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "56774ff2-d06c-4363-a6bc-362331f2fd80",
+ "xAccessor": "f7798c02-234e-42aa-af12-af6f5eb21dff",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(252,196,0,1)",
+ "forAccessor": "32082492-bced-4e4f-baf7-d3347f2ac59b"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "97a048da-9b56-420b-af8c-1f0d568f0f94",
"w": 24,
"x": 24,
- "y": 16
+ "y": 21
},
"panelIndex": "97a048da-9b56-420b-af8c-1f0d568f0f94",
- "panelRefName": "panel_97a048da-9b56-420b-af8c-1f0d568f0f94",
"title": "Container Registry Total Push Count",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Container Registry Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.4.0",
"id": "azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.4.0"
},
"references": [
{
- "id": "azure_metrics-1e70dc50-6d22-11ea-8fe8-71add5fd7c38",
- "name": "51fee31f-97e1-4f8e-aeb2-daeca1ccf9be:panel_51fee31f-97e1-4f8e-aeb2-daeca1ccf9be",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "d5569792-ff48-4843-b63e-d37218468ced:indexpattern-datasource-layer-0fb3202b-7afd-431a-a2b6-37db2b05e38e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "25a02616-f735-494a-97f7-4a56531e9e5e:indexpattern-datasource-layer-de18b08a-95c6-472d-a4d9-4b94fb83912a",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-7972b260-6d07-11ea-8fe8-71add5fd7c38",
- "name": "d5569792-ff48-4843-b63e-d37218468ced:panel_d5569792-ff48-4843-b63e-d37218468ced",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "7f508c43-afd7-4874-86ef-c6976700759b:indexpattern-datasource-layer-bb190f48-5d8d-46a4-8ef0-7f21c9b2719b",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-b88b7f90-6d07-11ea-8fe8-71add5fd7c38",
- "name": "25a02616-f735-494a-97f7-4a56531e9e5e:panel_25a02616-f735-494a-97f7-4a56531e9e5e",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "97a048da-9b56-420b-af8c-1f0d568f0f94:indexpattern-datasource-layer-6062453c-6e46-4e3b-b924-63f77db4c2d7",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-0fa31060-6aae-11ea-af5c-73e8f396b3e9",
- "name": "ec183a66-545b-4a67-bfb4-568def660612:panel_ec183a66-545b-4a67-bfb4-568def660612",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_e24a18a5-e96e-4e48-a813-6ac27de167b6:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-ff303710-6d07-11ea-8fe8-71add5fd7c38",
- "name": "7f508c43-afd7-4874-86ef-c6976700759b:panel_7f508c43-afd7-4874-86ef-c6976700759b",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_5764ac1d-87aa-4fa8-812a-d55f4dc804e9:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-ddea7430-6d07-11ea-8fe8-71add5fd7c38",
- "name": "97a048da-9b56-420b-af8c-1f0d568f0f94:panel_97a048da-9b56-420b-af8c-1f0d568f0f94",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_8e426d01-4311-46b4-9b3a-aa38989fab0d:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
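Review bot: The panel titled `Container Registry Total Pull Count` (panelIndex 7f508c43) plots `"sourceField": "azure.container_registry.successful_pull_count.total"` with the label `Container Registry Successful Pull Count`, so the panel title and the visualised field disagree, whereas the sibling panel 97a048da titled `Container Registry Total Push Count` correctly uses `azure.container_registry.total_push_count.total`. If the package exposes a matching total pull count field, the sourceField and label of column 15634ea6 should presumably point at it; otherwise the panel title should be renamed to match what is actually plotted. The same panel is also the only one of the four Lens panels in this hunk whose date_histogram sets `"dropPartials": false` while the others set `true`, which looks unintentional. Minor style point: the panel-level title `Container Registry Successful Pull Count [Azure Metrics]` carries an `[Azure Metrics]` suffix that the other three panel titles in this dashboard omit.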
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-91afcc50-eaad-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-91afcc50-eaad-11e9-90ec-112a988266d5.json
index 0b6551cda37..81b67b3a123 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-91afcc50-eaad-11e9-90ec-112a988266d5.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-91afcc50-eaad-11e9-90ec-112a988266d5.json
@@ -1,5 +1,11 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"8637c045-a72a-4b38-9e62-d3bf2e7a08b7\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"Region\",\"id\":\"8637c045-a72a-4b38-9e62-d3bf2e7a08b7\",\"enhancements\":{}}},\"cee07fda-dcef-4e03-abb4-52e251ba0d66\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"id\":\"cee07fda-dcef-4e03-abb4-52e251ba0d66\",\"enhancements\":{}}},\"becc78e5-ae0e-49c5-afd3-bae0f51fde81\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.dimensions.vmname\",\"title\":\"VM Name (dimension)\",\"id\":\"becc78e5-ae0e-49c5-afd3-bae0f51fde81\",\"enhancements\":{}}}}"
+ },
"description": "This dashboard visualized relevant metrics for VM ScaleSets running on Azure cloud.",
"hits": 0,
"kibanaSavedObjectMeta": {
@@ -18,75 +24,516 @@
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 12,
- "i": "d84767cd-3fc9-438c-a969-f15c4d5fc9c5",
- "w": 6,
- "x": 0,
- "y": 0
- },
- "panelIndex": "d84767cd-3fc9-438c-a969-f15c4d5fc9c5",
- "panelRefName": "panel_d84767cd-3fc9-438c-a969-f15c4d5fc9c5",
- "title": "Filters",
- "type": "visualization",
- "version": "7.4.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-19ca4198-3d60-4298-bf58-2a8c8d703333",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "19ca4198-3d60-4298-bf58-2a8c8d703333": {
+ "columnOrder": [
+ "aaab3b26-7d59-4adf-926c-484db2bbcbca",
+ "ec46a4a5-cd6b-4b86-9673-12cfb32742f8",
+ "5e12e1b2-732b-4598-b8d1-f658302b4fef"
+ ],
+ "columns": {
+ "5e12e1b2-732b-4598-b8d1-f658302b4fef": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "avg(azure.compute_vm_scaleset.percentage_cpu.avg)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm_scaleset.percentage_cpu.avg"
+ },
+ "aaab3b26-7d59-4adf-926c-484db2bbcbca": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ec46a4a5-cd6b-4b86-9673-12cfb32742f8": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type :\"Microsoft.Compute/virtualMachineScaleSets\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "Zero",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "5e12e1b2-732b-4598-b8d1-f658302b4fef"
+ ],
+ "layerId": "19ca4198-3d60-4298-bf58-2a8c8d703333",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "ec46a4a5-cd6b-4b86-9673-12cfb32742f8",
+ "xAccessor": "aaab3b26-7d59-4adf-926c-484db2bbcbca",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "5e12e1b2-732b-4598-b8d1-f658302b4fef"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
"i": "127eff01-d34c-4bda-8f19-4cf06982989f",
- "w": 20,
- "x": 6,
+ "w": 24,
+ "x": 0,
"y": 0
},
"panelIndex": "127eff01-d34c-4bda-8f19-4cf06982989f",
- "panelRefName": "panel_127eff01-d34c-4bda-8f19-4cf06982989f",
"title": "Percentage CPU",
- "type": "visualization",
- "version": "7.4.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e21a5a91-d219-4f09-b6d1-20eb943d56b3",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "e21a5a91-d219-4f09-b6d1-20eb943d56b3": {
+ "columnOrder": [
+ "f9ebe066-14eb-4b90-aceb-f2f5ef87a19a",
+ "3714522d-8d92-416a-bd8f-2d2a2defae96",
+ "1dd865ec-35f7-4842-a734-b49e8b8a3c54"
+ ],
+ "columns": {
+ "1dd865ec-35f7-4842-a734-b49e8b8a3c54": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "avg(azure.compute_vm_scaleset.available_memory_bytes.avg)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm_scaleset.available_memory_bytes.avg"
+ },
+ "3714522d-8d92-416a-bd8f-2d2a2defae96": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "f9ebe066-14eb-4b90-aceb-f2f5ef87a19a": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type :\"Microsoft.Compute/virtualMachineScaleSets\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "1dd865ec-35f7-4842-a734-b49e8b8a3c54"
+ ],
+ "layerId": "e21a5a91-d219-4f09-b6d1-20eb943d56b3",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "3714522d-8d92-416a-bd8f-2d2a2defae96",
+ "xAccessor": "f9ebe066-14eb-4b90-aceb-f2f5ef87a19a",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(22,165,165,1)",
+ "forAccessor": "1dd865ec-35f7-4842-a734-b49e8b8a3c54"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
"i": "2f85c4f1-a575-49a1-99d3-fbed8a2806ec",
- "w": 22,
- "x": 26,
+ "w": 24,
+ "x": 24,
"y": 0
},
"panelIndex": "2f85c4f1-a575-49a1-99d3-fbed8a2806ec",
- "panelRefName": "panel_2f85c4f1-a575-49a1-99d3-fbed8a2806ec",
"title": "Available Memory",
- "type": "visualization",
- "version": "7.4.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 11,
- "i": "6cbc30b4-658e-4f7a-a888-221775fd0af3",
- "w": 12,
- "x": 36,
- "y": 12
- },
- "panelIndex": "6cbc30b4-658e-4f7a-a888-221775fd0af3",
- "panelRefName": "panel_6cbc30b4-658e-4f7a-a888-221775fd0af3",
- "title": "Disk Reads",
- "type": "visualization",
- "version": "7.4.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-6f3a6179-62e3-40fd-956b-8fdfd46f8371",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "6f3a6179-62e3-40fd-956b-8fdfd46f8371": {
+ "columnOrder": [
+ "50b321b7-2231-4b9b-8742-68c5b21bb7ff",
+ "0c0b01cd-a4c1-480d-993e-201cc50d9ffc",
+ "2b6d17dd-4bf7-46a8-baed-b64a32622da2"
+ ],
+ "columns": {
+ "0c0b01cd-a4c1-480d-993e-201cc50d9ffc": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "2b6d17dd-4bf7-46a8-baed-b64a32622da2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Azure VMSS Network In Total",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm_scaleset.network_in_total.total"
+ },
+ "50b321b7-2231-4b9b-8742-68c5b21bb7ff": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachineScaleSets\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "2b6d17dd-4bf7-46a8-baed-b64a32622da2"
+ ],
+ "layerId": "6f3a6179-62e3-40fd-956b-8fdfd46f8371",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "0c0b01cd-a4c1-480d-993e-201cc50d9ffc",
+ "xAccessor": "50b321b7-2231-4b9b-8742-68c5b21bb7ff",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,204,202,1)",
+ "forAccessor": "2b6d17dd-4bf7-46a8-baed-b64a32622da2"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 11,
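Review bot: The Percentage CPU panel sets `"fittingFunction": "Zero"` while every other Lens panel added in this file uses `"fittingFunction": "None"`; because the date histogram has `includeEmptyRows: true`, empty buckets should be drawn as 0% CPU on this chart but left as gaps on the others, which would misread missing data as an idle scale set. Consider `"fittingFunction": "None"` here for consistency with the sibling panels. The same layer also keeps the auto-generated label `avg(azure.compute_vm_scaleset.percentage_cpu.avg)` with `customLabel: true`, where the other panels carry a readable label such as `Azure VMSS Network In Total`; a short label like `Percentage CPU (avg)` would read better in tooltips. The KQL query string is also spelled three different ways across this file's panels (`:\"` versus `: \"`, with and without a trailing space, in this hunk and the Network In/Out, Disk Read/Write Operations hunks); they are equivalent in KQL, but one spelling would be easier to grep and diff.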
@@ -96,14 +543,174 @@
"y": 12
},
"panelIndex": "e195e7ba-c736-4bf7-9f23-c96f4acd9b6b",
- "panelRefName": "panel_e195e7ba-c736-4bf7-9f23-c96f4acd9b6b",
"title": "Network In Total",
- "type": "visualization",
- "version": "7.4.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-03783e9a-a85e-4cbc-bbd9-f3426f8077a5",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "03783e9a-a85e-4cbc-bbd9-f3426f8077a5": {
+ "columnOrder": [
+ "4e1e8b2d-e5eb-49a1-aae9-418fb76a732f",
+ "5a4ba3de-4077-4f57-ac47-4c000825ff2c",
+ "5423653e-dc39-4d05-b8ca-9a22cec245af"
+ ],
+ "columns": {
+ "4e1e8b2d-e5eb-49a1-aae9-418fb76a732f": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "5423653e-dc39-4d05-b8ca-9a22cec245af": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Azure VM Network Out Total",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm_scaleset.network_out_total.total"
+ },
+ "5a4ba3de-4077-4f57-ac47-4c000825ff2c": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachineScaleSets\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "5423653e-dc39-4d05-b8ca-9a22cec245af"
+ ],
+ "layerId": "03783e9a-a85e-4cbc-bbd9-f3426f8077a5",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "5a4ba3de-4077-4f57-ac47-4c000825ff2c",
+ "xAccessor": "4e1e8b2d-e5eb-49a1-aae9-418fb76a732f",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,188,0,1)",
+ "forAccessor": "5423653e-dc39-4d05-b8ca-9a22cec245af"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 11,
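Review bot: The Network Out Total layer's custom label reads `Azure VM Network Out Total` while the Network In panel in the previous hunk is labelled `Azure VMSS Network In Total`; on a dashboard whose title is `[Azure Metrics] VM Scale Sets Overview `, `Azure VMSS Network Out Total` would match. The same VM-versus-VMSS drift recurs in the following hunks of this file: `VM Disk Writes bytes`, `VM Disk Read bytes`, `VM Disk Read Operations/s` and `VM Disk Write Operations/s`, and `Writes bytes` versus `Read bytes` additionally mixes plural and singular. These labels only surface in legends and tooltips, so the impact is cosmetic, but it is cheap to align them while the panels are being rewritten to Lens.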
@@ -113,14 +720,174 @@
"y": 12
},
"panelIndex": "64fc0214-97f7-4d52-a9bd-a91449293f1c",
- "panelRefName": "panel_64fc0214-97f7-4d52-a9bd-a91449293f1c",
"title": "Network Out Total",
- "type": "visualization",
- "version": "7.4.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-47a7b900-30f5-4735-9b3f-c1ce0791d125",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "47a7b900-30f5-4735-9b3f-c1ce0791d125": {
+ "columnOrder": [
+ "2001c825-d5f5-4a28-ad75-de6dcff20a4b",
+ "ebf663a2-c3d6-46b8-8c4a-30ceffce5c8a",
+ "ef7945e7-3f56-4447-b6e4-e536304c0a9b"
+ ],
+ "columns": {
+ "2001c825-d5f5-4a28-ad75-de6dcff20a4b": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ebf663a2-c3d6-46b8-8c4a-30ceffce5c8a": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "ef7945e7-3f56-4447-b6e4-e536304c0a9b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "VM Disk Writes bytes",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm_scaleset.disk_write_bytes.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type :\"Microsoft.Compute/virtualMachineScaleSets\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "ef7945e7-3f56-4447-b6e4-e536304c0a9b"
+ ],
+ "layerId": "47a7b900-30f5-4735-9b3f-c1ce0791d125",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "ebf663a2-c3d6-46b8-8c4a-30ceffce5c8a",
+ "xAccessor": "2001c825-d5f5-4a28-ad75-de6dcff20a4b",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(0,180,251,1)",
+ "forAccessor": "ef7945e7-3f56-4447-b6e4-e536304c0a9b"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 11,
@@ -130,14 +897,345 @@
"y": 12
},
"panelIndex": "12c9c185-81ed-4313-b274-b3384de2d396",
- "panelRefName": "panel_12c9c185-81ed-4313-b274-b3384de2d396",
"title": "Disk Writes",
- "type": "visualization",
- "version": "7.4.0"
+ "type": "lens",
+ "version": "8.4.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-f3485eca-571b-4f08-bd0c-4be759cc64b6",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "f3485eca-571b-4f08-bd0c-4be759cc64b6": {
+ "columnOrder": [
+ "87197844-2561-47b9-a72a-b0fb5b98b213",
+ "b44f6d7e-92c3-4aca-b17f-d224f542b2b1",
+ "459e86ae-fa0d-4f11-a148-d72a2160bc74"
+ ],
+ "columns": {
+ "459e86ae-fa0d-4f11-a148-d72a2160bc74": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "VM Disk Read bytes",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm_scaleset.disk_read_bytes.total"
+ },
+ "87197844-2561-47b9-a72a-b0fb5b98b213": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "b44f6d7e-92c3-4aca-b17f-d224f542b2b1": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type :\"Microsoft.Compute/virtualMachineScaleSets\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "459e86ae-fa0d-4f11-a148-d72a2160bc74"
+ ],
+ "layerId": "f3485eca-571b-4f08-bd0c-4be759cc64b6",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "b44f6d7e-92c3-4aca-b17f-d224f542b2b1",
+ "xAccessor": "87197844-2561-47b9-a72a-b0fb5b98b213",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(252,196,0,1)",
+ "forAccessor": "459e86ae-fa0d-4f11-a148-d72a2160bc74"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 11,
+ "i": "6cbc30b4-658e-4f7a-a888-221775fd0af3",
+ "w": 12,
+ "x": 36,
+ "y": 12
+ },
+ "panelIndex": "6cbc30b4-658e-4f7a-a888-221775fd0af3",
+ "title": "Disk Reads",
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7afed980-1b20-4a23-9bd7-ea4103b0ca07",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "7afed980-1b20-4a23-9bd7-ea4103b0ca07": {
+ "columnOrder": [
+ "a9d03b2b-3461-480b-87ca-6c2b1a92027f",
+ "08450621-b253-4fec-b7b3-b972f61b8822",
+ "209ad925-36ae-4727-be0a-07ae3b8ee05d"
+ ],
+ "columns": {
+ "08450621-b253-4fec-b7b3-b972f61b8822": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "209ad925-36ae-4727-be0a-07ae3b8ee05d": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "VM Disk Read Operations/s",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm_scaleset.disk_read_operations_per_sec.avg"
+ },
+ "a9d03b2b-3461-480b-87ca-6c2b1a92027f": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachineScaleSets\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "209ad925-36ae-4727-be0a-07ae3b8ee05d"
+ ],
+ "layerId": "7afed980-1b20-4a23-9bd7-ea4103b0ca07",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "08450621-b253-4fec-b7b3-b972f61b8822",
+ "xAccessor": "a9d03b2b-3461-480b-87ca-6c2b1a92027f",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(252,196,0,1)",
+ "forAccessor": "209ad925-36ae-4727-be0a-07ae3b8ee05d"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
@@ -147,14 +1245,168 @@
"y": 23
},
"panelIndex": "200ae92b-4184-4aed-9868-6ce5e16e7a8d",
- "panelRefName": "panel_200ae92b-4184-4aed-9868-6ce5e16e7a8d",
"title": "Disk Read Operations/s",
- "type": "visualization",
- "version": "7.4.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-f8a913c2-543a-4a5b-b388-3b5533fd0c9e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "f8a913c2-543a-4a5b-b388-3b5533fd0c9e": {
+ "columnOrder": [
+ "5dd239de-13d4-455e-8529-194f1a07e594",
+ "8e969bff-e3b1-46b7-839c-90bd74ba46df",
+ "e9565d12-8e72-4111-bfd4-85f36000fb0f"
+ ],
+ "columns": {
+ "5dd239de-13d4-455e-8529-194f1a07e594": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "8e969bff-e3b1-46b7-839c-90bd74ba46df": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "e9565d12-8e72-4111-bfd4-85f36000fb0f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "VM Disk Write Operations/s",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm_scaleset.disk_write_operations_per_sec.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachineScaleSets\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "e9565d12-8e72-4111-bfd4-85f36000fb0f"
+ ],
+ "layerId": "f8a913c2-543a-4a5b-b388-3b5533fd0c9e",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "8e969bff-e3b1-46b7-839c-90bd74ba46df",
+ "xAccessor": "5dd239de-13d4-455e-8529-194f1a07e594",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,204,202,1)",
+ "forAccessor": "e9565d12-8e72-4111-bfd4-85f36000fb0f"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
@@ -164,66 +1416,75 @@
"y": 23
},
"panelIndex": "36c46a84-3e6b-4a7e-9246-357ae9d10d1e",
- "panelRefName": "panel_36c46a84-3e6b-4a7e-9246-357ae9d10d1e",
"title": "Disk Write Operations/s",
- "type": "visualization",
- "version": "7.4.0"
+ "type": "lens",
+ "version": "8.4.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] VM Scale Sets Overview ",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.4.0",
"id": "azure_metrics-91afcc50-eaad-11e9-90ec-112a988266d5",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.4.0"
},
"references": [
{
- "id": "azure_metrics-686bc990-ea92-11e9-90ec-112a988266d5",
- "name": "d84767cd-3fc9-438c-a969-f15c4d5fc9c5:panel_d84767cd-3fc9-438c-a969-f15c4d5fc9c5",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "127eff01-d34c-4bda-8f19-4cf06982989f:indexpattern-datasource-layer-19ca4198-3d60-4298-bf58-2a8c8d703333",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "2f85c4f1-a575-49a1-99d3-fbed8a2806ec:indexpattern-datasource-layer-e21a5a91-d219-4f09-b6d1-20eb943d56b3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e195e7ba-c736-4bf7-9f23-c96f4acd9b6b:indexpattern-datasource-layer-6f3a6179-62e3-40fd-956b-8fdfd46f8371",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-33500790-eaaf-11e9-90ec-112a988266d5",
- "name": "127eff01-d34c-4bda-8f19-4cf06982989f:panel_127eff01-d34c-4bda-8f19-4cf06982989f",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "64fc0214-97f7-4d52-a9bd-a91449293f1c:indexpattern-datasource-layer-03783e9a-a85e-4cbc-bbd9-f3426f8077a5",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-cecd6680-eb41-11e9-90ec-112a988266d5",
- "name": "2f85c4f1-a575-49a1-99d3-fbed8a2806ec:panel_2f85c4f1-a575-49a1-99d3-fbed8a2806ec",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "12c9c185-81ed-4313-b274-b3384de2d396:indexpattern-datasource-layer-47a7b900-30f5-4735-9b3f-c1ce0791d125",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-42cc28d0-ea9a-11e9-90ec-112a988266d5",
- "name": "6cbc30b4-658e-4f7a-a888-221775fd0af3:panel_6cbc30b4-658e-4f7a-a888-221775fd0af3",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "6cbc30b4-658e-4f7a-a888-221775fd0af3:indexpattern-datasource-layer-f3485eca-571b-4f08-bd0c-4be759cc64b6",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-64266ec0-eb42-11e9-90ec-112a988266d5",
- "name": "e195e7ba-c736-4bf7-9f23-c96f4acd9b6b:panel_e195e7ba-c736-4bf7-9f23-c96f4acd9b6b",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "200ae92b-4184-4aed-9868-6ce5e16e7a8d:indexpattern-datasource-layer-7afed980-1b20-4a23-9bd7-ea4103b0ca07",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-b45fd8e0-eb42-11e9-90ec-112a988266d5",
- "name": "64fc0214-97f7-4d52-a9bd-a91449293f1c:panel_64fc0214-97f7-4d52-a9bd-a91449293f1c",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "36c46a84-3e6b-4a7e-9246-357ae9d10d1e:indexpattern-datasource-layer-f8a913c2-543a-4a5b-b388-3b5533fd0c9e",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-0d03a670-eb43-11e9-90ec-112a988266d5",
- "name": "12c9c185-81ed-4313-b274-b3384de2d396:panel_12c9c185-81ed-4313-b274-b3384de2d396",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_8637c045-a72a-4b38-9e62-d3bf2e7a08b7:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-9c1a1910-ea9a-11e9-90ec-112a988266d5",
- "name": "200ae92b-4184-4aed-9868-6ce5e16e7a8d:panel_200ae92b-4184-4aed-9868-6ce5e16e7a8d",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_cee07fda-dcef-4e03-abb4-52e251ba0d66:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-cfaedaf0-eb43-11e9-90ec-112a988266d5",
- "name": "36c46a84-3e6b-4a7e-9246-357ae9d10d1e:panel_36c46a84-3e6b-4a7e-9246-357ae9d10d1e",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_becc78e5-ae0e-49c5-afd3-bae0f51fde81:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38.json
index 742ca1c38c7..cfe8dade387 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38.json
@@ -1,7 +1,12 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"ffdad1fb-52fd-4e71-bc31-b0c2c423ab11\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ffdad1fb-52fd-4e71-bc31-b0c2c423ab11\",\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"enhancements\":{}}},\"bc9a331c-0344-43d5-9076-7339b0ebdd90\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"bc9a331c-0344-43d5-9076-7339b0ebdd90\",\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"singleSelect\":true,\"enhancements\":{}}},\"e89da2e7-4e61-4d97-9cca-c0cad0a12093\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"e89da2e7-4e61-4d97-9cca-c0cad0a12093\",\"fieldName\":\"azure.resource.name\",\"title\":\"Resource\",\"singleSelect\":true,\"enhancements\":{}}}}"
+ },
"description": "This dashboard shows metrics for the container instances in Azure.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
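Review bot: `"hits": 0` is removed from this dashboard's attributes in this hunk, but the same key is left untouched in azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5.json (its `@@ -1,5 +1,11 @@` hunk later in this diff), so the two exports in one commit now disagree on whether the attribute exists. It is presumably a legacy field that newer Kibana exports no longer write, in which case the other dashboard should lose it too; otherwise the two files should be re-exported from the same Kibana version so the saved-object shape stays uniform across the package. The enclosing `"attributes"` object continues past the end of this hunk.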
@@ -13,150 +18,858 @@
},
"optionsJSON": {
"hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Azure Containers\n\n[**Instances**](#/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38) |\n[Registries](#/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2) |\n[Services](#/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Container Instance Overview [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 5,
"i": "c3f93abd-4a7c-43fa-bde7-d26925082d2f",
- "w": 11,
+ "w": 48,
"x": 0,
"y": 0
},
"panelIndex": "c3f93abd-4a7c-43fa-bde7-d26925082d2f",
- "panelRefName": "panel_c3f93abd-4a7c-43fa-bde7-d26925082d2f",
"type": "visualization",
- "version": "7.6.0"
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "658cae72-53f0-466c-a9a2-5d855dfaf21f": {
+ "columnOrder": [
+ "7201da9b-0826-4776-b394-9fbafcb1b3aa",
+ "3d85e797-bf3e-4d7f-b8ef-ee681ba8c7be",
+ "8e71fc83-f2ce-4285-9734-701e2440b333"
+ ],
+ "columns": {
+ "3d85e797-bf3e-4d7f-b8ef-ee681ba8c7be": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {},
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "7201da9b-0826-4776-b394-9fbafcb1b3aa": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "8e71fc83-f2ce-4285-9734-701e2440b333": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Azure Container CPU Utilization",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_instance.cpu_usage.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-658cae72-53f0-466c-a9a2-5d855dfaf21f",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "8e71fc83-f2ce-4285-9734-701e2440b333"
+ ],
+ "layerId": "658cae72-53f0-466c-a9a2-5d855dfaf21f",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "3d85e797-bf3e-4d7f-b8ef-ee681ba8c7be",
+ "xAccessor": "7201da9b-0826-4776-b394-9fbafcb1b3aa",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(164,221,0,1)",
+ "forAccessor": "8e71fc83-f2ce-4285-9734-701e2440b333"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Container Instance CPU Utilization [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
"i": "ea4c505b-43fb-4869-a94a-bba028071ecc",
- "w": 17,
- "x": 11,
- "y": 0
+ "w": 24,
+ "x": 0,
+ "y": 5
},
"panelIndex": "ea4c505b-43fb-4869-a94a-bba028071ecc",
- "panelRefName": "panel_ea4c505b-43fb-4869-a94a-bba028071ecc",
"title": "Container Instance CPU Utilization",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "56433bf4-d7c0-433f-964f-8c2dd8a97a6b": {
+ "columnOrder": [
+ "6fb6336e-dbe7-4c83-aa53-bdc5b1ab7f30",
+ "b2d1c4f7-4edd-40be-9074-c19a2e3713ac",
+ "9c786694-3df7-415a-a56a-5a057591bf90"
+ ],
+ "columns": {
+ "6fb6336e-dbe7-4c83-aa53-bdc5b1ab7f30": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "9c786694-3df7-415a-a56a-5a057591bf90": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Container Instance Memory Utilization",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_instance.memory_usage.avg"
+ },
+ "b2d1c4f7-4edd-40be-9074-c19a2e3713ac": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {},
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-56433bf4-d7c0-433f-964f-8c2dd8a97a6b",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "9c786694-3df7-415a-a56a-5a057591bf90"
+ ],
+ "layerId": "56433bf4-d7c0-433f-964f-8c2dd8a97a6b",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "b2d1c4f7-4edd-40be-9074-c19a2e3713ac",
+ "xAccessor": "6fb6336e-dbe7-4c83-aa53-bdc5b1ab7f30",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#68BC00",
+ "forAccessor": "9c786694-3df7-415a-a56a-5a057591bf90"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Container Instance Memory Utilization [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 16,
"i": "0899027b-629e-4889-821f-45ee0161bd91",
- "w": 20,
- "x": 28,
- "y": 0
+ "w": 24,
+ "x": 24,
+ "y": 5
},
"panelIndex": "0899027b-629e-4889-821f-45ee0161bd91",
- "panelRefName": "panel_0899027b-629e-4889-821f-45ee0161bd91",
"title": "Container Instance Memory Utilization",
- "type": "visualization",
- "version": "7.6.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 11,
- "i": "f72bd066-3696-4e0a-9660-78fb47c92152",
- "w": 11,
- "x": 0,
- "y": 5
- },
- "panelIndex": "f72bd066-3696-4e0a-9660-78fb47c92152",
- "panelRefName": "panel_f72bd066-3696-4e0a-9660-78fb47c92152",
- "title": "Containers Filters",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ddcbb406-9ddd-4f61-be95-9ed0c3d61d57": {
+ "columnOrder": [
+ "e4784370-989c-4e3f-b5c1-463097d0d63d",
+ "7a8b8086-cca2-4b64-bc9f-60b8e00d0ec6",
+ "e68f6c75-7232-46d8-aba4-2d9fbf90312d"
+ ],
+ "columns": {
+ "7a8b8086-cca2-4b64-bc9f-60b8e00d0ec6": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {},
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "e4784370-989c-4e3f-b5c1-463097d0d63d": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "e68f6c75-7232-46d8-aba4-2d9fbf90312d": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Container Instance Network Bytes Received/s",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_instance.network_bytes_received_per_second.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-ddcbb406-9ddd-4f61-be95-9ed0c3d61d57",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "e68f6c75-7232-46d8-aba4-2d9fbf90312d"
+ ],
+ "layerId": "ddcbb406-9ddd-4f61-be95-9ed0c3d61d57",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "7a8b8086-cca2-4b64-bc9f-60b8e00d0ec6",
+ "xAccessor": "e4784370-989c-4e3f-b5c1-463097d0d63d",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(251,158,0,1)",
+ "forAccessor": "e68f6c75-7232-46d8-aba4-2d9fbf90312d"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Container Instance Network Bytes Received/s [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "7c9016b9-a76e-41f6-9945-ac6880fd9ab0",
"w": 24,
"x": 0,
- "y": 16
+ "y": 21
},
"panelIndex": "7c9016b9-a76e-41f6-9945-ac6880fd9ab0",
- "panelRefName": "panel_7c9016b9-a76e-41f6-9945-ac6880fd9ab0",
- "title": "Container Instance Netowrk Bytes Received/s",
- "type": "visualization",
- "version": "7.6.0"
+ "title": "Container Instance Network Bytes Received/s",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": false,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "4d307ae6-2eb5-4cc8-b51b-3991b53b8bd8": {
+ "columnOrder": [
+ "4fec72f0-2a78-407f-8be4-6ae68a58820c",
+ "57a8bf85-b18a-4aac-8b55-18dbc32768eb",
+ "e7d9639b-cd0b-42bb-bbd2-90c300a70e02"
+ ],
+ "columns": {
+ "4fec72f0-2a78-407f-8be4-6ae68a58820c": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "57a8bf85-b18a-4aac-8b55-18dbc32768eb": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {},
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "e7d9639b-cd0b-42bb-bbd2-90c300a70e02": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Container Instance Network Bytes Transmitted/s",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_instance.network_bytes_transmitted_per_second.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-4d307ae6-2eb5-4cc8-b51b-3991b53b8bd8",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "e7d9639b-cd0b-42bb-bbd2-90c300a70e02"
+ ],
+ "layerId": "4d307ae6-2eb5-4cc8-b51b-3991b53b8bd8",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "57a8bf85-b18a-4aac-8b55-18dbc32768eb",
+ "xAccessor": "4fec72f0-2a78-407f-8be4-6ae68a58820c",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(128,137,0,1)",
+ "forAccessor": "e7d9639b-cd0b-42bb-bbd2-90c300a70e02"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Container Instance Network Bytes Transmitted/s [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "0abdf4ee-b569-430b-972a-a60160ef2221",
"w": 24,
"x": 24,
- "y": 16
+ "y": 21
},
"panelIndex": "0abdf4ee-b569-430b-972a-a60160ef2221",
- "panelRefName": "panel_0abdf4ee-b569-430b-972a-a60160ef2221",
"title": "Container Instance Network Bytes Transmitted/s",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.7.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Container Instance Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-08-29T11:32:00.024Z",
"id": "azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.7.0"
},
"references": [
{
- "id": "azure_metrics-5720b830-6aad-11ea-af5c-73e8f396b3e9",
- "name": "c3f93abd-4a7c-43fa-bde7-d26925082d2f:panel_c3f93abd-4a7c-43fa-bde7-d26925082d2f",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-04f8eec0-6ab1-11ea-af5c-73e8f396b3e9",
- "name": "ea4c505b-43fb-4869-a94a-bba028071ecc:panel_ea4c505b-43fb-4869-a94a-bba028071ecc",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-942844b0-6ac5-11ea-af5c-73e8f396b3e9",
- "name": "0899027b-629e-4889-821f-45ee0161bd91:panel_0899027b-629e-4889-821f-45ee0161bd91",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-0fa31060-6aae-11ea-af5c-73e8f396b3e9",
- "name": "f72bd066-3696-4e0a-9660-78fb47c92152:panel_f72bd066-3696-4e0a-9660-78fb47c92152",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_ffdad1fb-52fd-4e71-bc31-b0c2c423ab11:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-bd1c93b0-6cf7-11ea-8fe8-71add5fd7c38",
- "name": "7c9016b9-a76e-41f6-9945-ac6880fd9ab0:panel_7c9016b9-a76e-41f6-9945-ac6880fd9ab0",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_bc9a331c-0344-43d5-9076-7339b0ebdd90:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-74a8e130-6cfa-11ea-8fe8-71add5fd7c38",
- "name": "0abdf4ee-b569-430b-972a-a60160ef2221:panel_0abdf4ee-b569-430b-972a-a60160ef2221",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_e89da2e7-4e61-4d97-9cca-c0cad0a12093:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
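Review bot: The four Lens panels keep the auto-conversion marker in their saved-object titles, e.g. `"title": "Container Instance CPU Utilization [Azure Metrics] (converted)"`, repeated for the memory, network received and network transmitted panels, while the panel-level `"title"` already carries the clean name; the `(converted)` suffix looks like leftover from the TSVB-to-Lens migration and should be dropped from all four. The same panels embed an `adHocDataViews` entry named `tsvb_ad_hoc_metrics-*/@timestamp` with `"references": []`, whereas the ASP.NET/SQL Server dashboard in this commit points its Lens layers at the `metrics-*` index-pattern through `references`; if all dashboards are meant to share the package's data view, these layers should be re-pointed the same way rather than carrying a per-panel ad hoc copy. `"created_at": "2023-08-29T11:32:00.024Z"` is an export-time stamp that no other dashboard in this diff carries, so it only adds churn on every re-export. This file's `coreMigrationVersion` and panel `"version"` are 8.7.0 while the sibling dashboards sit at 8.4.0, which is presumably fine if the package's Kibana version constraint is already at least 8.7.0, but that is worth confirming before merge.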
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5.json
index d3328ad0231..dcc9c777310 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5.json
@@ -1,5 +1,11 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"13f93daa-2996-4413-8716-73b186ca0271\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"Region\",\"id\":\"13f93daa-2996-4413-8716-73b186ca0271\",\"enhancements\":{}}},\"fc120d66-f166-410b-b088-f948c09f5009\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"id\":\"fc120d66-f166-410b-b088-f948c09f5009\",\"enhancements\":{}}},\"eee6fbaa-e4c9-4c8d-816c-5c47fa5a7b1a\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.name\",\"title\":\"VM Name\",\"id\":\"eee6fbaa-e4c9-4c8d-816c-5c47fa5a7b1a\",\"enhancements\":{}}}}"
+ },
"description": "This dashboards shows ASP.NET and SQL Server specific metrics extracted from the azure.vm.windows.guestmetrics namespace",
"hits": 0,
"kibanaSavedObjectMeta": {
@@ -18,40 +24,165 @@
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Azure Guest ASP.NET \u0026 SQL Server Metrics\n\n[Back to Overview Metrics](#/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5) | [Memory \u0026 Process](#/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca) | [**ASP.NET and SQL Server**](#/dashboard/azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Compute VM Guest ASP.NET \u0026 SQL Server Guest Metrics [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 6,
"i": "aca8d6d8-91f6-4362-95e6-3547df2c95ab",
- "w": 10,
+ "w": 24,
"x": 0,
"y": 0
},
"panelIndex": "aca8d6d8-91f6-4362-95e6-3547df2c95ab",
- "panelRefName": "panel_aca8d6d8-91f6-4362-95e6-3547df2c95ab",
"type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 6,
- "i": "b7b8bcc1-f776-45cf-a149-36665f2de746",
- "w": 14,
- "x": 10,
- "y": 0
- },
- "panelIndex": "b7b8bcc1-f776-45cf-a149-36665f2de746",
- "panelRefName": "panel_b7b8bcc1-f776-45cf-a149-36665f2de746",
- "title": "Filters",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-04ca1413-c115-497d-9fc1-cbbc1096cd35",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "04ca1413-c115-497d-9fc1-cbbc1096cd35": {
+ "columnOrder": [
+ "99dfae3a-9f13-458b-a72c-7e1e60046230",
+ "150abef4-24f9-4590-97e1-37086c47b194"
+ ],
+ "columns": {
+ "150abef4-24f9-4590-97e1-37086c47b194": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "connections",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.sqlserver_general_statistics_user_connections.avg"
+ },
+ "99dfae3a-9f13-458b-a72c-7e1e60046230": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type :\"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "150abef4-24f9-4590-97e1-37086c47b194"
+ ],
+ "layerId": "04ca1413-c115-497d-9fc1-cbbc1096cd35",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "99dfae3a-9f13-458b-a72c-7e1e60046230",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "150abef4-24f9-4590-97e1-37086c47b194"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
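Review bot: The date histogram column at `"interval": "5m"` hard-codes the bucket size, while every other converted Lens panel in this commit uses `"interval": "auto"`; a fixed 5-minute interval yields a very large bucket count over a wide time range and only a handful of points over a narrow one, so `"interval": "auto"` would match the rest of the package unless the 5m bucketing is intentional for these guest metrics. The `gridData` of the enclosing panel continues past the end of this hunk.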
@@ -61,14 +192,136 @@
"y": 0
},
"panelIndex": "6a5abca9-1cfd-45ef-aa88-9b4a72ce2dca",
- "panelRefName": "panel_6a5abca9-1cfd-45ef-aa88-9b4a72ce2dca",
"title": "SQL Server User Connections",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-32e3900a-495a-4014-85ad-2ed800ff76d8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "32e3900a-495a-4014-85ad-2ed800ff76d8": {
+ "columnOrder": [
+ "760c9e2d-3ca5-4645-bc06-824141f59969",
+ "2e58f163-ed64-4a0d-867b-6e0797e313e5"
+ ],
+ "columns": {
+ "2e58f163-ed64-4a0d-867b-6e0797e313e5": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "applications running",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_running.avg"
+ },
+ "760c9e2d-3ca5-4645-bc06-824141f59969": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type :\"Microsoft.Compute/virtualMachines\" "
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.2,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "2e58f163-ed64-4a0d-867b-6e0797e313e5"
+ ],
+ "layerId": "32e3900a-495a-4014-85ad-2ed800ff76d8",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "xAccessor": "760c9e2d-3ca5-4645-bc06-824141f59969",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "2e58f163-ed64-4a0d-867b-6e0797e313e5"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
@@ -78,14 +331,141 @@
"y": 6
},
"panelIndex": "bc65dd87-08f6-49f7-b8bf-0d371431ad4d",
- "panelRefName": "panel_bc65dd87-08f6-49f7-b8bf-0d371431ad4d",
"title": "Applications Running",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-3aa3b228-eeaf-4a1b-801b-5fddfb60fed3",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "3aa3b228-eeaf-4a1b-801b-5fddfb60fed3": {
+ "columnOrder": [
+ "d43e87f6-e5f1-40b2-8587-c94c129e02ae",
+ "d0eb903b-4a8f-4a3d-aa1e-e0f6bcc2de2c"
+ ],
+ "columns": {
+ "d0eb903b-4a8f-4a3d-aa1e-e0f6bcc2de2c": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "memory",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.sqlserver_memory_manager_total_server_memory.avg"
+ },
+ "d43e87f6-e5f1-40b2-8587-c94c129e02ae": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "d0eb903b-4a8f-4a3d-aa1e-e0f6bcc2de2c"
+ ],
+ "layerId": "3aa3b228-eeaf-4a1b-801b-5fddfb60fed3",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "d43e87f6-e5f1-40b2-8587-c94c129e02ae",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "d0eb903b-4a8f-4a3d-aa1e-e0f6bcc2de2c"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
@@ -95,14 +475,312 @@
"y": 12
},
"panelIndex": "aaa96404-80de-44dc-990c-76bf40d3827b",
- "panelRefName": "panel_aaa96404-80de-44dc-990c-76bf40d3827b",
"title": "SQL Server Total Server Memory",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-d0780101-176b-42b3-bd87-1eb75070e4d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-a24698c5-6841-456f-bd10-8ffe55877bca",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-3eb35d2d-eaa4-4bc8-8994-d92be01d01ae",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-46d93037-893a-4a1f-90fb-296f1eb58c17",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "3eb35d2d-eaa4-4bc8-8994-d92be01d01ae": {
+ "columnOrder": [
+ "15f62cf5-0520-4902-98a5-2b77d5c3c8cb",
+ "fc7f5591-8179-422c-9a7c-6ae237157c66"
+ ],
+ "columns": {
+ "15f62cf5-0520-4902-98a5-2b77d5c3c8cb": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "fc7f5591-8179-422c-9a7c-6ae237157c66": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "succeeded",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_requests_succeeded.avg"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "46d93037-893a-4a1f-90fb-296f1eb58c17": {
+ "columnOrder": [
+ "8012f73d-6b6f-4c5e-a248-b01a53923e75",
+ "9287f204-1e7f-4da7-88e8-75b129563978"
+ ],
+ "columns": {
+ "8012f73d-6b6f-4c5e-a248-b01a53923e75": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "9287f204-1e7f-4da7-88e8-75b129563978": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "total",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_requests_total.avg"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "a24698c5-6841-456f-bd10-8ffe55877bca": {
+ "columnOrder": [
+ "2361bae7-da67-4752-b81c-784d63bd1133",
+ "e61e9769-4de2-45c6-bbb0-071a58a8f319"
+ ],
+ "columns": {
+ "2361bae7-da67-4752-b81c-784d63bd1133": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "e61e9769-4de2-45c6-bbb0-071a58a8f319": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "failed",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_requests_failed.avg"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "d0780101-176b-42b3-bd87-1eb75070e4d8": {
+ "columnOrder": [
+ "765b02b8-1ecb-4331-bdca-669963ec0d18",
+ "e1f90bc3-ef99-4b93-9ca9-40554f931802"
+ ],
+ "columns": {
+ "765b02b8-1ecb-4331-bdca-669963ec0d18": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "e1f90bc3-ef99-4b93-9ca9-40554f931802": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "timed out",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_requests_timed_out.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "e1f90bc3-ef99-4b93-9ca9-40554f931802"
+ ],
+ "layerId": "d0780101-176b-42b3-bd87-1eb75070e4d8",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "765b02b8-1ecb-4331-bdca-669963ec0d18",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(254,146,0,1)",
+ "forAccessor": "e1f90bc3-ef99-4b93-9ca9-40554f931802"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "e61e9769-4de2-45c6-bbb0-071a58a8f319"
+ ],
+ "layerId": "a24698c5-6841-456f-bd10-8ffe55877bca",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "2361bae7-da67-4752-b81c-784d63bd1133",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#DB1374",
+ "forAccessor": "e61e9769-4de2-45c6-bbb0-071a58a8f319"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "fc7f5591-8179-422c-9a7c-6ae237157c66"
+ ],
+ "layerId": "3eb35d2d-eaa4-4bc8-8994-d92be01d01ae",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "15f62cf5-0520-4902-98a5-2b77d5c3c8cb",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#00B3A4",
+ "forAccessor": "fc7f5591-8179-422c-9a7c-6ae237157c66"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "9287f204-1e7f-4da7-88e8-75b129563978"
+ ],
+ "layerId": "46d93037-893a-4a1f-90fb-296f1eb58c17",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "8012f73d-6b6f-4c5e-a248-b01a53923e75",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#490092",
+ "forAccessor": "9287f204-1e7f-4da7-88e8-75b129563978"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 18,
@@ -112,14 +790,140 @@
"y": 18
},
"panelIndex": "5c0158cc-c884-4665-8bbf-7fc34d885d55",
- "panelRefName": "panel_5c0158cc-c884-4665-8bbf-7fc34d885d55",
"title": "Application Requests",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-4e9fe76c-dd6e-482e-b5e6-80365f63ee1a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "4e9fe76c-dd6e-482e-b5e6-80365f63ee1a": {
+ "columnOrder": [
+ "b8991460-48a1-4f71-9db5-7c323e899b64",
+ "a7036c3d-b262-482f-ad20-ff5324c0bd47"
+ ],
+ "columns": {
+ "a7036c3d-b262-482f-ad20-ff5324c0bd47": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "errors",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_errors_total.avg"
+ },
+ "b8991460-48a1-4f71-9db5-7c323e899b64": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.2,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "a7036c3d-b262-482f-ad20-ff5324c0bd47"
+ ],
+ "layerId": "4e9fe76c-dd6e-482e-b5e6-80365f63ee1a",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "xAccessor": "b8991460-48a1-4f71-9db5-7c323e899b64",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(244,78,59,1)",
+ "forAccessor": "a7036c3d-b262-482f-ad20-ff5324c0bd47"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 18,
@@ -129,14 +933,194 @@
"y": 18
},
"panelIndex": "03c9cff0-b2ec-4dd1-9a2f-db7f441e5e71",
- "panelRefName": "panel_03c9cff0-b2ec-4dd1-9a2f-db7f441e5e71",
"title": "Application Error Rates",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-62a117f6-ae04-4140-b189-3bf7f1aeed34",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-63780669-90ca-47bc-88bb-13c44f2183fd",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "62a117f6-ae04-4140-b189-3bf7f1aeed34": {
+ "columnOrder": [
+ "c83c32be-ef92-46be-adc9-60270d078a0b",
+ "7646aaad-8f25-4012-b829-a2556dcefdea"
+ ],
+ "columns": {
+ "7646aaad-8f25-4012-b829-a2556dcefdea": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Page Reads/s",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.sqlserver_buffer_manager_page_reads_per_sec.avg"
+ },
+ "c83c32be-ef92-46be-adc9-60270d078a0b": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "63780669-90ca-47bc-88bb-13c44f2183fd": {
+ "columnOrder": [
+ "2b43f295-060e-42df-b966-6a415cfe81bc",
+ "d454debf-a642-4d31-91b2-1fc06ba66237"
+ ],
+ "columns": {
+ "2b43f295-060e-42df-b966-6a415cfe81bc": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "d454debf-a642-4d31-91b2-1fc06ba66237": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Page Writes/s",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.sqlserver_buffer_manager_page_writes_per_sec.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "7646aaad-8f25-4012-b829-a2556dcefdea"
+ ],
+ "layerId": "62a117f6-ae04-4140-b189-3bf7f1aeed34",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "c83c32be-ef92-46be-adc9-60270d078a0b",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(252,196,0,1)",
+ "forAccessor": "7646aaad-8f25-4012-b829-a2556dcefdea"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "d454debf-a642-4d31-91b2-1fc06ba66237"
+ ],
+ "layerId": "63780669-90ca-47bc-88bb-13c44f2183fd",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "2b43f295-060e-42df-b966-6a415cfe81bc",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(176,188,0,1)",
+ "forAccessor": "d454debf-a642-4d31-91b2-1fc06ba66237"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
@@ -146,14 +1130,312 @@
"y": 24
},
"panelIndex": "43effd82-fc6a-4d11-bd1e-d3b12a34cbce",
- "panelRefName": "panel_43effd82-fc6a-4d11-bd1e-d3b12a34cbce",
"title": "SQL Server Page Reads/Writes",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-70eaf0a1-58ec-4104-a28d-f60b942907d7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-a61ee0d9-85ea-4520-a2d8-58df29ff8037",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-a17f6ecc-8371-47d3-9712-c34fd46e2241",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-6e225479-97e6-48fc-a218-b73708f9e1e4",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "6e225479-97e6-48fc-a218-b73708f9e1e4": {
+ "columnOrder": [
+ "6dbb7446-8979-4cd8-be0e-8f53f6b28b4e",
+ "ddaaa53a-86eb-49e2-8cad-4e5680ede30f"
+ ],
+ "columns": {
+ "6dbb7446-8979-4cd8-be0e-8f53f6b28b4e": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "ddaaa53a-86eb-49e2-8cad-4e5680ede30f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "total",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_sessions_total.avg"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "70eaf0a1-58ec-4104-a28d-f60b942907d7": {
+ "columnOrder": [
+ "710798d3-cbd4-461c-8003-8e8803946419",
+ "f7838f99-ab97-4720-8b61-ac694e147be6"
+ ],
+ "columns": {
+ "710798d3-cbd4-461c-8003-8e8803946419": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f7838f99-ab97-4720-8b61-ac694e147be6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "active",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_sessions_active.avg"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "a17f6ecc-8371-47d3-9712-c34fd46e2241": {
+ "columnOrder": [
+ "0ef5196d-6919-48d8-81fc-352f9df7fd20",
+ "40d92cb9-2a4b-494b-bf59-b24182da983b"
+ ],
+ "columns": {
+ "0ef5196d-6919-48d8-81fc-352f9df7fd20": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "40d92cb9-2a4b-494b-bf59-b24182da983b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "abandoned",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_sessions_abandoned.avg"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "a61ee0d9-85ea-4520-a2d8-58df29ff8037": {
+ "columnOrder": [
+ "250ef7ef-8500-4087-8f08-50da9277b712",
+ "d5d7524c-135f-40fe-b419-827d9d7725a4"
+ ],
+ "columns": {
+ "250ef7ef-8500-4087-8f08-50da9277b712": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "d5d7524c-135f-40fe-b419-827d9d7725a4": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "timed out",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.asp_net_applications_sessions_timed_out.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "f7838f99-ab97-4720-8b61-ac694e147be6"
+ ],
+ "layerId": "70eaf0a1-58ec-4104-a28d-f60b942907d7",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "710798d3-cbd4-461c-8003-8e8803946419",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "f7838f99-ab97-4720-8b61-ac694e147be6"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "d5d7524c-135f-40fe-b419-827d9d7725a4"
+ ],
+ "layerId": "a61ee0d9-85ea-4520-a2d8-58df29ff8037",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "250ef7ef-8500-4087-8f08-50da9277b712",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#DB1374",
+ "forAccessor": "d5d7524c-135f-40fe-b419-827d9d7725a4"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "40d92cb9-2a4b-494b-bf59-b24182da983b"
+ ],
+ "layerId": "a17f6ecc-8371-47d3-9712-c34fd46e2241",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "0ef5196d-6919-48d8-81fc-352f9df7fd20",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#00B3A4",
+ "forAccessor": "40d92cb9-2a4b-494b-bf59-b24182da983b"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "ddaaa53a-86eb-49e2-8cad-4e5680ede30f"
+ ],
+ "layerId": "6e225479-97e6-48fc-a218-b73708f9e1e4",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "xAccessor": "6dbb7446-8979-4cd8-be0e-8f53f6b28b4e",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#490092",
+ "forAccessor": "ddaaa53a-86eb-49e2-8cad-4e5680ede30f"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
@@ -163,66 +1445,105 @@
"y": 36
},
"panelIndex": "b89c7551-e0e1-4642-ac18-01322ea72db8",
- "panelRefName": "panel_b89c7551-e0e1-4642-ac18-01322ea72db8",
"title": "Application Sessions",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Compute VM Guest ASP.NET \u0026 Sql Server",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.4.0",
"id": "azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.4.0"
},
"references": [
{
- "id": "azure_metrics-4bbd6f50-feaf-11eb-8fff-87871c582eca",
- "name": "aca8d6d8-91f6-4362-95e6-3547df2c95ab:panel_aca8d6d8-91f6-4362-95e6-3547df2c95ab",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "6a5abca9-1cfd-45ef-aa88-9b4a72ce2dca:indexpattern-datasource-layer-04ca1413-c115-497d-9fc1-cbbc1096cd35",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "bc65dd87-08f6-49f7-b8bf-0d371431ad4d:indexpattern-datasource-layer-32e3900a-495a-4014-85ad-2ed800ff76d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "aaa96404-80de-44dc-990c-76bf40d3827b:indexpattern-datasource-layer-3aa3b228-eeaf-4a1b-801b-5fddfb60fed3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5c0158cc-c884-4665-8bbf-7fc34d885d55:indexpattern-datasource-layer-d0780101-176b-42b3-bd87-1eb75070e4d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5c0158cc-c884-4665-8bbf-7fc34d885d55:indexpattern-datasource-layer-a24698c5-6841-456f-bd10-8ffe55877bca",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5c0158cc-c884-4665-8bbf-7fc34d885d55:indexpattern-datasource-layer-3eb35d2d-eaa4-4bc8-8994-d92be01d01ae",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "5c0158cc-c884-4665-8bbf-7fc34d885d55:indexpattern-datasource-layer-46d93037-893a-4a1f-90fb-296f1eb58c17",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "03c9cff0-b2ec-4dd1-9a2f-db7f441e5e71:indexpattern-datasource-layer-4e9fe76c-dd6e-482e-b5e6-80365f63ee1a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "43effd82-fc6a-4d11-bd1e-d3b12a34cbce:indexpattern-datasource-layer-62a117f6-ae04-4140-b189-3bf7f1aeed34",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-5031b220-eb61-11e9-90ec-112a988266d5",
- "name": "b7b8bcc1-f776-45cf-a149-36665f2de746:panel_b7b8bcc1-f776-45cf-a149-36665f2de746",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "43effd82-fc6a-4d11-bd1e-d3b12a34cbce:indexpattern-datasource-layer-63780669-90ca-47bc-88bb-13c44f2183fd",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-0aacc190-eaa8-11e9-90ec-112a988266d5",
- "name": "6a5abca9-1cfd-45ef-aa88-9b4a72ce2dca:panel_6a5abca9-1cfd-45ef-aa88-9b4a72ce2dca",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "b89c7551-e0e1-4642-ac18-01322ea72db8:indexpattern-datasource-layer-70eaf0a1-58ec-4104-a28d-f60b942907d7",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-1f5c1cd0-eaa3-11e9-90ec-112a988266d5",
- "name": "bc65dd87-08f6-49f7-b8bf-0d371431ad4d:panel_bc65dd87-08f6-49f7-b8bf-0d371431ad4d",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "b89c7551-e0e1-4642-ac18-01322ea72db8:indexpattern-datasource-layer-a61ee0d9-85ea-4520-a2d8-58df29ff8037",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-d7ea4290-eaa8-11e9-90ec-112a988266d5",
- "name": "aaa96404-80de-44dc-990c-76bf40d3827b:panel_aaa96404-80de-44dc-990c-76bf40d3827b",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "b89c7551-e0e1-4642-ac18-01322ea72db8:indexpattern-datasource-layer-a17f6ecc-8371-47d3-9712-c34fd46e2241",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-097bc300-eaa5-11e9-90ec-112a988266d5",
- "name": "5c0158cc-c884-4665-8bbf-7fc34d885d55:panel_5c0158cc-c884-4665-8bbf-7fc34d885d55",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "b89c7551-e0e1-4642-ac18-01322ea72db8:indexpattern-datasource-layer-6e225479-97e6-48fc-a218-b73708f9e1e4",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-6d52a660-eaa4-11e9-90ec-112a988266d5",
- "name": "03c9cff0-b2ec-4dd1-9a2f-db7f441e5e71:panel_03c9cff0-b2ec-4dd1-9a2f-db7f441e5e71",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_13f93daa-2996-4413-8716-73b186ca0271:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-787a0a20-eaa8-11e9-90ec-112a988266d5",
- "name": "43effd82-fc6a-4d11-bd1e-d3b12a34cbce:panel_43effd82-fc6a-4d11-bd1e-d3b12a34cbce",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_fc120d66-f166-410b-b088-f948c09f5009:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-b9aa9b20-eaa5-11e9-90ec-112a988266d5",
- "name": "b89c7551-e0e1-4642-ac18-01322ea72db8:panel_b89c7551-e0e1-4642-ac18-01322ea72db8",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_eee6fbaa-e4c9-4c8d-816c-5c47fa5a7b1a:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc.json
index 9cae7ded159..b99db13decf 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc.json
@@ -1,4 +1,11 @@
{
+ "id": "azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc",
+ "type": "dashboard",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2023-08-08T06:46:29.879Z",
+ "version": "WzgzMywxXQ==",
"attributes": {
"description": "This dashboard shows metrics for the blob storage type in Azure.",
"hits": 0,
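Review bot: The new top-level `namespaces`, `updated_at` and `version` keys in this hunk look like per-instance saved-object metadata carried over from a Kibana export rather than package content; `"version": "WzgzMywxXQ=="` is the base64 sequence-number/primary-term token of the exporting cluster and `updated_at` is that cluster's edit timestamp. Neither has meaning once the package installs the dashboard, and both will churn on every re-export, so I would drop those five lines and keep only `"id"` and `"type"` at this level — the other dashboard touched by this commit (azure_metrics-b232c220…) does not carry them at the top of the document. If elastic-package is expected to strip these at build time, a short note in the package's contribution docs would save the next exporter the question; I cannot confirm that from this diff.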
@@ -39,9 +46,8 @@
},
"panelsJSON": [
{
- "embeddableConfig": {
- "enhancements": {}
- },
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 5,
"i": "ed5f5642-c94a-481b-a8c2-7dfe4c6a4f05",
@@ -50,14 +56,34 @@
"y": 0
},
"panelIndex": "ed5f5642-c94a-481b-a8c2-7dfe4c6a4f05",
- "panelRefName": "panel_ed5f5642-c94a-481b-a8c2-7dfe4c6a4f05",
- "type": "visualization",
- "version": "7.7.0"
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "title": "Navigation Blob Storage Overview [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "fontSize": 10,
+ "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [**Blob**](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
+ "openLinksInNewTab": false
+ },
+ "type": "markdown",
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ }
+ }
+ }
},
{
- "embeddableConfig": {
- "enhancements": {}
- },
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 9,
"i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
@@ -66,15 +92,100 @@
"y": 0
},
"panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "panelRefName": "panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "title": "Availability",
- "type": "visualization",
- "version": "7.7.0"
- },
- {
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Availability [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "axis_formatter": "number",
+ "axis_min": 0,
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "background_color": "rgba(104,204,202,1)",
+ "id": "18f616c0-32e2-11ea-867b-37070aefa392",
+ "operator": "gte",
+ "value": 100
+ },
+ {
+ "background_color": "rgba(244,78,59,1)",
+ "id": "998b1c90-32e2-11ea-867b-37070aefa392",
+ "operator": "lt",
+ "value": 100
+ }
+ ],
+ "bar_color_rules": [
+ {
+ "id": "28142cf0-32e2-11ea-867b-37070aefa392"
+ }
+ ],
+ "drop_last_bucket": 0,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "id": "29808e30-32e2-11ea-867b-37070aefa392"
+ }
+ ],
+ "gauge_inner_width": "7",
+ "gauge_style": "circle",
+ "gauge_width": 10,
+ "id": "0e91b810-32e2-11ea-a93d-dd20c62559b3",
+ "index_pattern": "metrics-*",
+ "interval": "5m",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(22,165,165,1)",
+ "fill": "0.6",
+ "formatter": "number",
+ "hide_in_legend": 1,
+ "id": "0e91b811-32e2-11ea-a93d-dd20c62559b3",
+ "label": "Availability",
+ "line_width": 2,
+ "metrics": [
+ {
+ "field": "azure.storage_account.availability.avg",
+ "id": "0e91b812-32e2-11ea-a93d-dd20c62559b3",
+ "type": "avg"
+ }
+ ],
+ "point_size": 0,
+ "separate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "terms_field": null,
+ "type": "timeseries",
+ "value_template": "{{value}} %"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "time_range_mode": "last_value",
+ "type": "timeseries",
+ "use_kibana_indexes": false
+ },
+ "type": "metrics",
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ }
+ }
},
+ "title": "Availability"
+ },
+ {
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 9,
"i": "0c873134-b025-487d-be81-f727dbff0174",
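Review bot: The same TSVB parameters are encoded with different JSON types from panel to panel: here `"gauge_inner_width": "7"` is a string but `"gauge_width": 10` is a number, the Blob Capacity panel in the next hunk has `"gauge_width": "10"`, and the Egress panel has `"gauge_inner_width": 10`; likewise `"fill": "0.6"` here versus `"fill": 0.5` (Transactions) and `"fill": 0` (Egress), and `"line_width": 2` versus `"line_width": "1"`. Kibana appears to coerce these at load, but a key should carry one type across the file, and the mix makes any future schema validation or scripted edit of these dashboards fragile. I would normalise to numbers, e.g. `"gauge_inner_width": 7`, `"fill": 0.6`, `"line_width": 1`, since the numeric form already appears for each of these keys elsewhere in the file. This panel is also the only one with `"drop_last_bucket": 0`; that may be deliberate for a `last_value` gauge, but it is worth confirming rather than inheriting from the old library visualization.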
@@ -83,14 +194,101 @@
"y": 0
},
"panelIndex": "0c873134-b025-487d-be81-f727dbff0174",
- "panelRefName": "panel_0c873134-b025-487d-be81-f727dbff0174",
- "type": "visualization",
- "version": "7.7.0"
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Blob Capacity [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "axis_formatter": "number",
+ "axis_min": 0,
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color": null,
+ "background_color_rules": [
+ {
+ "id": "71978870-32e4-11ea-af9e-d70582a45bda"
+ }
+ ],
+ "bar_color_rules": [
+ {
+ "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
+ }
+ ],
+ "drilldown_url": "",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
+ }
+ ],
+ "gauge_inner_color": null,
+ "gauge_inner_width": "6",
+ "gauge_style": "circle",
+ "gauge_width": "10",
+ "hide_last_value_indicator": true,
+ "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
+ "index_pattern": "metrics-*",
+ "interval": "60m",
+ "isModelInvalid": false,
+ "pivot_id": "azure.resource.name",
+ "pivot_label": "Resource Name",
+ "pivot_rows": "30",
+ "pivot_type": "string",
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(0,156,224,1)",
+ "fill": "1.2",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "formatter": "bytes",
+ "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
+ "label": "Blob Capacity",
+ "line_width": 2,
+ "metrics": [
+ {
+ "field": "azure.storage_account.blob_capacity.avg",
+ "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
+ "type": "avg"
+ }
+ ],
+ "point_size": 0,
+ "separate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "terms_field": "azure.resource.name",
+ "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
+ "type": "timeseries",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "type": "gauge",
+ "use_kibana_indexes": false,
+ "drop_last_bucket": 1
+ },
+ "type": "metrics",
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ }
+ }
+ }
},
{
- "embeddableConfig": {
- "enhancements": {}
- },
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 9,
"i": "41faed50-ba96-4484-b6dc-71ed3e2d3427",
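Review bot: The inlined Blob Capacity model reuses `"id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993"` and the same series, metric and colour-rule ids as the Blob Count panel (next hunk) and the Container Count panel further down, and the Egress and Ingress panels likewise share `f0edca80-32d5-11ea-b19d-fb5049b980ca`. By-value panels probably tolerate this, but it signals copy-paste from one source visualization and makes the panels indistinguishable in browser-side logs or when a user converts one back into a library item. Generating fresh ids per panel would remove the ambiguity. Separately, `pivot_id`, `pivot_label`, `pivot_rows` and `pivot_type` are set on a `"type": "gauge"` model and `terms_field` is set alongside `"split_mode": "everything"`; as far as I can tell these are inert for this panel type and could be dropped to keep the inlined state minimal.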
@@ -99,14 +297,97 @@
"y": 0
},
"panelIndex": "41faed50-ba96-4484-b6dc-71ed3e2d3427",
- "panelRefName": "panel_41faed50-ba96-4484-b6dc-71ed3e2d3427",
- "type": "visualization",
- "version": "7.7.0"
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Blob Count [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "axis_formatter": "number",
+ "axis_min": 0,
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color": null,
+ "background_color_rules": [
+ {
+ "id": "71978870-32e4-11ea-af9e-d70582a45bda"
+ }
+ ],
+ "bar_color_rules": [
+ {
+ "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
+ }
+ ],
+ "drilldown_url": "",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
+ }
+ ],
+ "gauge_inner_color": null,
+ "gauge_inner_width": "6",
+ "gauge_style": "circle",
+ "gauge_width": "10",
+ "hide_last_value_indicator": true,
+ "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
+ "index_pattern": "metrics-*",
+ "interval": "60m",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(0,156,224,1)",
+ "fill": "1.2",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "formatter": "'0'",
+ "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
+ "label": "Blob Count",
+ "line_width": 2,
+ "metrics": [
+ {
+ "field": "azure.storage_account.blob_count.avg",
+ "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
+ "type": "avg"
+ }
+ ],
+ "point_size": 0,
+ "separate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "terms_field": "azure.resource.name",
+ "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
+ "type": "timeseries",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "type": "gauge",
+ "use_kibana_indexes": false,
+ "drop_last_bucket": 1
+ },
+ "type": "metrics",
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ }
+ }
+ }
},
{
- "embeddableConfig": {
- "enhancements": {}
- },
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 9,
"i": "1d623c03-4d02-4a81-b91e-49e82e112016",
@@ -115,15 +396,72 @@
"y": 0
},
"panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016",
- "panelRefName": "panel_1d623c03-4d02-4a81-b91e-49e82e112016",
- "title": "Transactions",
- "type": "visualization",
- "version": "7.7.0"
- },
- {
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Transactions [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "axis_formatter": "number",
+ "axis_min": 0,
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "id": "c9fd65d0-32e8-11ea-84f4-e9593f8ba8f6",
+ "index_pattern": "metrics-*",
+ "interval": "5m",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "bar",
+ "color": "#3185FC",
+ "fill": 0.5,
+ "formatter": "number",
+ "id": "c9fd8ce0-32e8-11ea-84f4-e9593f8ba8f6",
+ "label": "avg(azure.storage_account.transactions.total)",
+ "line_width": "1",
+ "metrics": [
+ {
+ "field": "azure.storage_account.transactions.total",
+ "id": "c9fd8ce1-32e8-11ea-84f4-e9593f8ba8f6",
+ "type": "max"
+ }
+ ],
+ "point_size": 0,
+ "separate_axis": 0,
+ "split_color_mode": "rainbow",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "azure.dimensions.response_type",
+ "terms_order_by": "c9fd8ce1-32e8-11ea-84f4-e9593f8ba8f6",
+ "type": "timeseries",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "type": "timeseries",
+ "use_kibana_indexes": false,
+ "drop_last_bucket": 1
+ },
+ "type": "metrics",
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ }
+ }
},
+ "title": "Transactions"
+ },
+ {
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 15,
"i": "ff6441f8-d66d-4399-bae5-25d3d861b299",
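Review bot: The Transactions series is labelled `"avg(azure.storage_account.transactions.total)"` but its metric is `"type": "max"`, so the legend describes an aggregation the panel does not compute and an operator reading the chart would take the plotted value for an average. Either the label or the aggregation is wrong; if max is intended (the Egress and Ingress panels also take max over a `.total` field), change the label to `"label": "max(azure.storage_account.transactions.total)"` or simply `"label": "Transactions"`, otherwise switch to `"type": "avg"` in line with the other panels that plot `.avg` fields. This came across unchanged from the old library visualization, but inlining it is the moment to fix it.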
@@ -132,14 +470,81 @@
"y": 5
},
"panelIndex": "ff6441f8-d66d-4399-bae5-25d3d861b299",
- "panelRefName": "panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization",
- "version": "7.7.0"
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Filters [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "controls": [
+ {
+ "fieldName": "azure.subscription_id",
+ "id": "1549397251041",
+ "indexPatternRefName": "control_0_index_pattern",
+ "label": "Subscription",
+ "options": {
+ "dynamicOptions": true,
+ "multiselect": false,
+ "order": "desc",
+ "size": 5,
+ "type": "terms"
+ },
+ "parent": "",
+ "type": "list"
+ },
+ {
+ "fieldName": "azure.resource.group",
+ "id": "1549512142947",
+ "indexPatternRefName": "control_1_index_pattern",
+ "label": "Resource Group",
+ "options": {
+ "dynamicOptions": true,
+ "multiselect": true,
+ "order": "desc",
+ "size": 5,
+ "type": "terms"
+ },
+ "parent": "",
+ "type": "list"
+ },
+ {
+ "fieldName": "azure.resource.name",
+ "id": "1578578146383",
+ "indexPatternRefName": "control_2_index_pattern",
+ "label": "Resource Name",
+ "options": {
+ "dynamicOptions": true,
+ "multiselect": true,
+ "order": "desc",
+ "size": 5,
+ "type": "terms"
+ },
+ "parent": "",
+ "type": "list"
+ }
+ ],
+ "pinFilters": false,
+ "updateFiltersOnChange": true,
+ "useTimeFilter": false
+ },
+ "type": "input_control_vis",
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ }
+ }
+ }
},
{
- "embeddableConfig": {
- "enhancements": {}
- },
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 15,
"i": "87066244-7840-4555-9d12-026d64977f1a",
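Review bot: The Storage Filters panel is inlined as a legacy `"type": "input_control_vis"` visualization, while the other dashboard in this commit (azure_metrics-b232c220…) moves its filters into a `controlGroupInput` control group. Input controls are marked deprecated in recent Kibana releases in favour of dashboard controls, so embedding one by value here ties the dashboard to a panel type that may stop rendering in a later stack version and leaves two dashboards of the same package with different filter UX. I would convert the three list controls (`azure.subscription_id`, `azure.resource.group`, `azure.resource.name`) into an `optionsListControl` group on the dashboard attributes, mirroring the b232c220 file; that also removes the three `control_N_index_pattern` references added at the end of this file section. If the panel must stay for now, a one-line changelog entry noting that this dashboard still uses the deprecated control type would help track the follow-up.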
@@ -148,15 +553,72 @@
"y": 9
},
"panelIndex": "87066244-7840-4555-9d12-026d64977f1a",
- "panelRefName": "panel_87066244-7840-4555-9d12-026d64977f1a",
- "title": "Success Server Latency",
- "type": "visualization",
- "version": "7.7.0"
- },
- {
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Success Server Latency [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "axis_formatter": "number",
+ "axis_min": 0,
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "id": "e9a40230-32e9-11ea-bda2-69435df36a5c",
+ "index_pattern": "metrics-*",
+ "interval": "5m",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "bar",
+ "color": "#3185FC",
+ "fill": 0.5,
+ "formatter": "number",
+ "id": "e9a40231-32e9-11ea-bda2-69435df36a5c",
+ "label": "SuccessServerLatency (ms)",
+ "line_width": "1",
+ "metrics": [
+ {
+ "field": "azure.storage_account.success_server_latency.avg",
+ "id": "e9a40232-32e9-11ea-bda2-69435df36a5c",
+ "type": "avg"
+ }
+ ],
+ "point_size": 0,
+ "separate_axis": 0,
+ "split_color_mode": "rainbow",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "azure.dimensions.api_name",
+ "terms_order_by": "e9a40232-32e9-11ea-bda2-69435df36a5c",
+ "type": "timeseries",
+ "value_template": "{{value}} ms"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "type": "timeseries",
+ "use_kibana_indexes": false,
+ "drop_last_bucket": 1
+ },
+ "type": "metrics",
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ }
+ }
},
+ "title": "Success Server Latency"
+ },
+ {
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 15,
"i": "756da375-e6a2-4668-af43-0cd294878254",
@@ -165,15 +627,72 @@
"y": 9
},
"panelIndex": "756da375-e6a2-4668-af43-0cd294878254",
- "panelRefName": "panel_756da375-e6a2-4668-af43-0cd294878254",
- "title": "Success E2E Latency",
- "type": "visualization",
- "version": "7.7.0"
- },
- {
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Success E2E Latency [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "axis_formatter": "number",
+ "axis_min": 0,
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "id": "da4459b0-32ea-11ea-be35-cb10be813609",
+ "index_pattern": "metrics-*",
+ "interval": "5m",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "bar",
+ "color": "#3185FC",
+ "fill": 0.5,
+ "formatter": "number",
+ "id": "da4459b1-32ea-11ea-be35-cb10be813609",
+ "label": "Success E2E Latency (ms)",
+ "line_width": "1",
+ "metrics": [
+ {
+ "field": "azure.storage_account.success_e2elatency.avg",
+ "id": "da4459b2-32ea-11ea-be35-cb10be813609",
+ "type": "avg"
+ }
+ ],
+ "point_size": 0,
+ "separate_axis": 0,
+ "split_color_mode": "rainbow",
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "azure.dimensions.api_name",
+ "terms_order_by": "da4459b2-32ea-11ea-be35-cb10be813609",
+ "type": "timeseries",
+ "value_template": "{{value}} ms"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "type": "timeseries",
+ "use_kibana_indexes": false,
+ "drop_last_bucket": 1
+ },
+ "type": "metrics",
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ }
+ }
},
+ "title": "Success E2E Latency"
+ },
+ {
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 9,
"i": "34aa5ce7-4f4b-4712-836f-3765e7c3fb3f",
@@ -182,14 +701,97 @@
"y": 0
},
"panelIndex": "34aa5ce7-4f4b-4712-836f-3765e7c3fb3f",
- "panelRefName": "panel_34aa5ce7-4f4b-4712-836f-3765e7c3fb3f",
- "type": "visualization",
- "version": "7.7.0"
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Container Count [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "axis_formatter": "number",
+ "axis_min": 0,
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color": null,
+ "background_color_rules": [
+ {
+ "id": "71978870-32e4-11ea-af9e-d70582a45bda"
+ }
+ ],
+ "bar_color_rules": [
+ {
+ "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
+ }
+ ],
+ "drilldown_url": "",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
+ }
+ ],
+ "gauge_inner_color": null,
+ "gauge_inner_width": "6",
+ "gauge_style": "circle",
+ "gauge_width": "10",
+ "hide_last_value_indicator": true,
+ "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
+ "index_pattern": "metrics-*",
+ "interval": "60m",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(104,188,0,1)",
+ "fill": "1.2",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "formatter": "'0'",
+ "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
+ "label": "Container Count",
+ "line_width": 2,
+ "metrics": [
+ {
+ "field": "azure.storage_account.container_count.avg",
+ "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
+ "type": "avg"
+ }
+ ],
+ "point_size": 0,
+ "separate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_mode": "everything",
+ "stacked": "none",
+ "terms_field": "azure.resource.name",
+ "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
+ "type": "timeseries",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "type": "gauge",
+ "use_kibana_indexes": false,
+ "drop_last_bucket": 1
+ },
+ "type": "metrics",
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ }
+ }
+ }
},
{
- "embeddableConfig": {
- "enhancements": {}
- },
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 14,
"i": "a715fafc-ca38-410c-9253-12ba506eabc0",
@@ -198,15 +800,105 @@
"y": 24
},
"panelIndex": "a715fafc-ca38-410c-9253-12ba506eabc0",
- "panelRefName": "panel_a715fafc-ca38-410c-9253-12ba506eabc0",
- "title": "Egress Traffic by APIName",
- "type": "visualization",
- "version": "7.7.0"
- },
- {
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Account Egress Traffic [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "axis_formatter": "number",
+ "axis_min": 0,
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "0791c5a0-32d8-11ea-98d2-1194b9f2bfc0"
+ }
+ ],
+ "bar_color_rules": [
+ {
+ "id": "fca016e0-32de-11ea-a435-e7199eba380d"
+ }
+ ],
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "id": "fb8be7c0-32de-11ea-a435-e7199eba380d"
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "id": "f0edca80-32d5-11ea-b19d-fb5049b980ca",
+ "index_pattern": "metrics-*",
+ "interval": "5m",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(0,149,177,1)",
+ "fill": 0,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "formatter": "bytes",
+ "hidden": false,
+ "id": "f0edf190-32d5-11ea-b19d-fb5049b980ca",
+ "label": "Storage Accounts Egress Total",
+ "line_width": 2,
+ "metrics": [
+ {
+ "field": "azure.storage_account.egress.total",
+ "id": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
+ "type": "max"
+ }
+ ],
+ "point_size": 0,
+ "separate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_filters": [
+ {
+ "color": "rgba(0,98,177,1)",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "id": "283dc410-32d9-11ea-98d2-1194b9f2bfc0"
+ }
+ ],
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "azure.dimensions.api_name",
+ "terms_order_by": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
+ "type": "timeseries",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "type": "timeseries",
+ "use_kibana_indexes": false,
+ "drop_last_bucket": 1
+ },
+ "type": "metrics",
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ }
+ }
},
+ "title": "Egress Traffic by APIName"
+ },
+ {
+ "version": "8.3.0",
+ "type": "visualization",
"gridData": {
"h": 14,
"i": "75f72920-be71-47a9-a967-f1c862ab2961",
@@ -215,21 +907,107 @@
"y": 24
},
"panelIndex": "75f72920-be71-47a9-a967-f1c862ab2961",
- "panelRefName": "panel_75f72920-be71-47a9-a967-f1c862ab2961",
- "title": "Ingress Traffic by APIName",
- "type": "visualization",
- "version": "7.7.0"
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "title": "Storage Account Ingress Traffic [Azure Metrics]",
+ "description": "",
+ "uiState": {},
+ "params": {
+ "axis_formatter": "number",
+ "axis_min": 0,
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "0791c5a0-32d8-11ea-98d2-1194b9f2bfc0"
+ }
+ ],
+ "bar_color_rules": [
+ {
+ "id": "fca016e0-32de-11ea-a435-e7199eba380d"
+ }
+ ],
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "gauge_color_rules": [
+ {
+ "id": "fb8be7c0-32de-11ea-a435-e7199eba380d"
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "id": "f0edca80-32d5-11ea-b19d-fb5049b980ca",
+ "index_pattern": "metrics-*",
+ "interval": "5m",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "rgba(104,188,0,1)",
+ "fill": 0,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "formatter": "bytes",
+ "hidden": false,
+ "id": "f0edf190-32d5-11ea-b19d-fb5049b980ca",
+ "label": "Storage Accounts Ingress Total",
+ "line_width": 2,
+ "metrics": [
+ {
+ "field": "azure.storage_account.ingress.total",
+ "id": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
+ "type": "max"
+ }
+ ],
+ "point_size": 0,
+ "separate_axis": 0,
+ "split_color_mode": "gradient",
+ "split_filters": [
+ {
+ "color": "rgba(0,98,177,1)",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "id": "283dc410-32d9-11ea-98d2-1194b9f2bfc0"
+ }
+ ],
+ "split_mode": "terms",
+ "stacked": "none",
+ "terms_field": "azure.dimensions.api_name",
+ "terms_order_by": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
+ "type": "timeseries",
+ "value_template": "{{value}}"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "@timestamp",
+ "type": "timeseries",
+ "use_kibana_indexes": false,
+ "drop_last_bucket": 1
+ },
+ "type": "metrics",
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ }
+ }
+ },
+ "title": "Ingress Traffic by APIName"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Blob Storage Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "dashboard": "7.14.0"
- },
"references": [
{
"id": "metrics-*",
@@ -237,60 +1015,23 @@
"type": "index-pattern"
},
{
- "id": "azure_metrics-e4b25ee0-32f6-11ea-a83e-25b8612d00cc",
- "name": "ed5f5642-c94a-481b-a8c2-7dfe4c6a4f05:panel_ed5f5642-c94a-481b-a8c2-7dfe4c6a4f05",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-40dbc0d0-32e3-11ea-a83e-25b8612d00cc",
- "name": "a9456b9b-efa6-410d-a56c-4b66aa8c499e:panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "type": "visualization"
+ "type": "index-pattern",
+ "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:control_0_index_pattern",
+ "id": "metrics-*"
},
{
- "id": "azure_metrics-17ee2920-3391-11ea-a83e-25b8612d00cc",
- "name": "0c873134-b025-487d-be81-f727dbff0174:panel_0c873134-b025-487d-be81-f727dbff0174",
- "type": "visualization"
+ "type": "index-pattern",
+ "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:control_1_index_pattern",
+ "id": "metrics-*"
},
{
- "id": "azure_metrics-55936920-3391-11ea-a83e-25b8612d00cc",
- "name": "41faed50-ba96-4484-b6dc-71ed3e2d3427:panel_41faed50-ba96-4484-b6dc-71ed3e2d3427",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-553f9320-32e9-11ea-a83e-25b8612d00cc",
- "name": "1d623c03-4d02-4a81-b91e-49e82e112016:panel_1d623c03-4d02-4a81-b91e-49e82e112016",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-acced050-32d1-11ea-a83e-25b8612d00cc",
- "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d00cc",
- "name": "87066244-7840-4555-9d12-026d64977f1a:panel_87066244-7840-4555-9d12-026d64977f1a",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-685fbeb0-32eb-11ea-a83e-25b8612d00cc",
- "name": "756da375-e6a2-4668-af43-0cd294878254:panel_756da375-e6a2-4668-af43-0cd294878254",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-9e991b10-3391-11ea-a83e-25b8612d00cc",
- "name": "34aa5ce7-4f4b-4712-836f-3765e7c3fb3f:panel_34aa5ce7-4f4b-4712-836f-3765e7c3fb3f",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-599c62c0-32d7-11ea-a83e-25b8612d00cc",
- "name": "a715fafc-ca38-410c-9253-12ba506eabc0:panel_a715fafc-ca38-410c-9253-12ba506eabc0",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-4eaef260-32e1-11ea-a83e-25b8612d00cc",
- "name": "75f72920-be71-47a9-a967-f1c862ab2961:panel_75f72920-be71-47a9-a967-f1c862ab2961",
- "type": "visualization"
+ "type": "index-pattern",
+ "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:control_2_index_pattern",
+ "id": "metrics-*"
}
],
- "type": "dashboard"
+ "migrationVersion": {
+ "dashboard": "8.3.0"
+ },
+ "coreMigrationVersion": "8.3.0"
}
\ No newline at end of file
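Review bot: The three new `control_N_index_pattern` references are written with keys in `type`, `name`, `id` order while the surviving entry just above them and every reference in the preceding dashboard use `id`, `name`, `type`; key order is insignificant to a parser, but mixed ordering within one array shows the entries were hand-assembled and will make the next export diff noisier. I would reorder them, e.g. `"id": "metrics-*"`, `"name": "ff6441f8-d66d-4399-bae5-25d3d861b299:control_0_index_pattern"`, `"type": "index-pattern"`, and add the trailing newline that the `\ No newline at end of file` marker flags. The `migrationVersion` and `coreMigrationVersion` moved here are set to `8.3.0` and the panels declare `"version": "8.3.0"`, whereas the by-value lens panels in the next file declare `"version": "8.4.0"`; I cannot see the package's kibana.version constraint from this diff, so it is worth confirming both dashboards agree with it.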
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-b232c220-8481-11ea-b181-4b1a9e0110f9.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-b232c220-8481-11ea-b181-4b1a9e0110f9.json
index c1a559d2c57..f1a3bba939d 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-b232c220-8481-11ea-b181-4b1a9e0110f9.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-b232c220-8481-11ea-b181-4b1a9e0110f9.json
@@ -1,5 +1,11 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"5ded6e5e-32f8-491e-a515-5465e2549e82\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"id\":\"5ded6e5e-32f8-491e-a515-5465e2549e82\",\"enhancements\":{}}},\"81c62f66-38e0-45a3-9b19-e380906868b3\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"singleSelect\":true,\"id\":\"81c62f66-38e0-45a3-9b19-e380906868b3\",\"enhancements\":{}}},\"7b24bd7b-62d4-41d1-8b73-a0cadf1977b4\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.name\",\"title\":\"Resource\",\"singleSelect\":true,\"id\":\"7b24bd7b-62d4-41d1-8b73-a0cadf1977b4\",\"enhancements\":{}}},\"5966e687-c394-49b7-9425-6b78bdd42278\":{\"order\":3,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.dimensions.database_name\",\"title\":\"Database\",\"id\":\"5966e687-c394-49b7-9425-6b78bdd42278\",\"enhancements\":{}}}}"
+ },
"description": "This Azure Database Account dashboard visualizes the most important database account metrics.",
"hits": 0,
"kibanaSavedObjectMeta": {
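Review bot: In the new `controlGroupInput.panelsJSON` the Subscription, Resource Group and Resource controls set `\"singleSelect\":true` explicitly, but the Database control (`5966e687…`) omits the key, so its selection mode falls back to Kibana's default rather than being stated; if multi-select is intended there, spell it out as `\"singleSelect\":false` so all four controls are self-describing. The control titled `Resource` filters `azure.resource.name`, which elsewhere in this diff is labelled `Resource Name`, so aligning the title avoids two names for one field across the package. `panelsJSON` and `ignoreParentSettingsJSON` are JSON documents encoded inside strings — that is the shape Kibana stores, but it means these controls are not reviewable line by line and a typo inside the string only surfaces at import time, so round-tripping this file through a Kibana import before merging is worthwhile.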
@@ -18,188 +24,1106 @@
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 4,
- "i": "fe2125b1-526c-4293-b488-86d8c15ea3fb",
- "w": 9,
- "x": 0,
- "y": 0
- },
- "panelIndex": "fe2125b1-526c-4293-b488-86d8c15ea3fb",
- "panelRefName": "panel_fe2125b1-526c-4293-b488-86d8c15ea3fb",
- "type": "visualization",
- "version": "7.6.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-2ea02a2a-cdd3-40ba-97da-5b9d05e8c045",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "2ea02a2a-cdd3-40ba-97da-5b9d05e8c045": {
+ "columnOrder": [
+ "c97e22a5-f733-4829-9b73-6cbc360fc7ba",
+ "7363b83c-fe2f-4995-a378-dc4d1bab3111",
+ "3fb621b2-d036-4d81-921c-1a84b4e90811"
+ ],
+ "columns": {
+ "3fb621b2-d036-4d81-921c-1a84b4e90811": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Data Usage",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.database_account.data_usage.total"
+ },
+ "7363b83c-fe2f-4995-a378-dc4d1bab3111": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.database_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [
+ "\"\u003cempty\u003e\""
+ ],
+ "excludeIsRegex": true,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "3fb621b2-d036-4d81-921c-1a84b4e90811",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.database_name"
+ },
+ "c97e22a5-f733-4829-9b73-6cbc360fc7ba": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "3fb621b2-d036-4d81-921c-1a84b4e90811"
+ ],
+ "layerId": "2ea02a2a-cdd3-40ba-97da-5b9d05e8c045",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "7363b83c-fe2f-4995-a378-dc4d1bab3111",
+ "xAccessor": "c97e22a5-f733-4829-9b73-6cbc360fc7ba",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "3fb621b2-d036-4d81-921c-1a84b4e90811"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 18,
"i": "db895503-5a84-4b26-b889-c3c7ca964643",
- "w": 18,
- "x": 9,
- "y": 0
+ "w": 24,
+ "x": 0,
+ "y": 4
},
"panelIndex": "db895503-5a84-4b26-b889-c3c7ca964643",
- "panelRefName": "panel_db895503-5a84-4b26-b889-c3c7ca964643",
"title": "Data Usage",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-4fccce2f-367f-4ed1-8b1d-95e99a644bf6",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "4fccce2f-367f-4ed1-8b1d-95e99a644bf6": {
+ "columnOrder": [
+ "4e3e96de-e88a-43f1-8381-9760892ace3c",
+ "01be910c-aa52-4746-aa95-8ae74666515c",
+ "3c4ed7dd-e654-4c8b-bb2a-4b57c77fc059"
+ ],
+ "columns": {
+ "01be910c-aa52-4746-aa95-8ae74666515c": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.database_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [
+ "\"\u003cempty\u003e\""
+ ],
+ "excludeIsRegex": true,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "3c4ed7dd-e654-4c8b-bb2a-4b57c77fc059",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.database_name"
+ },
+ "3c4ed7dd-e654-4c8b-bb2a-4b57c77fc059": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Index Usage",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.database_account.index_usage.total"
+ },
+ "4e3e96de-e88a-43f1-8381-9760892ace3c": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "3c4ed7dd-e654-4c8b-bb2a-4b57c77fc059"
+ ],
+ "layerId": "4fccce2f-367f-4ed1-8b1d-95e99a644bf6",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "01be910c-aa52-4746-aa95-8ae74666515c",
+ "xAccessor": "4e3e96de-e88a-43f1-8381-9760892ace3c",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(176,188,0,1)",
+ "forAccessor": "3c4ed7dd-e654-4c8b-bb2a-4b57c77fc059"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 18,
"i": "0b986285-a5d0-4a31-bdb8-0f29cd50c2eb",
- "w": 21,
- "x": 27,
- "y": 0
+ "w": 24,
+ "x": 24,
+ "y": 4
},
"panelIndex": "0b986285-a5d0-4a31-bdb8-0f29cd50c2eb",
- "panelRefName": "panel_0b986285-a5d0-4a31-bdb8-0f29cd50c2eb",
"title": "Index Usage",
- "type": "visualization",
- "version": "7.6.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 14,
- "i": "7d7b71ea-eb6b-43bf-be61-80235d1d4529",
- "w": 9,
- "x": 0,
- "y": 4
- },
- "panelIndex": "7d7b71ea-eb6b-43bf-be61-80235d1d4529",
- "panelRefName": "panel_7d7b71ea-eb6b-43bf-be61-80235d1d4529",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-ce857b4e-c1a6-426a-922a-74414174f31c",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "ce857b4e-c1a6-426a-922a-74414174f31c": {
+ "columnOrder": [
+ "6806524d-6952-4c0f-965e-a589f2ceb49d",
+ "8898315e-288c-49f3-9c48-d9a7fff604f9",
+ "d59fadff-0350-4448-adff-1926cfdfe2a7"
+ ],
+ "columns": {
+ "6806524d-6952-4c0f-965e-a589f2ceb49d": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "8898315e-288c-49f3-9c48-d9a7fff604f9": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.database_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [
+ "\"\u003cempty\u003e\""
+ ],
+ "excludeIsRegex": true,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "d59fadff-0350-4448-adff-1926cfdfe2a7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.database_name"
+ },
+ "d59fadff-0350-4448-adff-1926cfdfe2a7": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Total Requests",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.database_account.total_requests.count"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "d59fadff-0350-4448-adff-1926cfdfe2a7"
+ ],
+ "layerId": "ce857b4e-c1a6-426a-922a-74414174f31c",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "8898315e-288c-49f3-9c48-d9a7fff604f9",
+ "xAccessor": "6806524d-6952-4c0f-965e-a589f2ceb49d",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(211,49,21,1)",
+ "forAccessor": "d59fadff-0350-4448-adff-1926cfdfe2a7"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "f6ce8b48-a876-4031-a43f-3ca3704a4ad6",
"w": 24,
"x": 0,
- "y": 18
+ "y": 22
},
"panelIndex": "f6ce8b48-a876-4031-a43f-3ca3704a4ad6",
- "panelRefName": "panel_f6ce8b48-a876-4031-a43f-3ca3704a4ad6",
"title": "Total Requests",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-29755bf1-08a6-4d0a-91be-45e89f7acf6c",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "29755bf1-08a6-4d0a-91be-45e89f7acf6c": {
+ "columnOrder": [
+ "d296a866-7260-4fd0-92b8-c51c474191dc",
+ "6d44ab5c-94d8-44e3-90cf-2907e0818887",
+ "b2b5caee-bc32-49d4-a106-0bc5189d9c60"
+ ],
+ "columns": {
+ "6d44ab5c-94d8-44e3-90cf-2907e0818887": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.database_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [
+ "\"\u003cempty\u003e\""
+ ],
+ "excludeIsRegex": true,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b2b5caee-bc32-49d4-a106-0bc5189d9c60",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.database_name"
+ },
+ "b2b5caee-bc32-49d4-a106-0bc5189d9c60": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Document Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.database_account.document_count.total"
+ },
+ "d296a866-7260-4fd0-92b8-c51c474191dc": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "b2b5caee-bc32-49d4-a106-0bc5189d9c60"
+ ],
+ "layerId": "29755bf1-08a6-4d0a-91be-45e89f7acf6c",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "6d44ab5c-94d8-44e3-90cf-2907e0818887",
+ "xAccessor": "d296a866-7260-4fd0-92b8-c51c474191dc",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(102,102,102,1)",
+ "forAccessor": "b2b5caee-bc32-49d4-a106-0bc5189d9c60"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "c604014a-647f-4a1d-b2e9-0304fdacc363",
"w": 24,
"x": 24,
- "y": 18
+ "y": 22
},
"panelIndex": "c604014a-647f-4a1d-b2e9-0304fdacc363",
- "panelRefName": "panel_c604014a-647f-4a1d-b2e9-0304fdacc363",
"title": "Document Count",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-836ebce7-0f89-405a-a22b-87640aefc7a7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "836ebce7-0f89-405a-a22b-87640aefc7a7": {
+ "columnOrder": [
+ "510de163-da9e-4bbb-9123-fbcd8137f1b0",
+ "582ca1b9-b067-43f1-83ac-e7eaae6be66a",
+ "533fedbb-252f-4692-a9f4-684f2db7ecea"
+ ],
+ "columns": {
+ "510de163-da9e-4bbb-9123-fbcd8137f1b0": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "533fedbb-252f-4692-a9f4-684f2db7ecea": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Available storage",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.database_account.available_storage.total"
+ },
+ "582ca1b9-b067-43f1-83ac-e7eaae6be66a": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.database_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [
+ "\"\u003cempty\u003e\""
+ ],
+ "excludeIsRegex": true,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "533fedbb-252f-4692-a9f4-684f2db7ecea",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.database_name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "533fedbb-252f-4692-a9f4-684f2db7ecea"
+ ],
+ "layerId": "836ebce7-0f89-405a-a22b-87640aefc7a7",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "582ca1b9-b067-43f1-83ac-e7eaae6be66a",
+ "xAccessor": "510de163-da9e-4bbb-9123-fbcd8137f1b0",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(101,50,148,1)",
+ "forAccessor": "533fedbb-252f-4692-a9f4-684f2db7ecea"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "b0cbeaf7-8a12-4efa-b63b-5479c2cb39a9",
"w": 24,
"x": 0,
- "y": 33
+ "y": 37
},
"panelIndex": "b0cbeaf7-8a12-4efa-b63b-5479c2cb39a9",
- "panelRefName": "panel_b0cbeaf7-8a12-4efa-b63b-5479c2cb39a9",
"title": "Available Storage",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-3450e519-734c-41f0-8359-ca2bdfa410d9",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "3450e519-734c-41f0-8359-ca2bdfa410d9": {
+ "columnOrder": [
+ "e68bc054-a100-4a07-aa25-d143e7b35d7a",
+ "e6baa80e-eb80-490f-af62-85b660093713",
+ "927efb5c-668b-4d6b-b418-2826c9d0eea2"
+ ],
+ "columns": {
+ "927efb5c-668b-4d6b-b418-2826c9d0eea2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Total Requests",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.database_account.total_requests.count"
+ },
+ "e68bc054-a100-4a07-aa25-d143e7b35d7a": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Status Codes",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "fallback": false,
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.status_code"
+ },
+ "e6baa80e-eb80-490f-af62-85b660093713": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 5 values of azure.dimensions.database_name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "fallback": false,
+ "type": "alphabetical"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.database_name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "927efb5c-668b-4d6b-b418-2826c9d0eea2"
+ ],
+ "layerId": "3450e519-734c-41f0-8359-ca2bdfa410d9",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "splitAccessor": "e68bc054-a100-4a07-aa25-d143e7b35d7a",
+ "xAccessor": "e6baa80e-eb80-490f-af62-85b660093713"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": false,
+ "yLeft": true,
+ "yRight": true
+ },
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "xTitle": "",
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
- "i": "5e755432-3e55-405c-91cf-3348d5067a3a",
+ "i": "8686b8c9-df01-4872-8f72-001b39c0d824",
"w": 24,
"x": 24,
- "y": 33
+ "y": 37
},
- "panelIndex": "5e755432-3e55-405c-91cf-3348d5067a3a",
- "panelRefName": "panel_5e755432-3e55-405c-91cf-3348d5067a3a",
+ "panelIndex": "8686b8c9-df01-4872-8f72-001b39c0d824",
"title": "Requests Per Status Code",
+ "type": "lens",
+ "version": "8.4.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Azure Database Accounts\n",
+ "openLinksInNewTab": false
+ },
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 4,
+ "i": "ba6e5ed6-86d8-4d43-bc3c-158737ec9fdf",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "ba6e5ed6-86d8-4d43-bc3c-158737ec9fdf",
+ "title": "Navigation Database Account Overview [Azure Metrics]",
"type": "visualization",
- "version": "7.6.0"
+ "version": "8.4.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Database Account Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.4.0",
"id": "azure_metrics-b232c220-8481-11ea-b181-4b1a9e0110f9",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.4.0"
},
"references": [
{
- "id": "azure_metrics-4177aab0-83cc-11ea-be84-f5d4d6b9a792",
- "name": "fe2125b1-526c-4293-b488-86d8c15ea3fb:panel_fe2125b1-526c-4293-b488-86d8c15ea3fb",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "db895503-5a84-4b26-b889-c3c7ca964643:indexpattern-datasource-layer-2ea02a2a-cdd3-40ba-97da-5b9d05e8c045",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "0b986285-a5d0-4a31-bdb8-0f29cd50c2eb:indexpattern-datasource-layer-4fccce2f-367f-4ed1-8b1d-95e99a644bf6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "f6ce8b48-a876-4031-a43f-3ca3704a4ad6:indexpattern-datasource-layer-ce857b4e-c1a6-426a-922a-74414174f31c",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-a49b4e20-8490-11ea-b181-4b1a9e0110f9",
- "name": "db895503-5a84-4b26-b889-c3c7ca964643:panel_db895503-5a84-4b26-b889-c3c7ca964643",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "c604014a-647f-4a1d-b2e9-0304fdacc363:indexpattern-datasource-layer-29755bf1-08a6-4d0a-91be-45e89f7acf6c",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-d2801d70-8490-11ea-b181-4b1a9e0110f9",
- "name": "0b986285-a5d0-4a31-bdb8-0f29cd50c2eb:panel_0b986285-a5d0-4a31-bdb8-0f29cd50c2eb",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "b0cbeaf7-8a12-4efa-b63b-5479c2cb39a9:indexpattern-datasource-layer-836ebce7-0f89-405a-a22b-87640aefc7a7",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-674c1d70-83cc-11ea-be84-f5d4d6b9a792",
- "name": "7d7b71ea-eb6b-43bf-be61-80235d1d4529:panel_7d7b71ea-eb6b-43bf-be61-80235d1d4529",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "8686b8c9-df01-4872-8f72-001b39c0d824:indexpattern-datasource-layer-3450e519-734c-41f0-8359-ca2bdfa410d9",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-a16b5900-8492-11ea-b181-4b1a9e0110f9",
- "name": "f6ce8b48-a876-4031-a43f-3ca3704a4ad6:panel_f6ce8b48-a876-4031-a43f-3ca3704a4ad6",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_5ded6e5e-32f8-491e-a515-5465e2549e82:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-d3ac7d90-8492-11ea-b181-4b1a9e0110f9",
- "name": "c604014a-647f-4a1d-b2e9-0304fdacc363:panel_c604014a-647f-4a1d-b2e9-0304fdacc363",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_81c62f66-38e0-45a3-9b19-e380906868b3:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d11cc",
- "name": "b0cbeaf7-8a12-4efa-b63b-5479c2cb39a9:panel_b0cbeaf7-8a12-4efa-b63b-5479c2cb39a9",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_7b24bd7b-62d4-41d1-8b73-a0cadf1977b4:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-037382e0-856e-11ea-91bc-ab084c7ec0e7",
- "name": "5e755432-3e55-405c-91cf-3348d5067a3a:panel_5e755432-3e55-405c-91cf-3348d5067a3a",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_5966e687-c394-49b7-9425-6b78bdd42278:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca.json
index c051ac8175a..faf367b1ce7 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca.json
@@ -1,5 +1,11 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"a3cac948-1725-4a9c-a58f-b0abf3c4f3eb\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"Region\",\"id\":\"a3cac948-1725-4a9c-a58f-b0abf3c4f3eb\",\"enhancements\":{}}},\"f29b5d93-bc00-4d20-9e72-9aa80d5dcbbe\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"id\":\"f29b5d93-bc00-4d20-9e72-9aa80d5dcbbe\",\"enhancements\":{}}},\"0eb8103d-8425-410f-afa5-6c686749b5b9\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.name\",\"title\":\"VM Name\",\"id\":\"0eb8103d-8425-410f-afa5-6c686749b5b9\",\"enhancements\":{}}}}"
+ },
"description": "Guest Memory Metrics \u0026 Process Compute VM",
"hits": 0,
"kibanaSavedObjectMeta": {
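Review bot: The new `controlGroupInput` block declares three `optionsListControl` entries in `panelsJSON` (ids `a3cac948-…`, `f29b5d93-…`, `0eb8103d-…`), but the matching `controlGroup_<id>:optionsListDataView` index-pattern entries that the previous dashboard in this diff carries in its `references` array are not visible here, so please confirm they were added to this file's `references` too; a control whose data view reference is absent presumably will not resolve when the package is installed. The `panelsJSON` and `ignoreParentSettingsJSON` values are double-encoded JSON strings, which appears to be the saved-object format the other migrated dashboards use, so they should stay as strings rather than being expanded into nested objects. The enclosing `attributes` object continues past the end of this hunk.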
@@ -20,243 +26,1390 @@
{
"embeddableConfig": {
"enhancements": {},
- "hidePanelTitles": false
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Azure Guest Metrics for Windows VM's\n\n[Back to Overview](#/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5) | [**Memory \u0026 Process**](#/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca) | [ASP.NET and SQL Server](#/dashboard/azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Compute VM Memory \u0026 Process Metrics [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 7,
"i": "6df47ee8-074f-441f-9d2d-f423f0eccf30",
- "w": 13,
+ "w": 26,
"x": 0,
"y": 0
},
"panelIndex": "6df47ee8-074f-441f-9d2d-f423f0eccf30",
- "panelRefName": "panel_6df47ee8-074f-441f-9d2d-f423f0eccf30",
"title": "Navigation Guest Metrics",
"type": "visualization",
- "version": "7.14.0-SNAPSHOT"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false
- },
- "gridData": {
- "h": 7,
- "i": "03e2eaef-c73b-42d6-9e37-0c0eb13e1617",
- "w": 13,
- "x": 13,
- "y": 0
- },
- "panelIndex": "03e2eaef-c73b-42d6-9e37-0c0eb13e1617",
- "panelRefName": "panel_03e2eaef-c73b-42d6-9e37-0c0eb13e1617",
- "title": "Filters",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-938e962f-006c-4f82-81e5-f3cf38e3ff3b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "23eeae24-a238-4cfc-8673-69f05420ac16": {
+ "columnOrder": [
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "columns": {
+ "02e01509-6981-4f1d-ba33-18e4336f61c1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Network interface received bytes/sec",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1,
+ "suffix": "/s"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.network_interface_bytes_received_per_sec.avg"
+ },
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "938e962f-006c-4f82-81e5-f3cf38e3ff3b": {
+ "columnOrder": [
+ "06e98232-adb4-4c42-8ba0-67e26aeacb13",
+ "b2b5e381-a999-4fb7-af4e-97f9ba3cb7f4",
+ "3b7b092f-815d-48fc-a24a-0bf922122064"
+ ],
+ "columns": {
+ "06e98232-adb4-4c42-8ba0-67e26aeacb13": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "3b7b092f-815d-48fc-a24a-0bf922122064": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Network interface sent bytes/sec",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.network_interface_bytes_sent_per_sec.avg"
+ },
+ "b2b5e381-a999-4fb7-af4e-97f9ba3cb7f4": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "layerId": "23eeae24-a238-4cfc-8673-69f05420ac16",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "xAccessor": "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "3b7b092f-815d-48fc-a24a-0bf922122064"
+ ],
+ "layerId": "938e962f-006c-4f82-81e5-f3cf38e3ff3b",
+ "layerType": "data",
+ "seriesType": "area",
+ "splitAccessor": "b2b5e381-a999-4fb7-af4e-97f9ba3cb7f4",
+ "xAccessor": "06e98232-adb4-4c42-8ba0-67e26aeacb13",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "3b7b092f-815d-48fc-a24a-0bf922122064"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 18,
- "i": "d92cc81b-bd94-4502-aa37-de44f2cada39",
+ "i": "7e138e70-820d-42ad-9e0d-8e6a3e136f54",
"w": 22,
"x": 26,
"y": 0
},
- "panelIndex": "d92cc81b-bd94-4502-aa37-de44f2cada39",
- "panelRefName": "panel_d92cc81b-bd94-4502-aa37-de44f2cada39",
+ "panelIndex": "7e138e70-820d-42ad-9e0d-8e6a3e136f54",
"title": "Network interface sent/received bytes/sec",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "23eeae24-a238-4cfc-8673-69f05420ac16": {
+ "columnOrder": [
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "columns": {
+ "02e01509-6981-4f1d-ba33-18e4336f61c1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Process Working Set Private",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.process_working_set_private.avg"
+ },
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "layerId": "23eeae24-a238-4cfc-8673-69f05420ac16",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "xAccessor": "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 15,
- "i": "8d1c9102-89da-4af1-a139-0e0433778f3f",
+ "i": "99c2cd2e-18a5-41eb-a725-cb1f998843b3",
"w": 26,
"x": 0,
"y": 7
},
- "panelIndex": "8d1c9102-89da-4af1-a139-0e0433778f3f",
- "panelRefName": "panel_8d1c9102-89da-4af1-a139-0e0433778f3f",
+ "panelIndex": "99c2cd2e-18a5-41eb-a725-cb1f998843b3",
"title": "Process Working Set Private",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e7bf0a20-33a2-4378-98f2-d99de0c55911",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "e7bf0a20-33a2-4378-98f2-d99de0c55911": {
+ "columnOrder": [
+ "e06d815f-cd9a-4ac6-b791-5f5698314b4d",
+ "0cd867ab-5d0e-401c-bf57-710ce6e54afc"
+ ],
+ "columns": {
+ "0cd867ab-5d0e-401c-bf57-710ce6e54afc": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Handle Count Average",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.process_handle_count.avg"
+ },
+ "e06d815f-cd9a-4ac6-b791-5f5698314b4d": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "gridlinesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0cd867ab-5d0e-401c-bf57-710ce6e54afc"
+ ],
+ "layerId": "e7bf0a20-33a2-4378-98f2-d99de0c55911",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "e06d815f-cd9a-4ac6-b791-5f5698314b4d",
+ "yConfig": [
+ {
+ "axisMode": "auto",
+ "color": "#d36086",
+ "forAccessor": "0cd867ab-5d0e-401c-bf57-710ce6e54afc"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "title": "Empty XY chart",
+ "valueLabels": "show",
+ "xTitle": "",
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 11,
- "i": "2393ec57-d9de-4f90-a628-fd1fceb39942",
+ "i": "ca6f4ef8-7e5c-4630-a590-18ce33a78a3d",
"w": 11,
"x": 26,
"y": 18
},
- "panelIndex": "2393ec57-d9de-4f90-a628-fd1fceb39942",
- "panelRefName": "panel_2393ec57-d9de-4f90-a628-fd1fceb39942",
+ "panelIndex": "ca6f4ef8-7e5c-4630-a590-18ce33a78a3d",
"title": "Handle Count",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e7bf0a20-33a2-4378-98f2-d99de0c55911",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "e7bf0a20-33a2-4378-98f2-d99de0c55911": {
+ "columnOrder": [
+ "e06d815f-cd9a-4ac6-b791-5f5698314b4d",
+ "0cd867ab-5d0e-401c-bf57-710ce6e54afc"
+ ],
+ "columns": {
+ "0cd867ab-5d0e-401c-bf57-710ce6e54afc": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Thread Count Average",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.process_thread_count.avg"
+ },
+ "e06d815f-cd9a-4ac6-b791-5f5698314b4d": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "gridlinesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0cd867ab-5d0e-401c-bf57-710ce6e54afc"
+ ],
+ "layerId": "e7bf0a20-33a2-4378-98f2-d99de0c55911",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "e06d815f-cd9a-4ac6-b791-5f5698314b4d",
+ "yConfig": [
+ {
+ "axisMode": "auto",
+ "color": "#da8b45",
+ "forAccessor": "0cd867ab-5d0e-401c-bf57-710ce6e54afc"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "title": "Empty XY chart",
+ "valueLabels": "show",
+ "xTitle": "",
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 11,
- "i": "78f90428-8dff-489c-a916-d8fba60b958f",
+ "i": "af9b103b-35e9-45c0-9b3b-08dc9bacf330",
"w": 11,
"x": 37,
"y": 18
},
- "panelIndex": "78f90428-8dff-489c-a916-d8fba60b958f",
- "panelRefName": "panel_78f90428-8dff-489c-a916-d8fba60b958f",
+ "panelIndex": "af9b103b-35e9-45c0-9b3b-08dc9bacf330",
"title": "Thread Count",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "23eeae24-a238-4cfc-8673-69f05420ac16": {
+ "columnOrder": [
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "columns": {
+ "02e01509-6981-4f1d-ba33-18e4336f61c1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Memory committed bytes",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.memory_committed_bytes.avg"
+ },
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "layerId": "23eeae24-a238-4cfc-8673-69f05420ac16",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "xAccessor": "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 15,
- "i": "bd8c4170-3a70-4617-ac8d-61473df84c94",
+ "i": "2ea4838a-ea4f-4c11-945a-16d86c7d0877",
"w": 26,
"x": 0,
"y": 22
},
- "panelIndex": "bd8c4170-3a70-4617-ac8d-61473df84c94",
- "panelRefName": "panel_bd8c4170-3a70-4617-ac8d-61473df84c94",
+ "panelIndex": "2ea4838a-ea4f-4c11-945a-16d86c7d0877",
"title": "Memory Committed Bytes",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-e7bf0a20-33a2-4378-98f2-d99de0c55911",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "e7bf0a20-33a2-4378-98f2-d99de0c55911": {
+ "columnOrder": [
+ "e06d815f-cd9a-4ac6-b791-5f5698314b4d",
+ "0cd867ab-5d0e-401c-bf57-710ce6e54afc"
+ ],
+ "columns": {
+ "0cd867ab-5d0e-401c-bf57-710ce6e54afc": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Process Count Average",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.system_processes.avg"
+ },
+ "e06d815f-cd9a-4ac6-b791-5f5698314b4d": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "gridlinesVisibilitySettings": {
+ "x": false,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0cd867ab-5d0e-401c-bf57-710ce6e54afc"
+ ],
+ "layerId": "e7bf0a20-33a2-4378-98f2-d99de0c55911",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal",
+ "showGridlines": false,
+ "xAccessor": "e06d815f-cd9a-4ac6-b791-5f5698314b4d",
+ "yConfig": [
+ {
+ "axisMode": "auto",
+ "color": "#ca8eae",
+ "forAccessor": "0cd867ab-5d0e-401c-bf57-710ce6e54afc"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "title": "Empty XY chart",
+ "valueLabels": "show",
+ "xTitle": "",
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 8,
- "i": "b46e124f-7836-4b99-9bf0-1884ae65dc39",
+ "i": "3f1f707c-36f7-4918-814a-474eda5e497a",
"w": 22,
"x": 26,
"y": 29
},
- "panelIndex": "b46e124f-7836-4b99-9bf0-1884ae65dc39",
- "panelRefName": "panel_b46e124f-7836-4b99-9bf0-1884ae65dc39",
+ "panelIndex": "3f1f707c-36f7-4918-814a-474eda5e497a",
"title": "Process Count",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "23eeae24-a238-4cfc-8673-69f05420ac16": {
+ "columnOrder": [
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "columns": {
+ "02e01509-6981-4f1d-ba33-18e4336f61c1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Process Working Set",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.process_working_set.avg"
+ },
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "layerId": "23eeae24-a238-4cfc-8673-69f05420ac16",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "xAccessor": "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 15,
- "i": "4d5cd3af-24ff-4cd0-80ad-a4c7efb712b5",
+ "i": "eaa72995-e8f3-48b6-9d5e-dae6e829eb43",
"w": 24,
"x": 0,
"y": 37
},
- "panelIndex": "4d5cd3af-24ff-4cd0-80ad-a4c7efb712b5",
- "panelRefName": "panel_4d5cd3af-24ff-4cd0-80ad-a4c7efb712b5",
+ "panelIndex": "eaa72995-e8f3-48b6-9d5e-dae6e829eb43",
"title": "Process Working Set",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "23eeae24-a238-4cfc-8673-69f05420ac16": {
+ "columnOrder": [
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "columns": {
+ "02e01509-6981-4f1d-ba33-18e4336f61c1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Available memory",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.memory_available_bytes.avg"
+ },
+ "8e27eec1-e8f7-464b-b441-080b1d162bb0": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "9ea462e9-3bbe-47f9-9b14-bfaf4e632200": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ ],
+ "layerId": "23eeae24-a238-4cfc-8673-69f05420ac16",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "9ea462e9-3bbe-47f9-9b14-bfaf4e632200",
+ "xAccessor": "8e27eec1-e8f7-464b-b441-080b1d162bb0",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "02e01509-6981-4f1d-ba33-18e4336f61c1"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 15,
- "i": "ef7d4ded-899b-4aef-827f-b0f960337479",
+ "i": "dc3f7246-f3f7-4b77-9ee8-0308e1a8c4e4",
"w": 24,
"x": 24,
"y": 37
},
- "panelIndex": "ef7d4ded-899b-4aef-827f-b0f960337479",
- "panelRefName": "panel_ef7d4ded-899b-4aef-827f-b0f960337479",
+ "panelIndex": "dc3f7246-f3f7-4b77-9ee8-0308e1a8c4e4",
"title": "Available Memory",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Compute VM Guest Memory \u0026 Process Metrics Compute VM",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.4.0",
"id": "azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.4.0"
},
"references": [
{
- "id": "azure_metrics-94be5bc0-feae-11eb-8fff-87871c582eca",
- "name": "6df47ee8-074f-441f-9d2d-f423f0eccf30:panel_6df47ee8-074f-441f-9d2d-f423f0eccf30",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "7e138e70-820d-42ad-9e0d-8e6a3e136f54:indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "7e138e70-820d-42ad-9e0d-8e6a3e136f54:indexpattern-datasource-layer-938e962f-006c-4f82-81e5-f3cf38e3ff3b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "99c2cd2e-18a5-41eb-a725-cb1f998843b3:indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-5031b220-eb61-11e9-90ec-112a988266d5",
- "name": "03e2eaef-c73b-42d6-9e37-0c0eb13e1617:panel_03e2eaef-c73b-42d6-9e37-0c0eb13e1617",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "ca6f4ef8-7e5c-4630-a590-18ce33a78a3d:indexpattern-datasource-layer-e7bf0a20-33a2-4378-98f2-d99de0c55911",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-46ccce70-ff61-11eb-af1d-2505733a31f2",
- "name": "d92cc81b-bd94-4502-aa37-de44f2cada39:panel_d92cc81b-bd94-4502-aa37-de44f2cada39",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "af9b103b-35e9-45c0-9b3b-08dc9bacf330:indexpattern-datasource-layer-e7bf0a20-33a2-4378-98f2-d99de0c55911",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-707d2660-ff62-11eb-af1d-2505733a31f2",
- "name": "8d1c9102-89da-4af1-a139-0e0433778f3f:panel_8d1c9102-89da-4af1-a139-0e0433778f3f",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "2ea4838a-ea4f-4c11-945a-16d86c7d0877:indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-4c2cb860-ff5e-11eb-af1d-2505733a31f2",
- "name": "2393ec57-d9de-4f90-a628-fd1fceb39942:panel_2393ec57-d9de-4f90-a628-fd1fceb39942",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "3f1f707c-36f7-4918-814a-474eda5e497a:indexpattern-datasource-layer-e7bf0a20-33a2-4378-98f2-d99de0c55911",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-044b8940-ff5e-11eb-af1d-2505733a31f2",
- "name": "78f90428-8dff-489c-a916-d8fba60b958f:panel_78f90428-8dff-489c-a916-d8fba60b958f",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "eaa72995-e8f3-48b6-9d5e-dae6e829eb43:indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-1e9d1bb0-ff63-11eb-af1d-2505733a31f2",
- "name": "bd8c4170-3a70-4617-ac8d-61473df84c94:panel_bd8c4170-3a70-4617-ac8d-61473df84c94",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "dc3f7246-f3f7-4b77-9ee8-0308e1a8c4e4:indexpattern-datasource-layer-23eeae24-a238-4cfc-8673-69f05420ac16",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-c8a33540-ff5e-11eb-af1d-2505733a31f2",
- "name": "b46e124f-7836-4b99-9bf0-1884ae65dc39:panel_b46e124f-7836-4b99-9bf0-1884ae65dc39",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_a3cac948-1725-4a9c-a58f-b0abf3c4f3eb:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-1a61d870-ff62-11eb-af1d-2505733a31f2",
- "name": "4d5cd3af-24ff-4cd0-80ad-a4c7efb712b5:panel_4d5cd3af-24ff-4cd0-80ad-a4c7efb712b5",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_f29b5d93-bc00-4d20-9e72-9aa80d5dcbbe:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-46dd8ff0-ff64-11eb-af1d-2505733a31f2",
- "name": "ef7d4ded-899b-4aef-827f-b0f960337479:panel_ef7d4ded-899b-4aef-827f-b0f960337479",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_0eb8103d-8425-410f-afa5-6c686749b5b9:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca.json
index 17a458ef704..4b23fd98980 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca.json
@@ -1,5 +1,11 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"8a580292-80b5-46b0-bee4-d8780a00cbc2\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"Region\",\"id\":\"8a580292-80b5-46b0-bee4-d8780a00cbc2\",\"enhancements\":{}}},\"deeb5974-3f32-4cd6-933b-283f1a5da384\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"id\":\"deeb5974-3f32-4cd6-933b-283f1a5da384\",\"enhancements\":{}}},\"8ccf77b5-f2ad-4a11-8419-4d1a8fb15ea4\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.name\",\"title\":\"VM Name\",\"id\":\"8ccf77b5-f2ad-4a11-8419-4d1a8fb15ea4\",\"enhancements\":{}}}}"
+ },
"description": " Guest Linux Metrics Overview",
"hits": 0,
"kibanaSavedObjectMeta": {
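Review bot: The three `optionsListControl` entries added inside `panelsJSON` (ids `8a580292-80b5-46b0-bee4-d8780a00cbc2`, `deeb5974-3f32-4cd6-933b-283f1a5da384`, `8ccf77b5-f2ad-4a11-8419-4d1a8fb15ea4`) each appear to need a matching `controlGroup_<id>:optionsListDataView` entry in this dashboard's top-level `references` array, following the pattern the sibling dashboard earlier in this diff uses, e.g. `{ "id": "metrics-*", "name": "controlGroup_<id>:optionsListDataView", "type": "index-pattern" }`. The `references` block for this file is outside the hunk, so I cannot confirm it was updated; without those entries the controls would presumably have no data view to resolve against when the saved object is installed. Because `panelsJSON` and `ignoreParentSettingsJSON` are JSON serialized inside strings (the Kibana saved-object convention, not a defect), a control id that drifts from its `references` entry is invisible to plain JSON validation and would only surface at dashboard load time, so a quick cross-check of the three ids against `references` is worth doing before merge.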
@@ -20,266 +26,1541 @@
{
"embeddableConfig": {
"enhancements": {},
- "hidePanelTitles": false
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Azure Compute VM \n\n[Back to Overview](#/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5) | [**Guest Linux VM Metrics**](#/dashboard/azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Guest Linux Metrics Compute VM [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 9,
"i": "df6397e0-3fed-4c5f-9841-3b7f89c7e41b",
- "w": 7,
+ "w": 24,
"x": 0,
"y": 0
},
"panelIndex": "df6397e0-3fed-4c5f-9841-3b7f89c7e41b",
- "panelRefName": "panel_df6397e0-3fed-4c5f-9841-3b7f89c7e41b",
"title": "Navigation Guest Linux Metrics ",
"type": "visualization",
- "version": "7.14.0-SNAPSHOT"
- },
- {
- "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false
- },
- "gridData": {
- "h": 9,
- "i": "b7571f38-4a0f-411c-b84c-746669df468d",
- "w": 17,
- "x": 7,
- "y": 0
- },
- "panelIndex": "b7571f38-4a0f-411c-b84c-746669df468d",
- "panelRefName": "panel_b7571f38-4a0f-411c-b84c-746669df468d",
- "title": "Filters",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-760bd9e2-c8ad-45ff-a3c9-dcd978a4ad81",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "760bd9e2-c8ad-45ff-a3c9-dcd978a4ad81": {
+ "columnOrder": [
+ "b0a97ff6-213d-431b-9a71-030ef6f96ea5",
+ "af164723-c93c-481b-a345-eabc03fba644",
+ "169deb7e-b008-4af6-9b8e-9f9dda9c5c50"
+ ],
+ "columns": {
+ "169deb7e-b008-4af6-9b8e-9f9dda9c5c50": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "net/bytes received",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.net_per_bytes_recv.avg"
+ },
+ "af164723-c93c-481b-a345-eabc03fba644": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "b0a97ff6-213d-431b-9a71-030ef6f96ea5": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ },
+ "b032bfa9-557c-4826-9c6f-65fd8c1adbca": {
+ "columnOrder": [
+ "f3051120-8461-4c10-9462-9bfd410a9305",
+ "26f75266-751c-4401-8cbd-262c135184b5",
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "columns": {
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "net/bytes sent",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.net_per_bytes_sent.avg"
+ },
+ "26f75266-751c-4401-8cbd-262c135184b5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3051120-8461-4c10-9462-9bfd410a9305": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "layerId": "b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "f3051120-8461-4c10-9462-9bfd410a9305",
+ "xAccessor": "26f75266-751c-4401-8cbd-262c135184b5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ }
+ ]
+ },
+ {
+ "accessors": [
+ "169deb7e-b008-4af6-9b8e-9f9dda9c5c50"
+ ],
+ "layerId": "760bd9e2-c8ad-45ff-a3c9-dcd978a4ad81",
+ "layerType": "data",
+ "seriesType": "area",
+ "splitAccessor": "b0a97ff6-213d-431b-9a71-030ef6f96ea5",
+ "xAccessor": "af164723-c93c-481b-a345-eabc03fba644",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "169deb7e-b008-4af6-9b8e-9f9dda9c5c50"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 9,
- "i": "b82d81ce-f973-4c4a-b5a6-9a99b1f10a08",
+ "i": "2c6f3f4a-ff97-47e3-8eff-13376a4efeed",
"w": 24,
"x": 24,
"y": 0
},
- "panelIndex": "b82d81ce-f973-4c4a-b5a6-9a99b1f10a08",
- "panelRefName": "panel_b82d81ce-f973-4c4a-b5a6-9a99b1f10a08",
+ "panelIndex": "2c6f3f4a-ff97-47e3-8eff-13376a4efeed",
"title": " net/bytes sent/recv",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "b032bfa9-557c-4826-9c6f-65fd8c1adbca": {
+ "columnOrder": [
+ "f3051120-8461-4c10-9462-9bfd410a9305",
+ "26f75266-751c-4401-8cbd-262c135184b5",
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "columns": {
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "CPU Usage Active",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.cpu_per_usage_active.avg"
+ },
+ "26f75266-751c-4401-8cbd-262c135184b5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3051120-8461-4c10-9462-9bfd410a9305": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "layerId": "b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "f3051120-8461-4c10-9462-9bfd410a9305",
+ "xAccessor": "26f75266-751c-4401-8cbd-262c135184b5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 13,
- "i": "58f59040-938e-4b40-a8a6-a2c33caf037d",
+ "i": "59dd4415-6d20-4005-86a6-a841f0f82b18",
"w": 24,
"x": 0,
"y": 9
},
- "panelIndex": "58f59040-938e-4b40-a8a6-a2c33caf037d",
- "panelRefName": "panel_58f59040-938e-4b40-a8a6-a2c33caf037d",
+ "panelIndex": "59dd4415-6d20-4005-86a6-a841f0f82b18",
"title": "CPU Usage Active",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "b032bfa9-557c-4826-9c6f-65fd8c1adbca": {
+ "columnOrder": [
+ "f3051120-8461-4c10-9462-9bfd410a9305",
+ "26f75266-751c-4401-8cbd-262c135184b5",
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "columns": {
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "CPU Usage Idle",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.cpu_per_usage_idle.avg"
+ },
+ "26f75266-751c-4401-8cbd-262c135184b5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3051120-8461-4c10-9462-9bfd410a9305": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "layerId": "b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "f3051120-8461-4c10-9462-9bfd410a9305",
+ "xAccessor": "26f75266-751c-4401-8cbd-262c135184b5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 13,
- "i": "8a4be2ce-48e1-4de5-b9b5-5799375e8603",
+ "i": "6576350e-67e7-4d69-b1ab-bf567bf902f6",
"w": 24,
"x": 24,
"y": 9
},
- "panelIndex": "8a4be2ce-48e1-4de5-b9b5-5799375e8603",
- "panelRefName": "panel_8a4be2ce-48e1-4de5-b9b5-5799375e8603",
+ "panelIndex": "6576350e-67e7-4d69-b1ab-bf567bf902f6",
"title": "CPU Usage Idle",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "b032bfa9-557c-4826-9c6f-65fd8c1adbca": {
+ "columnOrder": [
+ "f3051120-8461-4c10-9462-9bfd410a9305",
+ "26f75266-751c-4401-8cbd-262c135184b5",
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "columns": {
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Memory available",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.mem_per_available.avg"
+ },
+ "26f75266-751c-4401-8cbd-262c135184b5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3051120-8461-4c10-9462-9bfd410a9305": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "layerId": "b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "f3051120-8461-4c10-9462-9bfd410a9305",
+ "xAccessor": "26f75266-751c-4401-8cbd-262c135184b5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
- "h": 13,
- "i": "7065ba6b-f72d-4099-93ba-7e79aab75ef8",
+ "h": 14,
+ "i": "41d0e8ec-d75e-4df4-83a7-e7902c2474b3",
"w": 24,
"x": 0,
"y": 22
},
- "panelIndex": "7065ba6b-f72d-4099-93ba-7e79aab75ef8",
- "panelRefName": "panel_7065ba6b-f72d-4099-93ba-7e79aab75ef8",
+ "panelIndex": "41d0e8ec-d75e-4df4-83a7-e7902c2474b3",
"title": "Memory Available",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "b032bfa9-557c-4826-9c6f-65fd8c1adbca": {
+ "columnOrder": [
+ "f3051120-8461-4c10-9462-9bfd410a9305",
+ "26f75266-751c-4401-8cbd-262c135184b5",
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "columns": {
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Memory used",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.mem_per_used.avg"
+ },
+ "26f75266-751c-4401-8cbd-262c135184b5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3051120-8461-4c10-9462-9bfd410a9305": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "layerId": "b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "f3051120-8461-4c10-9462-9bfd410a9305",
+ "xAccessor": "26f75266-751c-4401-8cbd-262c135184b5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
- "h": 13,
- "i": "bf1ba548-d4c6-4ab2-8857-ae4b4dd256d8",
+ "h": 14,
+ "i": "91d87470-2a44-4974-a333-92b59602b35e",
"w": 24,
"x": 24,
"y": 22
},
- "panelIndex": "bf1ba548-d4c6-4ab2-8857-ae4b4dd256d8",
- "panelRefName": "panel_bf1ba548-d4c6-4ab2-8857-ae4b4dd256d8",
+ "panelIndex": "91d87470-2a44-4974-a333-92b59602b35e",
"title": "Memory Used",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "b032bfa9-557c-4826-9c6f-65fd8c1adbca": {
+ "columnOrder": [
+ "f3051120-8461-4c10-9462-9bfd410a9305",
+ "26f75266-751c-4401-8cbd-262c135184b5",
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "columns": {
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Swap used",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.swap_per_used.avg"
+ },
+ "26f75266-751c-4401-8cbd-262c135184b5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3051120-8461-4c10-9462-9bfd410a9305": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "layerId": "b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "f3051120-8461-4c10-9462-9bfd410a9305",
+ "xAccessor": "26f75266-751c-4401-8cbd-262c135184b5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 14,
- "i": "1cdd4ae6-10bf-4714-adf6-bf2447e4f5fd",
+ "i": "113b78ed-2dd8-4864-a0e3-21109cd64b8a",
"w": 24,
"x": 0,
- "y": 35
+ "y": 36
},
- "panelIndex": "1cdd4ae6-10bf-4714-adf6-bf2447e4f5fd",
- "panelRefName": "panel_1cdd4ae6-10bf-4714-adf6-bf2447e4f5fd",
+ "panelIndex": "113b78ed-2dd8-4864-a0e3-21109cd64b8a",
"title": "Swap Used",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "b032bfa9-557c-4826-9c6f-65fd8c1adbca": {
+ "columnOrder": [
+ "f3051120-8461-4c10-9462-9bfd410a9305",
+ "26f75266-751c-4401-8cbd-262c135184b5",
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "columns": {
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Memory used",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.swap_per_free.avg"
+ },
+ "26f75266-751c-4401-8cbd-262c135184b5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3051120-8461-4c10-9462-9bfd410a9305": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "layerId": "b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "f3051120-8461-4c10-9462-9bfd410a9305",
+ "xAccessor": "26f75266-751c-4401-8cbd-262c135184b5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 14,
- "i": "f75069c9-88e3-4bba-92e8-8ad443f2ccb4",
+ "i": "5b49fc1b-be9f-4b2a-8692-d5e73654dad3",
"w": 24,
"x": 24,
- "y": 35
+ "y": 36
},
- "panelIndex": "f75069c9-88e3-4bba-92e8-8ad443f2ccb4",
- "panelRefName": "panel_f75069c9-88e3-4bba-92e8-8ad443f2ccb4",
+ "panelIndex": "5b49fc1b-be9f-4b2a-8692-d5e73654dad3",
"title": "Swap Free",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "b032bfa9-557c-4826-9c6f-65fd8c1adbca": {
+ "columnOrder": [
+ "f3051120-8461-4c10-9462-9bfd410a9305",
+ "26f75266-751c-4401-8cbd-262c135184b5",
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "columns": {
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Diskio Read bytes",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.diskio_per_read_bytes.avg"
+ },
+ "26f75266-751c-4401-8cbd-262c135184b5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3051120-8461-4c10-9462-9bfd410a9305": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "layerId": "b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "f3051120-8461-4c10-9462-9bfd410a9305",
+ "xAccessor": "26f75266-751c-4401-8cbd-262c135184b5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 14,
- "i": "36841927-78f4-406a-b56c-9f05ccfa3bf9",
+ "i": "269b6858-7076-45f6-aba8-f3ac92fa9fad",
"w": 24,
"x": 0,
- "y": 49
+ "y": 50
},
- "panelIndex": "36841927-78f4-406a-b56c-9f05ccfa3bf9",
- "panelRefName": "panel_36841927-78f4-406a-b56c-9f05ccfa3bf9",
+ "panelIndex": "269b6858-7076-45f6-aba8-f3ac92fa9fad",
"title": "Diskio Read Bytes",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "b032bfa9-557c-4826-9c6f-65fd8c1adbca": {
+ "columnOrder": [
+ "f3051120-8461-4c10-9462-9bfd410a9305",
+ "26f75266-751c-4401-8cbd-262c135184b5",
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "columns": {
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Memory used",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.diskio_per_write_bytes.avg"
+ },
+ "26f75266-751c-4401-8cbd-262c135184b5": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f3051120-8461-4c10-9462-9bfd410a9305": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ ],
+ "layerId": "b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "area",
+ "showGridlines": false,
+ "splitAccessor": "f3051120-8461-4c10-9462-9bfd410a9305",
+ "xAccessor": "26f75266-751c-4401-8cbd-262c135184b5",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "forAccessor": "0a3ecf93-a404-48af-bb7c-701ec62b69b6"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "area",
+ "title": "Empty XY chart",
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
"enhancements": {},
"hidePanelTitles": false
},
"gridData": {
"h": 14,
- "i": "161249d0-506f-4bc1-a351-eacde8bd7fec",
+ "i": "dfb7c4a7-8fb0-4eaf-aaa2-12235ee79282",
"w": 24,
"x": 24,
- "y": 49
+ "y": 50
},
- "panelIndex": "161249d0-506f-4bc1-a351-eacde8bd7fec",
- "panelRefName": "panel_161249d0-506f-4bc1-a351-eacde8bd7fec",
+ "panelIndex": "dfb7c4a7-8fb0-4eaf-aaa2-12235ee79282",
"title": "Diskio Write Bytes",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Compute VM Guest Linux Metrics Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.4.0",
"id": "azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.4.0"
},
"references": [
{
- "id": "azure_metrics-bcb236a0-feaf-11eb-8fff-87871c582eca",
- "name": "df6397e0-3fed-4c5f-9841-3b7f89c7e41b:panel_df6397e0-3fed-4c5f-9841-3b7f89c7e41b",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "2c6f3f4a-ff97-47e3-8eff-13376a4efeed:indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "2c6f3f4a-ff97-47e3-8eff-13376a4efeed:indexpattern-datasource-layer-760bd9e2-c8ad-45ff-a3c9-dcd978a4ad81",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "59dd4415-6d20-4005-86a6-a841f0f82b18:indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-5031b220-eb61-11e9-90ec-112a988266d5",
- "name": "b7571f38-4a0f-411c-b84c-746669df468d:panel_b7571f38-4a0f-411c-b84c-746669df468d",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "6576350e-67e7-4d69-b1ab-bf567bf902f6:indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-b5aad170-ff66-11eb-af1d-2505733a31f2",
- "name": "b82d81ce-f973-4c4a-b5a6-9a99b1f10a08:panel_b82d81ce-f973-4c4a-b5a6-9a99b1f10a08",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "41d0e8ec-d75e-4df4-83a7-e7902c2474b3:indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-45344560-ff67-11eb-af1d-2505733a31f2",
- "name": "58f59040-938e-4b40-a8a6-a2c33caf037d:panel_58f59040-938e-4b40-a8a6-a2c33caf037d",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "91d87470-2a44-4974-a333-92b59602b35e:indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-7ddc8350-ff67-11eb-af1d-2505733a31f2",
- "name": "8a4be2ce-48e1-4de5-b9b5-5799375e8603:panel_8a4be2ce-48e1-4de5-b9b5-5799375e8603",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "113b78ed-2dd8-4864-a0e3-21109cd64b8a:indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-0d24a880-ff68-11eb-af1d-2505733a31f2",
- "name": "7065ba6b-f72d-4099-93ba-7e79aab75ef8:panel_7065ba6b-f72d-4099-93ba-7e79aab75ef8",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "5b49fc1b-be9f-4b2a-8692-d5e73654dad3:indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-58baa240-ff68-11eb-af1d-2505733a31f2",
- "name": "bf1ba548-d4c6-4ab2-8857-ae4b4dd256d8:panel_bf1ba548-d4c6-4ab2-8857-ae4b4dd256d8",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "269b6858-7076-45f6-aba8-f3ac92fa9fad:indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-160e5bd0-ff6d-11eb-af1d-2505733a31f2",
- "name": "1cdd4ae6-10bf-4714-adf6-bf2447e4f5fd:panel_1cdd4ae6-10bf-4714-adf6-bf2447e4f5fd",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "dfb7c4a7-8fb0-4eaf-aaa2-12235ee79282:indexpattern-datasource-layer-b032bfa9-557c-4826-9c6f-65fd8c1adbca",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-59b69c30-ff6d-11eb-af1d-2505733a31f2",
- "name": "f75069c9-88e3-4bba-92e8-8ad443f2ccb4:panel_f75069c9-88e3-4bba-92e8-8ad443f2ccb4",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_8a580292-80b5-46b0-bee4-d8780a00cbc2:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-f4367270-ff69-11eb-af1d-2505733a31f2",
- "name": "36841927-78f4-406a-b56c-9f05ccfa3bf9:panel_36841927-78f4-406a-b56c-9f05ccfa3bf9",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_deeb5974-3f32-4cd6-933b-283f1a5da384:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-4fa6b100-ff6b-11eb-af1d-2505733a31f2",
- "name": "161249d0-506f-4bc1-a351-eacde8bd7fec:panel_161249d0-506f-4bc1-a351-eacde8bd7fec",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_8ccf77b5-f2ad-4a11-8419-4d1a8fb15ea4:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38.json
index a69b1e0e5f6..835183c17ea 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38.json
@@ -1,5 +1,11 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"86dd2752-09d1-4688-879b-80a081fcaf17\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"id\":\"86dd2752-09d1-4688-879b-80a081fcaf17\",\"enhancements\":{}}},\"b38c448d-a50d-4298-a673-bbf7aff4e948\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"singleSelect\":true,\"id\":\"b38c448d-a50d-4298-a673-bbf7aff4e948\",\"enhancements\":{}}},\"5f67629e-dd36-4154-8a6f-003df1c08474\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.name\",\"title\":\"Resource\",\"singleSelect\":true,\"id\":\"5f67629e-dd36-4154-8a6f-003df1c08474\",\"enhancements\":{}}}}"
+ },
"description": "This dashboard shows metrics for the container service in Azure.",
"hits": 0,
"kibanaSavedObjectMeta": {
@@ -18,167 +24,1032 @@
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {}
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Azure Containers\n\n[Instances](#/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38) |\n[Registries](#/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2) |\n[**Services**](#/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Container Service Overview [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 5,
"i": "32b4e6e2-bf3f-4c4a-8fdb-925f21f9d22b",
- "w": 9,
+ "w": 48,
"x": 0,
"y": 0
},
"panelIndex": "32b4e6e2-bf3f-4c4a-8fdb-925f21f9d22b",
- "panelRefName": "panel_32b4e6e2-bf3f-4c4a-8fdb-925f21f9d22b",
"type": "visualization",
- "version": "7.6.0"
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-69bd04bd-3fd9-4664-a868-60a064a5cb5a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "69bd04bd-3fd9-4664-a868-60a064a5cb5a": {
+ "columnOrder": [
+ "52fad886-ec57-45a0-a2c7-576392f1c640",
+ "b62a95f0-ba65-41cb-95d7-aff57217a255",
+ "d7d96aa2-65e3-445a-b385-0d2135148245"
+ ],
+ "columns": {
+ "52fad886-ec57-45a0-a2c7-576392f1c640": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "b62a95f0-ba65-41cb-95d7-aff57217a255": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "d7d96aa2-65e3-445a-b385-0d2135148245": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Container Service Kube Node Status Allocatable Memory Bytes",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_service.kube_node_status_allocatable_memory_bytes.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.ContainerService/managedClusters\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "d7d96aa2-65e3-445a-b385-0d2135148245"
+ ],
+ "layerId": "69bd04bd-3fd9-4664-a868-60a064a5cb5a",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "b62a95f0-ba65-41cb-95d7-aff57217a255",
+ "xAccessor": "52fad886-ec57-45a0-a2c7-576392f1c640",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(176,188,0,1)",
+ "forAccessor": "d7d96aa2-65e3-445a-b385-0d2135148245"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 17,
"i": "c35d3d89-2f34-43a0-b346-85ba0e7c9e89",
- "w": 18,
- "x": 9,
- "y": 0
+ "w": 24,
+ "x": 0,
+ "y": 5
},
"panelIndex": "c35d3d89-2f34-43a0-b346-85ba0e7c9e89",
- "panelRefName": "panel_c35d3d89-2f34-43a0-b346-85ba0e7c9e89",
"title": "Container Service Kube Node Status Allocatable Memory",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7f40a742-367e-4df3-8d53-a2f2c9324c3e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "7f40a742-367e-4df3-8d53-a2f2c9324c3e": {
+ "columnOrder": [
+ "3848dabd-d669-470c-b379-57e0788b63ad",
+ "40cf282e-df15-4273-9455-4e5cf822f493",
+ "4685825e-fd59-46d0-bd52-d8d1fe94a9b9"
+ ],
+ "columns": {
+ "3848dabd-d669-470c-b379-57e0788b63ad": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "40cf282e-df15-4273-9455-4e5cf822f493": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "4685825e-fd59-46d0-bd52-d8d1fe94a9b9": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Container Service Kube Node Status Allocatable CPU Cores",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_service.kube_node_status_allocatable_cpu_cores.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.ContainerService/managedClusters\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "4685825e-fd59-46d0-bd52-d8d1fe94a9b9"
+ ],
+ "layerId": "7f40a742-367e-4df3-8d53-a2f2c9324c3e",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "3848dabd-d669-470c-b379-57e0788b63ad",
+ "xAccessor": "40cf282e-df15-4273-9455-4e5cf822f493",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(196,81,0,1)",
+ "forAccessor": "4685825e-fd59-46d0-bd52-d8d1fe94a9b9"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 17,
"i": "e1952edf-ed31-49ee-8db1-24370998ab89",
- "w": 21,
- "x": 27,
- "y": 0
+ "w": 24,
+ "x": 24,
+ "y": 5
},
"panelIndex": "e1952edf-ed31-49ee-8db1-24370998ab89",
- "panelRefName": "panel_e1952edf-ed31-49ee-8db1-24370998ab89",
"title": "Container Service Kube Node Status Allocatable CPU Cores",
- "type": "visualization",
- "version": "7.6.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 12,
- "i": "ec183a66-545b-4a67-bfb4-568def660612",
- "w": 9,
- "x": 0,
- "y": 5
- },
- "panelIndex": "ec183a66-545b-4a67-bfb4-568def660612",
- "panelRefName": "panel_ec183a66-545b-4a67-bfb4-568def660612",
- "title": "Container Filters",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-8268302f-e1ba-4e07-ab78-4b566a7e2f70",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "8268302f-e1ba-4e07-ab78-4b566a7e2f70": {
+ "columnOrder": [
+ "3807ea54-febf-4899-b59e-a6ae10ec8216",
+ "ccbbed49-224f-472f-a4f5-2ab5ca2137d6",
+ "a8f5ceb6-831c-4e7d-b266-6ab77c27d1bd"
+ ],
+ "columns": {
+ "3807ea54-febf-4899-b59e-a6ae10ec8216": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.pod",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.pod"
+ },
+ "a8f5ceb6-831c-4e7d-b266-6ab77c27d1bd": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Container Service Kube Pod Status Phase",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_service.kube_pod_status_phase.avg"
+ },
+ "ccbbed49-224f-472f-a4f5-2ab5ca2137d6": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.ContainerService/managedClusters\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "a8f5ceb6-831c-4e7d-b266-6ab77c27d1bd"
+ ],
+ "layerId": "8268302f-e1ba-4e07-ab78-4b566a7e2f70",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "3807ea54-febf-4899-b59e-a6ae10ec8216",
+ "xAccessor": "ccbbed49-224f-472f-a4f5-2ab5ca2137d6",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(240,213,175,1)",
+ "forAccessor": "a8f5ceb6-831c-4e7d-b266-6ab77c27d1bd"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "ada37452-619f-470a-b9cd-bafa20e7d7b1",
"w": 24,
"x": 0,
- "y": 17
+ "y": 22
},
"panelIndex": "ada37452-619f-470a-b9cd-bafa20e7d7b1",
- "panelRefName": "panel_ada37452-619f-470a-b9cd-bafa20e7d7b1",
"title": "Container Service Kube Pod Status Phase",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-d9594890-7ab7-4d9a-8234-e2c8f1655947",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "d9594890-7ab7-4d9a-8234-e2c8f1655947": {
+ "columnOrder": [
+ "e8cf1299-021f-40df-a995-3115fa9e5514",
+ "e38b53cb-2c25-4be2-af24-0d47927066a6",
+ "ffd873dd-2003-48c6-9be7-156f497496f9"
+ ],
+ "columns": {
+ "e38b53cb-2c25-4be2-af24-0d47927066a6": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "e8cf1299-021f-40df-a995-3115fa9e5514": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.pod",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.pod"
+ },
+ "ffd873dd-2003-48c6-9be7-156f497496f9": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average of azure.container_service.kube_pod_status_ready.avg",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_service.kube_pod_status_ready.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.ContainerService/managedClusters\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "ffd873dd-2003-48c6-9be7-156f497496f9"
+ ],
+ "layerId": "d9594890-7ab7-4d9a-8234-e2c8f1655947",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "e8cf1299-021f-40df-a995-3115fa9e5514",
+ "xAccessor": "e38b53cb-2c25-4be2-af24-0d47927066a6",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(200,205,124,1)",
+ "forAccessor": "ffd873dd-2003-48c6-9be7-156f497496f9"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "c8d3ed1a-6e72-4115-9a69-db1919a36fc4",
"w": 24,
"x": 24,
- "y": 17
+ "y": 22
},
"panelIndex": "c8d3ed1a-6e72-4115-9a69-db1919a36fc4",
- "panelRefName": "panel_c8d3ed1a-6e72-4115-9a69-db1919a36fc4",
"title": "Container Service Kube Pod Status Ready",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-b6bbccbe-23e8-4204-b8b0-7e40c8363d6a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "b6bbccbe-23e8-4204-b8b0-7e40c8363d6a": {
+ "columnOrder": [
+ "b39fcfe5-b01a-4a59-acf1-e9ddb85d7fb2",
+ "73ba5f61-46b6-470a-8917-c3e3aeeedf99",
+ "0d21fd08-6990-4730-8784-568f4a661b81"
+ ],
+ "columns": {
+ "0d21fd08-6990-4730-8784-568f4a661b81": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Average of azure.container_service.kube_node_status_condition.avg",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.container_service.kube_node_status_condition.avg"
+ },
+ "73ba5f61-46b6-470a-8917-c3e3aeeedf99": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "azure.dimensions.node: Descending",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0d21fd08-6990-4730-8784-568f4a661b81",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.node"
+ },
+ "b39fcfe5-b01a-4a59-acf1-e9ddb85d7fb2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "filters",
+ "operationType": "filters",
+ "params": {
+ "filters": [
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"Ready\" and azure.dimensions.status : \"true\" "
+ },
+ "label": "Ready \"true\""
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"Ready\" and azure.dimensions.status : \"false\" "
+ },
+ "label": "Ready \"false\""
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"NetworkUnavailable\" and azure.dimensions.status : \"true\" "
+ },
+ "label": "Network Unavailable \"true\""
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"NetworkUnavailable\" and azure.dimensions.status : \"false\" "
+ },
+ "label": "NetworkUnavailable \"false\""
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"OutOfDisk\" and azure.dimensions.status : \"false\" "
+ },
+ "label": "OutOfDisk \"false\""
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"OutOfDisk\" and azure.dimensions.status : \"true\" "
+ },
+ "label": "OutOfDisk \"true\""
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"MemoryPressure\" and azure.dimensions.status : \"true\" "
+ },
+ "label": "MemoryPressure \"true\""
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"MemoryPressure\" and azure.dimensions.status : \"false\" "
+ },
+ "label": "MemoryPressure \"false\""
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"DiskPressure\" and azure.dimensions.status : \"false\" "
+ },
+ "label": "DiskPressure \"false\""
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "azure.dimensions.condition : \"DiskPressure\" and azure.dimensions.status : \"true\" "
+ },
+ "label": "DiskPressure \"true\""
+ }
+ ]
+ },
+ "scale": "ordinal"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "gridConfig": {
+ "isCellLabelVisible": false,
+ "isXAxisLabelVisible": true,
+ "isXAxisTitleVisible": true,
+ "isYAxisLabelVisible": true,
+ "isYAxisTitleVisible": false,
+ "type": "heatmap_grid",
+ "yTitle": ""
+ },
+ "layerId": "b6bbccbe-23e8-4204-b8b0-7e40c8363d6a",
+ "layerType": "data",
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "type": "heatmap_legend"
+ },
+ "palette": {
+ "accessor": "0d21fd08-6990-4730-8784-568f4a661b81",
+ "name": "custom",
+ "params": {
+ "colorStops": [
+ {
+ "color": "#A50026",
+ "stop": 0
+ },
+ {
+ "color": "#F36D43",
+ "stop": 20
+ },
+ {
+ "color": "#FEDF8B",
+ "stop": 40
+ },
+ {
+ "color": "#D8EF8C",
+ "stop": 60
+ },
+ {
+ "color": "#65BC62",
+ "stop": 80
+ }
+ ],
+ "continuity": "none",
+ "name": "custom",
+ "rangeMax": 100,
+ "rangeMin": 0,
+ "steps": 5,
+ "stops": [
+ {
+ "color": "#A50026",
+ "stop": 20
+ },
+ {
+ "color": "#F36D43",
+ "stop": 40
+ },
+ {
+ "color": "#FEDF8B",
+ "stop": 60
+ },
+ {
+ "color": "#D8EF8C",
+ "stop": 80
+ },
+ {
+ "color": "#65BC62",
+ "stop": 100
+ }
+ ]
+ },
+ "type": "palette"
+ },
+ "shape": "heatmap",
+ "title": "Empty Heatmap chart",
+ "valueAccessor": "0d21fd08-6990-4730-8784-568f4a661b81",
+ "xAccessor": "b39fcfe5-b01a-4a59-acf1-e9ddb85d7fb2",
+ "yAccessor": "73ba5f61-46b6-470a-8917-c3e3aeeedf99"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsHeatmap"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
- "i": "707fb714-99af-4484-a56e-bfecdf592c58",
+ "i": "02550033-51ea-4075-92ae-9ca33ea71e39",
"w": 48,
"x": 0,
- "y": 32
+ "y": 37
},
- "panelIndex": "707fb714-99af-4484-a56e-bfecdf592c58",
- "panelRefName": "panel_707fb714-99af-4484-a56e-bfecdf592c58",
+ "panelIndex": "02550033-51ea-4075-92ae-9ca33ea71e39",
"title": "Container Service Kube Node Status Condition",
- "type": "visualization",
- "version": "7.6.0"
+ "type": "lens",
+ "version": "8.4.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Container Service Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.4.0",
"id": "azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.4.0"
},
"references": [
{
- "id": "azure_metrics-3630b9a0-6d22-11ea-8fe8-71add5fd7c38",
- "name": "32b4e6e2-bf3f-4c4a-8fdb-925f21f9d22b:panel_32b4e6e2-bf3f-4c4a-8fdb-925f21f9d22b",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "c35d3d89-2f34-43a0-b346-85ba0e7c9e89:indexpattern-datasource-layer-69bd04bd-3fd9-4664-a868-60a064a5cb5a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e1952edf-ed31-49ee-8db1-24370998ab89:indexpattern-datasource-layer-7f40a742-367e-4df3-8d53-a2f2c9324c3e",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-eda368d0-6d1d-11ea-8fe8-71add5fd7c38",
- "name": "c35d3d89-2f34-43a0-b346-85ba0e7c9e89:panel_c35d3d89-2f34-43a0-b346-85ba0e7c9e89",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "ada37452-619f-470a-b9cd-bafa20e7d7b1:indexpattern-datasource-layer-8268302f-e1ba-4e07-ab78-4b566a7e2f70",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-6e2d9930-6d1e-11ea-8fe8-71add5fd7c38",
- "name": "e1952edf-ed31-49ee-8db1-24370998ab89:panel_e1952edf-ed31-49ee-8db1-24370998ab89",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "c8d3ed1a-6e72-4115-9a69-db1919a36fc4:indexpattern-datasource-layer-d9594890-7ab7-4d9a-8234-e2c8f1655947",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-0fa31060-6aae-11ea-af5c-73e8f396b3e9",
- "name": "ec183a66-545b-4a67-bfb4-568def660612:panel_ec183a66-545b-4a67-bfb4-568def660612",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "02550033-51ea-4075-92ae-9ca33ea71e39:indexpattern-datasource-layer-b6bbccbe-23e8-4204-b8b0-7e40c8363d6a",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-bda7b580-6d1f-11ea-8fe8-71add5fd7c38",
- "name": "ada37452-619f-470a-b9cd-bafa20e7d7b1:panel_ada37452-619f-470a-b9cd-bafa20e7d7b1",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_86dd2752-09d1-4688-879b-80a081fcaf17:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-c19586f0-6d1e-11ea-8fe8-71add5fd7c38",
- "name": "c8d3ed1a-6e72-4115-9a69-db1919a36fc4:panel_c8d3ed1a-6e72-4115-9a69-db1919a36fc4",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_b38c448d-a50d-4298-a673-bbf7aff4e948:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-e79211c0-6d37-11ea-8fe8-71add5fd7c38",
- "name": "707fb714-99af-4484-a56e-bfecdf592c58:panel_707fb714-99af-4484-a56e-bfecdf592c58",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_5f67629e-dd36-4154-8a6f-003df1c08474:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
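Review bot: The Kube Node Status Condition heatmap (panelIndex 02550033-…) is the only lens panel in this hunk with an empty query (`"query": ""`) while the other five panels carry `azure.resource.type : \"Microsoft.ContainerService/managedClusters\"`; unless the `azure.dimensions.condition`/`status`/`node` fields are guaranteed to be emitted only for that resource type, the heatmap can pick up other resources once the Resource control is widened, so I'd add the same KQL there. The same panel still ships the editor placeholder `"title": "Empty Heatmap chart"` in its lens state (masked by the panel title, but worth clearing) and its filter labels are inconsistent — `"Network Unavailable \"true\""` next to `"NetworkUnavailable \"false\""`. Minor: three of the line charts declare `"preferredSeriesType": "bar_stacked"` while their layer `seriesType` is `"line"`; that only steers the editor's default, but it reads as a leftover from the conversion and the Allocatable Memory panel already uses `"line"` for both.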
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc.json
index 5ff08ae6db5..aa4a43f0884 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc.json
@@ -1,7 +1,12 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"c7829894-f20c-4b19-ad2d-3a612701abc9\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"c7829894-f20c-4b19-ad2d-3a612701abc9\",\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"enhancements\":{}}},\"95194504-becb-41f2-bd07-37297fd2fef6\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"95194504-becb-41f2-bd07-37297fd2fef6\",\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"enhancements\":{}}},\"d8a53398-5fc3-428e-9182-12bda0d851de\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d8a53398-5fc3-428e-9182-12bda0d851de\",\"fieldName\":\"azure.resource.name\",\"title\":\"Resource Name\",\"enhancements\":{}}}}"
+ },
"description": "This dashboard shows metrics for file storage type in Azure.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
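Review bot: The Resource Group and Resource Name controls in `panelsJSON` omit `singleSelect` (so presumably default to multi-select), whereas the Container Service dashboard earlier in this diff sets `\"singleSelect\":true` on all three controls; if the file-storage panels are meant to show one resource at a time this should match, e.g. add `\"singleSelect\":true` to the `95194504-…` and `d8a53398-…` explicitInput blocks. The hunk also drops `"hits": 0`, which the sibling dashboard keeps — harmless, but the two exports should be normalized in one direction so later diffs stay small.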
@@ -35,232 +40,1846 @@
},
"optionsJSON": {
"hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [**File**](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation File Storage Overview [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 5,
"i": "ee131d2d-7ab5-4434-9e3b-230759c3e5ff",
- "w": 9,
+ "w": 48,
"x": 0,
"y": 0
},
"panelIndex": "ee131d2d-7ab5-4434-9e3b-230759c3e5ff",
- "panelRefName": "panel_ee131d2d-7ab5-4434-9e3b-230759c3e5ff",
"type": "visualization",
- "version": "7.7.0"
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "663f068d-e20e-4707-8a8e-749b694027f0": {
+ "columnOrder": [
+ "84db5c1c-ec68-45ed-a47e-28cffd3de24a",
+ "12c42888-d32f-44da-a61d-84c1f18bdeefX0",
+ "12c42888-d32f-44da-a61d-84c1f18bdeefX1",
+ "12c42888-d32f-44da-a61d-84c1f18bdeef"
+ ],
+ "columns": {
+ "12c42888-d32f-44da-a61d-84c1f18bdeef": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.file_capacity.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.file_capacity.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "12c42888-d32f-44da-a61d-84c1f18bdeefX1"
+ ],
+ "scale": "ratio"
+ },
+ "12c42888-d32f-44da-a61d-84c1f18bdeefX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_capacity.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_capacity.avg"
+ },
+ "12c42888-d32f-44da-a61d-84c1f18bdeefX1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_capacity.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "12c42888-d32f-44da-a61d-84c1f18bdeefX0"
+ ],
+ "scale": "ratio"
+ },
+ "84db5c1c-ec68-45ed-a47e-28cffd3de24a": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "File Capacity",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_capacity.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-663f068d-e20e-4707-8a8e-749b694027f0",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#FCC400",
+ "layerId": "663f068d-e20e-4707-8a8e-749b694027f0",
+ "layerType": "data",
+ "maxAccessor": "12c42888-d32f-44da-a61d-84c1f18bdeef",
+ "metricAccessor": "84db5c1c-ec68-45ed-a47e-28cffd3de24a"
+ }
+ },
+ "title": "Storage File Capacity [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
- "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
+ "i": "b24e3e0d-a748-4bb9-ad71-e0de392e2696",
"w": 5,
- "x": 9,
- "y": 0
+ "x": 0,
+ "y": 5
},
- "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "panelRefName": "panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "title": "Availability",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "b24e3e0d-a748-4bb9-ad71-e0de392e2696",
+ "title": "Storage File Capacity [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "755bcc63-9b76-40e2-ae5d-0080d083461c": {
+ "columnOrder": [
+ "23858a4e-1e42-4904-83a2-ed6e49295ba2",
+ "9f5ac963-172f-4634-9a08-251dffc2537dX0",
+ "9f5ac963-172f-4634-9a08-251dffc2537dX1",
+ "9f5ac963-172f-4634-9a08-251dffc2537d"
+ ],
+ "columns": {
+ "23858a4e-1e42-4904-83a2-ed6e49295ba2": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "File Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_count.avg"
+ },
+ "9f5ac963-172f-4634-9a08-251dffc2537d": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.file_count.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.file_count.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "9f5ac963-172f-4634-9a08-251dffc2537dX1"
+ ],
+ "scale": "ratio"
+ },
+ "9f5ac963-172f-4634-9a08-251dffc2537dX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_count.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_count.avg"
+ },
+ "9f5ac963-172f-4634-9a08-251dffc2537dX1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_count.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "9f5ac963-172f-4634-9a08-251dffc2537dX0"
+ ],
+ "scale": "ratio"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-755bcc63-9b76-40e2-ae5d-0080d083461c",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#A4DD00",
+ "layerId": "755bcc63-9b76-40e2-ae5d-0080d083461c",
+ "layerType": "data",
+ "maxAccessor": "9f5ac963-172f-4634-9a08-251dffc2537d",
+ "metricAccessor": "23858a4e-1e42-4904-83a2-ed6e49295ba2"
+ }
+ },
+ "title": "Storage File Count [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
- "i": "b24e3e0d-a748-4bb9-ad71-e0de392e2696",
+ "i": "8131dfcd-2c52-4641-8259-2f4f2e7558d0",
"w": 5,
- "x": 14,
- "y": 0
+ "x": 5,
+ "y": 5
},
- "panelIndex": "b24e3e0d-a748-4bb9-ad71-e0de392e2696",
- "panelRefName": "panel_b24e3e0d-a748-4bb9-ad71-e0de392e2696",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "8131dfcd-2c52-4641-8259-2f4f2e7558d0",
+ "title": "Storage File Count [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "c35f1e39-72c5-4288-b72e-80b53abee398": {
+ "columnOrder": [
+ "22f058a6-1825-4063-8158-d90762047b37",
+ "062f829c-7c18-40ba-8284-fd5a58c25a8aX0",
+ "062f829c-7c18-40ba-8284-fd5a58c25a8aX1",
+ "062f829c-7c18-40ba-8284-fd5a58c25a8a"
+ ],
+ "columns": {
+ "062f829c-7c18-40ba-8284-fd5a58c25a8a": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.file_share_count.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.file_share_count.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "062f829c-7c18-40ba-8284-fd5a58c25a8aX1"
+ ],
+ "scale": "ratio"
+ },
+ "062f829c-7c18-40ba-8284-fd5a58c25a8aX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_share_count.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_share_count.avg"
+ },
+ "062f829c-7c18-40ba-8284-fd5a58c25a8aX1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_share_count.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "062f829c-7c18-40ba-8284-fd5a58c25a8aX0"
+ ],
+ "scale": "ratio"
+ },
+ "22f058a6-1825-4063-8158-d90762047b37": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "File Share Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_share_count.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-c35f1e39-72c5-4288-b72e-80b53abee398",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#A4DD00",
+ "layerId": "c35f1e39-72c5-4288-b72e-80b53abee398",
+ "layerType": "data",
+ "maxAccessor": "062f829c-7c18-40ba-8284-fd5a58c25a8a",
+ "metricAccessor": "22f058a6-1825-4063-8158-d90762047b37"
+ }
+ },
+ "title": "Storage File Share Count [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
- "i": "8131dfcd-2c52-4641-8259-2f4f2e7558d0",
+ "i": "49233089-be1d-4cda-9ccf-2815152e1016",
"w": 5,
- "x": 19,
- "y": 0
+ "x": 10,
+ "y": 5
},
- "panelIndex": "8131dfcd-2c52-4641-8259-2f4f2e7558d0",
- "panelRefName": "panel_8131dfcd-2c52-4641-8259-2f4f2e7558d0",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "49233089-be1d-4cda-9ccf-2815152e1016",
+ "title": "Storage File Share Count [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b8cd849b-ef0d-492a-88b8-70d5f5b654ce": {
+ "columnOrder": [
+ "eb4b9d4f-0ea2-42cf-9641-65ff9f2c5335",
+ "a7b1928f-ce2c-43ff-b945-a6b419d9b760"
+ ],
+ "columns": {
+ "a7b1928f-ce2c-43ff-b945-a6b419d9b760": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Availability",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " %"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.availability.avg"
+ },
+ "eb4b9d4f-0ea2-42cf-9641-65ff9f2c5335": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-b8cd849b-ef0d-492a-88b8-70d5f5b654ce",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.6,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "a7b1928f-ce2c-43ff-b945-a6b419d9b760"
+ ],
+ "layerId": "b8cd849b-ef0d-492a-88b8-70d5f5b654ce",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "xAccessor": "eb4b9d4f-0ea2-42cf-9641-65ff9f2c5335",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(22,165,165,1)",
+ "forAccessor": "a7b1928f-ce2c-43ff-b945-a6b419d9b760"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Availability [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
- "i": "49233089-be1d-4cda-9ccf-2815152e1016",
- "w": 5,
- "x": 24,
- "y": 0
+ "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
+ "w": 14,
+ "x": 15,
+ "y": 5
},
- "panelIndex": "49233089-be1d-4cda-9ccf-2815152e1016",
- "panelRefName": "panel_49233089-be1d-4cda-9ccf-2815152e1016",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
+ "title": "Availability",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e20a4093-e091-482f-ba02-7433fa318536": {
+ "columnOrder": [
+ "99d6d2f9-fd90-4283-a041-f197eeebaaad",
+ "5f30c9f9-723a-493b-90b2-6b73114680cb",
+ "cf40e3fc-c7d5-4e5c-9440-26f87c96afd3"
+ ],
+ "columns": {
+ "5f30c9f9-723a-493b-90b2-6b73114680cb": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.response_type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cf40e3fc-c7d5-4e5c-9440-26f87c96afd3",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.response_type"
+ },
+ "99d6d2f9-fd90-4283-a041-f197eeebaaad": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "cf40e3fc-c7d5-4e5c-9440-26f87c96afd3": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "avg(azure.storage_account.transactions.total)",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.transactions.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-e20a4093-e091-482f-ba02-7433fa318536",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "cf40e3fc-c7d5-4e5c-9440-26f87c96afd3"
+ ],
+ "layerId": "e20a4093-e091-482f-ba02-7433fa318536",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "5f30c9f9-723a-493b-90b2-6b73114680cb",
+ "xAccessor": "99d6d2f9-fd90-4283-a041-f197eeebaaad",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "cf40e3fc-c7d5-4e5c-9440-26f87c96afd3"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Transactions [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "1d623c03-4d02-4a81-b91e-49e82e112016",
"w": 19,
"x": 29,
- "y": 0
+ "y": 5
},
"panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016",
- "panelRefName": "panel_1d623c03-4d02-4a81-b91e-49e82e112016",
"title": "Transactions",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0af83a0b-7495-43ef-b775-3947b43ae3d2": {
+ "columnOrder": [
+ "a9cc5858-41b5-4dc6-a06f-8a2c20f56190",
+ "9d4a0ed0-f231-4462-a164-0babab6e282bX0",
+ "9d4a0ed0-f231-4462-a164-0babab6e282bX1",
+ "9d4a0ed0-f231-4462-a164-0babab6e282b"
+ ],
+ "columns": {
+ "9d4a0ed0-f231-4462-a164-0babab6e282b": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.file_share_snapshot_count.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.file_share_snapshot_count.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "9d4a0ed0-f231-4462-a164-0babab6e282bX1"
+ ],
+ "scale": "ratio"
+ },
+ "9d4a0ed0-f231-4462-a164-0babab6e282bX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_share_snapshot_count.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_share_snapshot_count.avg"
+ },
+ "9d4a0ed0-f231-4462-a164-0babab6e282bX1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_share_snapshot_count.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "9d4a0ed0-f231-4462-a164-0babab6e282bX0"
+ ],
+ "scale": "ratio"
+ },
+ "a9cc5858-41b5-4dc6-a06f-8a2c20f56190": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "File Share Snapshot Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_share_snapshot_count.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-0af83a0b-7495-43ef-b775-3947b43ae3d2",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#0062B1",
+ "layerId": "0af83a0b-7495-43ef-b775-3947b43ae3d2",
+ "layerType": "data",
+ "maxAccessor": "9d4a0ed0-f231-4462-a164-0babab6e282b",
+ "metricAccessor": "a9cc5858-41b5-4dc6-a06f-8a2c20f56190"
+ }
+ },
+ "title": "Storage File Share Snapshot Count [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 15,
- "i": "ff6441f8-d66d-4399-bae5-25d3d861b299",
+ "h": 8,
+ "i": "2d5c6c0f-f4d2-44fb-b7e5-1a855b75e40f",
"w": 9,
"x": 0,
- "y": 5
+ "y": 14
},
- "panelIndex": "ff6441f8-d66d-4399-bae5-25d3d861b299",
- "panelRefName": "panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "2d5c6c0f-f4d2-44fb-b7e5-1a855b75e40f",
+ "title": "Storage File Share Snapshot Count [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "4e6e46e0-0574-442a-90ad-8f4da25050a8": {
+ "columnOrder": [
+ "b2d735cd-4039-429b-b7c7-eb3d90db3b20",
+ "bb9ea912-54a1-4623-8764-5aa15ec3e04c",
+ "05ccf6a0-2c96-4739-9d44-605c279562f4"
+ ],
+ "columns": {
+ "05ccf6a0-2c96-4739-9d44-605c279562f4": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "SuccessServerLatency (ms)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.success_server_latency.avg"
+ },
+ "b2d735cd-4039-429b-b7c7-eb3d90db3b20": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "05ccf6a0-2c96-4739-9d44-605c279562f4",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "bb9ea912-54a1-4623-8764-5aa15ec3e04c": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-4e6e46e0-0574-442a-90ad-8f4da25050a8",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "05ccf6a0-2c96-4739-9d44-605c279562f4"
+ ],
+ "layerId": "4e6e46e0-0574-442a-90ad-8f4da25050a8",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "b2d735cd-4039-429b-b7c7-eb3d90db3b20",
+ "xAccessor": "bb9ea912-54a1-4623-8764-5aa15ec3e04c",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "05ccf6a0-2c96-4739-9d44-605c279562f4"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Success Server Latency [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "87066244-7840-4555-9d12-026d64977f1a",
"w": 20,
"x": 9,
- "y": 9
+ "y": 14
},
"panelIndex": "87066244-7840-4555-9d12-026d64977f1a",
- "panelRefName": "panel_87066244-7840-4555-9d12-026d64977f1a",
"title": "Success Server Latency",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "cafb9be2-3e64-4c88-9890-c6df9bdb8785": {
+ "columnOrder": [
+ "794cf5e2-d317-4f30-a975-e4ca760b7dbc",
+ "74ae4067-b47d-49c0-a9f7-7d9eca1a0961",
+ "8376a8a7-8690-48eb-9db1-adec8860c89a"
+ ],
+ "columns": {
+ "74ae4067-b47d-49c0-a9f7-7d9eca1a0961": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "794cf5e2-d317-4f30-a975-e4ca760b7dbc": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8376a8a7-8690-48eb-9db1-adec8860c89a",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "8376a8a7-8690-48eb-9db1-adec8860c89a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Success E2E Latency (ms)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.success_e2elatency.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-cafb9be2-3e64-4c88-9890-c6df9bdb8785",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "8376a8a7-8690-48eb-9db1-adec8860c89a"
+ ],
+ "layerId": "cafb9be2-3e64-4c88-9890-c6df9bdb8785",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "794cf5e2-d317-4f30-a975-e4ca760b7dbc",
+ "xAccessor": "74ae4067-b47d-49c0-a9f7-7d9eca1a0961",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "8376a8a7-8690-48eb-9db1-adec8860c89a"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Success E2E Latency [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "756da375-e6a2-4668-af43-0cd294878254",
"w": 19,
"x": 29,
- "y": 9
+ "y": 14
},
"panelIndex": "756da375-e6a2-4668-af43-0cd294878254",
- "panelRefName": "panel_756da375-e6a2-4668-af43-0cd294878254",
"title": "Success E2E Latency",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d0d4f08e-f81f-4ef5-b7de-fa476c0e719e": {
+ "columnOrder": [
+ "19e57c7d-acf6-4e08-b599-0269fa62707f",
+ "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3X0",
+ "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3X1",
+ "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3"
+ ],
+ "columns": {
+ "19e57c7d-acf6-4e08-b599-0269fa62707f": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "File Share Snapshot Size",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_share_snapshot_size.avg"
+ },
+ "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.file_share_snapshot_size.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.file_share_snapshot_size.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3X1"
+ ],
+ "scale": "ratio"
+ },
+ "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_share_snapshot_size.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.file_share_snapshot_size.avg"
+ },
+ "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.file_share_snapshot_size.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3X0"
+ ],
+ "scale": "ratio"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-d0d4f08e-f81f-4ef5-b7de-fa476c0e719e",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#0062B1",
+ "layerId": "d0d4f08e-f81f-4ef5-b7de-fa476c0e719e",
+ "layerType": "data",
+ "maxAccessor": "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3",
+ "metricAccessor": "19e57c7d-acf6-4e08-b599-0269fa62707f"
+ }
+ },
+ "title": "Storage File Share Snapshot Size [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 8,
- "i": "2d5c6c0f-f4d2-44fb-b7e5-1a855b75e40f",
- "w": 4,
+ "h": 7,
+ "i": "c6792441-37b6-4ef4-ad8b-21f137b2f0b4",
+ "w": 9,
"x": 0,
- "y": 20
+ "y": 22
},
- "panelIndex": "2d5c6c0f-f4d2-44fb-b7e5-1a855b75e40f",
- "panelRefName": "panel_2d5c6c0f-f4d2-44fb-b7e5-1a855b75e40f",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "c6792441-37b6-4ef4-ad8b-21f137b2f0b4",
+ "title": "Storage File Share Snapshot Size [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "93a05ec0-0f19-4812-93be-6f7dd9dcf90f": {
+ "columnOrder": [
+ "a60341c7-5528-441d-8703-c21b368b46ab",
+ "ab446534-5509-411d-9354-db0fbfde7394",
+ "e4afa96f-9ac7-4e50-904f-bec27d4c0d24"
+ ],
+ "columns": {
+ "a60341c7-5528-441d-8703-c21b368b46ab": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "e4afa96f-9ac7-4e50-904f-bec27d4c0d24",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "ab446534-5509-411d-9354-db0fbfde7394": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "e4afa96f-9ac7-4e50-904f-bec27d4c0d24": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Ingress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.ingress.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-93a05ec0-0f19-4812-93be-6f7dd9dcf90f",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "e4afa96f-9ac7-4e50-904f-bec27d4c0d24"
+ ],
+ "layerId": "93a05ec0-0f19-4812-93be-6f7dd9dcf90f",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "a60341c7-5528-441d-8703-c21b368b46ab",
+ "xAccessor": "ab446534-5509-411d-9354-db0fbfde7394",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,188,0,1)",
+ "forAccessor": "e4afa96f-9ac7-4e50-904f-bec27d4c0d24"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Account Ingress Traffic [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 8,
- "i": "c6792441-37b6-4ef4-ad8b-21f137b2f0b4",
- "w": 5,
- "x": 4,
- "y": 20
+ "h": 14,
+ "i": "75f72920-be71-47a9-a967-f1c862ab2961",
+ "w": 24,
+ "x": 24,
+ "y": 29
},
- "panelIndex": "c6792441-37b6-4ef4-ad8b-21f137b2f0b4",
- "panelRefName": "panel_c6792441-37b6-4ef4-ad8b-21f137b2f0b4",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "75f72920-be71-47a9-a967-f1c862ab2961",
+ "title": "Ingress Traffic by APIName",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "c8c992bf-7fce-42d6-9f2c-c4387ea2ed69": {
+ "columnOrder": [
+ "662706fd-22eb-4e13-bf8d-49046d97a50c",
+ "648dbe26-960c-42a5-b6a2-719df4525ead",
+ "6dc4b040-e9fd-46b6-acf6-256427c6e0ad"
+ ],
+ "columns": {
+ "648dbe26-960c-42a5-b6a2-719df4525ead": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "662706fd-22eb-4e13-bf8d-49046d97a50c": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6dc4b040-e9fd-46b6-acf6-256427c6e0ad",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "6dc4b040-e9fd-46b6-acf6-256427c6e0ad": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Egress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.egress.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-c8c992bf-7fce-42d6-9f2c-c4387ea2ed69",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "6dc4b040-e9fd-46b6-acf6-256427c6e0ad"
+ ],
+ "layerId": "c8c992bf-7fce-42d6-9f2c-c4387ea2ed69",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "662706fd-22eb-4e13-bf8d-49046d97a50c",
+ "xAccessor": "648dbe26-960c-42a5-b6a2-719df4525ead",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(0,149,177,1)",
+ "forAccessor": "6dc4b040-e9fd-46b6-acf6-256427c6e0ad"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Account Egress Traffic [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 14,
"i": "a715fafc-ca38-410c-9253-12ba506eabc0",
- "w": 20,
- "x": 9,
- "y": 24
+ "w": 24,
+ "x": 0,
+ "y": 29
},
"panelIndex": "a715fafc-ca38-410c-9253-12ba506eabc0",
- "panelRefName": "panel_a715fafc-ca38-410c-9253-12ba506eabc0",
"title": "Egress Traffic by APIName",
- "type": "visualization",
- "version": "7.7.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 14,
- "i": "75f72920-be71-47a9-a967-f1c862ab2961",
- "w": 19,
- "x": 29,
- "y": 24
- },
- "panelIndex": "75f72920-be71-47a9-a967-f1c862ab2961",
- "panelRefName": "panel_75f72920-be71-47a9-a967-f1c862ab2961",
- "title": "Ingress Traffic by APIName",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] File Storage Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-09-01T05:23:11.892Z",
"id": "azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.7.0"
},
"references": [
{
@@ -269,69 +1888,19 @@
"type": "index-pattern"
},
{
- "id": "azure_metrics-f18a7cb0-32f6-11ea-a83e-25b8612d00cc",
- "name": "ee131d2d-7ab5-4434-9e3b-230759c3e5ff:panel_ee131d2d-7ab5-4434-9e3b-230759c3e5ff",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-40dbc0d0-32e3-11ea-a83e-25b8612d00cc",
- "name": "a9456b9b-efa6-410d-a56c-4b66aa8c499e:panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-453965a0-3393-11ea-a83e-25b8612d00cc",
- "name": "b24e3e0d-a748-4bb9-ad71-e0de392e2696:panel_b24e3e0d-a748-4bb9-ad71-e0de392e2696",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-722ef2f0-3393-11ea-a83e-25b8612d00cc",
- "name": "8131dfcd-2c52-4641-8259-2f4f2e7558d0:panel_8131dfcd-2c52-4641-8259-2f4f2e7558d0",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-a4bf9710-3393-11ea-a83e-25b8612d00cc",
- "name": "49233089-be1d-4cda-9ccf-2815152e1016:panel_49233089-be1d-4cda-9ccf-2815152e1016",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-553f9320-32e9-11ea-a83e-25b8612d00cc",
- "name": "1d623c03-4d02-4a81-b91e-49e82e112016:panel_1d623c03-4d02-4a81-b91e-49e82e112016",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-acced050-32d1-11ea-a83e-25b8612d00cc",
- "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d00cc",
- "name": "87066244-7840-4555-9d12-026d64977f1a:panel_87066244-7840-4555-9d12-026d64977f1a",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-685fbeb0-32eb-11ea-a83e-25b8612d00cc",
- "name": "756da375-e6a2-4668-af43-0cd294878254:panel_756da375-e6a2-4668-af43-0cd294878254",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-09a6f150-3399-11ea-a83e-25b8612d00cc",
- "name": "2d5c6c0f-f4d2-44fb-b7e5-1a855b75e40f:panel_2d5c6c0f-f4d2-44fb-b7e5-1a855b75e40f",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-241a55e0-3399-11ea-a83e-25b8612d00cc",
- "name": "c6792441-37b6-4ef4-ad8b-21f137b2f0b4:panel_c6792441-37b6-4ef4-ad8b-21f137b2f0b4",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_c7829894-f20c-4b19-ad2d-3a612701abc9:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-599c62c0-32d7-11ea-a83e-25b8612d00cc",
- "name": "a715fafc-ca38-410c-9253-12ba506eabc0:panel_a715fafc-ca38-410c-9253-12ba506eabc0",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_95194504-becb-41f2-bd07-37297fd2fef6:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-4eaef260-32e1-11ea-a83e-25b8612d00cc",
- "name": "75f72920-be71-47a9-a967-f1c862ab2961:panel_75f72920-be71-47a9-a967-f1c862ab2961",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_d8a53398-5fc3-428e-9182-12bda0d851de:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5.json
index 92bb713a654..55fb2955fbb 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5.json
@@ -1,5 +1,11 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"f6cf2f69-1455-4255-8cbb-754914b6f548\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"Region\",\"id\":\"f6cf2f69-1455-4255-8cbb-754914b6f548\",\"enhancements\":{}}},\"8f432dec-9bb0-4084-a307-5894e4a3bb12\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"id\":\"8f432dec-9bb0-4084-a307-5894e4a3bb12\",\"enhancements\":{}}},\"1bd55cba-ce48-43f7-86cb-539ac5da7cae\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"azure.resource.name\",\"title\":\"VM Name\",\"id\":\"1bd55cba-ce48-43f7-86cb-539ac5da7cae\",\"enhancements\":{}}}}"
+ },
"description": "This dashboard visualized relevant metrics for VMs running on Azure cloud.",
"hits": 0,
"kibanaSavedObjectMeta": {
@@ -18,40 +24,206 @@
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Azure Compute VM \n\n[**Overview**](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Guest Windows VM Metrics](#/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca) | [Guest Linux VM Metrics](#/dashboard/azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca)",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Compute VM Overview [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 6,
"i": "6dd69df8-690d-4fda-a3ee-691fb5de4645",
- "w": 10,
+ "w": 26,
"x": 0,
"y": 0
},
"panelIndex": "6dd69df8-690d-4fda-a3ee-691fb5de4645",
- "panelRefName": "panel_6dd69df8-690d-4fda-a3ee-691fb5de4645",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 6,
- "i": "aa881f9d-28d3-4722-822e-3e670021cf52",
- "w": 16,
- "x": 10,
- "y": 0
- },
- "panelIndex": "aa881f9d-28d3-4722-822e-3e670021cf52",
- "panelRefName": "panel_aa881f9d-28d3-4722-822e-3e670021cf52",
- "title": "VM Filters",
"type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-ac0ccc8f-748c-414f-90e7-b2d160d261d1",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "ac0ccc8f-748c-414f-90e7-b2d160d261d1": {
+ "columnOrder": [
+ "dee4dad2-a884-422e-879f-d22250a2624a",
+ "b22915e9-c769-4ec3-bf53-4f0070ff0cab",
+ "7df0f935-5335-4b0f-999b-bcd3664bf942"
+ ],
+ "columns": {
+ "7df0f935-5335-4b0f-999b-bcd3664bf942": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "VM Available Memory",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.available_memory_bytes.avg"
+ },
+ "b22915e9-c769-4ec3-bf53-4f0070ff0cab": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "dee4dad2-a884-422e-879f-d22250a2624a": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "7df0f935-5335-4b0f-999b-bcd3664bf942"
+ ],
+ "layerId": "ac0ccc8f-748c-414f-90e7-b2d160d261d1",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "dee4dad2-a884-422e-879f-d22250a2624a",
+ "xAccessor": "b22915e9-c769-4ec3-bf53-4f0070ff0cab",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(176,188,0,1)",
+ "forAccessor": "7df0f935-5335-4b0f-999b-bcd3664bf942"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 18,
@@ -61,14 +233,181 @@
"y": 0
},
"panelIndex": "2473ef72-c56c-4783-a36a-f4b8efd66ab7",
- "panelRefName": "panel_2473ef72-c56c-4783-a36a-f4b8efd66ab7",
"title": "VM Available Memory",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7c37793f-5510-4105-bfa8-cba2ca4327c3",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "7c37793f-5510-4105-bfa8-cba2ca4327c3": {
+ "columnOrder": [
+ "1ed55f41-0e9e-4bfb-967a-0c9e660c8f23",
+ "26e9426d-e265-4110-a808-180d7dcc8d31",
+ "461d9c41-8634-4719-8116-42be96c1234b"
+ ],
+ "columns": {
+ "1ed55f41-0e9e-4bfb-967a-0c9e660c8f23": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "26e9426d-e265-4110-a808-180d7dcc8d31": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "461d9c41-8634-4719-8116-42be96c1234b": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Azure VM CPU Utilization",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": "%"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.percentage_cpu.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "461d9c41-8634-4719-8116-42be96c1234b"
+ ],
+ "layerId": "7c37793f-5510-4105-bfa8-cba2ca4327c3",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "1ed55f41-0e9e-4bfb-967a-0c9e660c8f23",
+ "xAccessor": "26e9426d-e265-4110-a808-180d7dcc8d31",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(252,196,0,1)",
+ "forAccessor": "461d9c41-8634-4719-8116-42be96c1234b"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
@@ -78,14 +417,176 @@
"y": 6
},
"panelIndex": "e673f70c-f811-4290-9087-578c7dd13675",
- "panelRefName": "panel_e673f70c-f811-4290-9087-578c7dd13675",
"title": "VM CPU Utilization",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7ceb0410-35b9-4a5b-982d-45160c136a49",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "7ceb0410-35b9-4a5b-982d-45160c136a49": {
+ "columnOrder": [
+ "44e7d79c-cce8-4902-aa3b-3f6ad6ffb40c",
+ "09edcbe8-2531-4a5f-af07-28563db428aa",
+ "c5cfcafe-5176-4e63-a6dc-586d62286f98"
+ ],
+ "columns": {
+ "09edcbe8-2531-4a5f-af07-28563db428aa": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "44e7d79c-cce8-4902-aa3b-3f6ad6ffb40c": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "c5cfcafe-5176-4e63-a6dc-586d62286f98": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Azure VM Network In Total",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.network_in_total.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "c5cfcafe-5176-4e63-a6dc-586d62286f98"
+ ],
+ "layerId": "7ceb0410-35b9-4a5b-982d-45160c136a49",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "44e7d79c-cce8-4902-aa3b-3f6ad6ffb40c",
+ "xAccessor": "09edcbe8-2531-4a5f-af07-28563db428aa",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,204,202,1)",
+ "forAccessor": "c5cfcafe-5176-4e63-a6dc-586d62286f98"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
@@ -95,14 +596,176 @@
"y": 18
},
"panelIndex": "535d70b3-3f3c-4a84-85ba-ab671b6d144f",
- "panelRefName": "panel_535d70b3-3f3c-4a84-85ba-ab671b6d144f",
"title": "VM Network In Total",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-a8cb2545-583d-451b-a086-1f8fb6dfc7b2",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "a8cb2545-583d-451b-a086-1f8fb6dfc7b2": {
+ "columnOrder": [
+ "4fe31555-4459-4b29-95ea-a711dec4f81e",
+ "476914ec-c92e-456b-ad0f-673254257df0",
+ "d851dd26-8630-4296-8c57-2274c5ba8517"
+ ],
+ "columns": {
+ "476914ec-c92e-456b-ad0f-673254257df0": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "4fe31555-4459-4b29-95ea-a711dec4f81e": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "d851dd26-8630-4296-8c57-2274c5ba8517": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Azure VM Network Out Total",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.network_out_total.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "d851dd26-8630-4296-8c57-2274c5ba8517"
+ ],
+ "layerId": "a8cb2545-583d-451b-a086-1f8fb6dfc7b2",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "4fe31555-4459-4b29-95ea-a711dec4f81e",
+ "xAccessor": "476914ec-c92e-456b-ad0f-673254257df0",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(115,216,255,1)",
+ "forAccessor": "d851dd26-8630-4296-8c57-2274c5ba8517"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
@@ -112,14 +775,176 @@
"y": 18
},
"panelIndex": "6903a45e-bf11-4db2-9497-fd9692e83448",
- "panelRefName": "panel_6903a45e-bf11-4db2-9497-fd9692e83448",
"title": "VM Network Out Total",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7884bf33-f9c1-4249-85f6-e23361d08c14",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "7884bf33-f9c1-4249-85f6-e23361d08c14": {
+ "columnOrder": [
+ "0677be68-a86e-410f-bfba-3a10d8e31076",
+ "f41039cd-ec6f-4962-99eb-6730dac55c81",
+ "b148ba9a-a87b-4f66-8322-f031a143f7d2"
+ ],
+ "columns": {
+ "0677be68-a86e-410f-bfba-3a10d8e31076": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "b148ba9a-a87b-4f66-8322-f031a143f7d2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "VM Disk Writes bytes",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.disk_write_bytes.total"
+ },
+ "f41039cd-ec6f-4962-99eb-6730dac55c81": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type :\"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "b148ba9a-a87b-4f66-8322-f031a143f7d2"
+ ],
+ "layerId": "7884bf33-f9c1-4249-85f6-e23361d08c14",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "0677be68-a86e-410f-bfba-3a10d8e31076",
+ "xAccessor": "f41039cd-ec6f-4962-99eb-6730dac55c81",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(176,188,0,1)",
+ "forAccessor": "b148ba9a-a87b-4f66-8322-f031a143f7d2"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
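Review bot: The KQL filter added for the Disk Writes panel is written without a space after the colon, `"query": "azure.resource.type :\"Microsoft.Compute/virtualMachines\""`, while the sibling VM panels in this file use `azure.resource.type : \"Microsoft.Compute/virtualMachines\"`. KQL treats both forms the same, so this is not a functional problem, but the inconsistency makes grep-based audits of which panels are scoped to virtual machines less reliable. Normalising the line to `"query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""` keeps all four VM panels identical. The panel object this layer belongs to is closed in the next hunk, outside this one.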
@@ -129,14 +954,176 @@
"y": 18
},
"panelIndex": "aa57fa8f-f6ea-45e3-9b2c-ba948d625813",
- "panelRefName": "panel_aa57fa8f-f6ea-45e3-9b2c-ba948d625813",
"title": "VM Disk Writes",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-83a8d3cd-ad25-4d78-a8e6-e35b83ac8245",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "83a8d3cd-ad25-4d78-a8e6-e35b83ac8245": {
+ "columnOrder": [
+ "5c8395a4-f0f7-4409-b542-7eff011d9bb0",
+ "6042afbc-97ba-4a9a-b6ce-c473cae6721e",
+ "bb35db70-0fc3-4dea-a37c-6c05ced09132"
+ ],
+ "columns": {
+ "5c8395a4-f0f7-4409-b542-7eff011d9bb0": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "6042afbc-97ba-4a9a-b6ce-c473cae6721e": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "bb35db70-0fc3-4dea-a37c-6c05ced09132": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "VM Disk Read bytes",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.disk_read_bytes.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type :\"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "bb35db70-0fc3-4dea-a37c-6c05ced09132"
+ ],
+ "layerId": "83a8d3cd-ad25-4d78-a8e6-e35b83ac8245",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "5c8395a4-f0f7-4409-b542-7eff011d9bb0",
+ "xAccessor": "6042afbc-97ba-4a9a-b6ce-c473cae6721e",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(252,196,0,1)",
+ "forAccessor": "bb35db70-0fc3-4dea-a37c-6c05ced09132"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 12,
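Review bot: The custom label for the Disk Reads metric column is `"label": "VM Disk Read bytes"`, which does not match the wording of its counterpart `"VM Disk Writes bytes"` in the previous panel, so the two legends will read differently side by side. Either `"label": "VM Disk Reads bytes"` here or `"VM Disk Write bytes"` in the other panel would make them parallel. The same hunk also carries the KQL spacing variant `azure.resource.type :\"Microsoft.Compute/virtualMachines\"` that the other panels write with a space after the colon; equivalent for KQL, but worth aligning while editing. The enclosing panel object continues past the end of this hunk.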
@@ -146,13 +1133,170 @@
"y": 18
},
"panelIndex": "14e225ef-6417-4377-b2cb-6b46b6693b78",
- "panelRefName": "panel_14e225ef-6417-4377-b2cb-6b46b6693b78",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "title": "VM Disk Reads [Azure Metrics]",
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-6f90b4b3-9fa8-451f-bc49-59bc3836450f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "6f90b4b3-9fa8-451f-bc49-59bc3836450f": {
+ "columnOrder": [
+ "e90705d6-65bf-44ad-a639-82ea78d9305b",
+ "d3ab6fd4-1f88-408a-af43-deef5dffea76",
+ "ecf4dc66-da0f-4066-9ac5-87b27bc2fbfa"
+ ],
+ "columns": {
+ "d3ab6fd4-1f88-408a-af43-deef5dffea76": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "e90705d6-65bf-44ad-a639-82ea78d9305b": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "ecf4dc66-da0f-4066-9ac5-87b27bc2fbfa": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "VM Disk Read Operations/s",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.disk_read_operations_per_sec.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "ecf4dc66-da0f-4066-9ac5-87b27bc2fbfa"
+ ],
+ "layerId": "6f90b4b3-9fa8-451f-bc49-59bc3836450f",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "e90705d6-65bf-44ad-a639-82ea78d9305b",
+ "xAccessor": "d3ab6fd4-1f88-408a-af43-deef5dffea76",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(252,196,0,1)",
+ "forAccessor": "ecf4dc66-da0f-4066-9ac5-87b27bc2fbfa"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 13,
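Review bot: The panel-level title introduced here, `"title": "VM Disk Reads [Azure Metrics]"`, carries the `[Azure Metrics]` suffix while every sibling panel title in this dashboard does not (`"VM Network Out Total"`, `"VM Disk Writes"`, `"VM Disk Read Operations/s"`). The suffix is the convention for saved-object titles, but on a by-value panel it is rendered verbatim in the panel header, so this one panel will look different from the rest. Suggest `"title": "VM Disk Reads"` for consistency. The panel whose gridData and title appear at the top of this hunk has its embeddableConfig in the previous hunk.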
@@ -162,14 +1306,170 @@
"y": 30
},
"panelIndex": "8879143b-ed83-45ec-8c58-b10dc1597c22",
- "panelRefName": "panel_8879143b-ed83-45ec-8c58-b10dc1597c22",
"title": "VM Disk Read Operations/s",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "indexpattern-datasource-layer-7a182b0f-6f12-475b-bf0b-1c3c59cd7fd7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "7a182b0f-6f12-475b-bf0b-1c3c59cd7fd7": {
+ "columnOrder": [
+ "de2c3ced-f671-4d66-bf4d-3ac52d766c56",
+ "90f5f864-5365-45ea-b7ae-319c3a215f71",
+ "f004326b-6910-4472-b28b-ea6f83be1026"
+ ],
+ "columns": {
+ "90f5f864-5365-45ea-b7ae-319c3a215f71": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "de2c3ced-f671-4d66-bf4d-3ac52d766c56": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.resource.name",
+ "operationType": "terms",
+ "params": {
+ "excludeIsRegex": false,
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderAgg": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "orderBy": {
+ "type": "custom"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.resource.name"
+ },
+ "f004326b-6910-4472-b28b-ea6f83be1026": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "VM Disk Write Operations/s",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.compute_vm.disk_write_operations_per_sec.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "f004326b-6910-4472-b28b-ea6f83be1026"
+ ],
+ "layerId": "7a182b0f-6f12-475b-bf0b-1c3c59cd7fd7",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "de2c3ced-f671-4d66-bf4d-3ac52d766c56",
+ "xAccessor": "90f5f864-5365-45ea-b7ae-319c3a215f71",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(252,196,0,1)",
+ "forAccessor": "f004326b-6910-4472-b28b-ea6f83be1026"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yTitle": ""
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 13,
@@ -179,71 +1479,75 @@
"y": 30
},
"panelIndex": "4071f2bf-1794-45ff-b76d-58864226d8b7",
- "panelRefName": "panel_4071f2bf-1794-45ff-b76d-58864226d8b7",
"title": "VM Disk Write Operations/s",
- "type": "visualization",
- "version": "7.14.0-SNAPSHOT"
+ "type": "lens",
+ "version": "8.4.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Compute VMs Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.4.0",
"id": "azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.4.0"
},
"references": [
{
- "id": "azure_metrics-eaf13b40-feac-11eb-8fff-87871c582eca",
- "name": "6dd69df8-690d-4fda-a3ee-691fb5de4645:panel_6dd69df8-690d-4fda-a3ee-691fb5de4645",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "2473ef72-c56c-4783-a36a-f4b8efd66ab7:indexpattern-datasource-layer-ac0ccc8f-748c-414f-90e7-b2d160d261d1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "e673f70c-f811-4290-9087-578c7dd13675:indexpattern-datasource-layer-7c37793f-5510-4105-bfa8-cba2ca4327c3",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-5031b220-eb61-11e9-90ec-112a988266d5",
- "name": "aa881f9d-28d3-4722-822e-3e670021cf52:panel_aa881f9d-28d3-4722-822e-3e670021cf52",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "535d70b3-3f3c-4a84-85ba-ab671b6d144f:indexpattern-datasource-layer-7ceb0410-35b9-4a5b-982d-45160c136a49",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-7205a4f0-ea95-11e9-90ec-112a988266d5",
- "name": "2473ef72-c56c-4783-a36a-f4b8efd66ab7:panel_2473ef72-c56c-4783-a36a-f4b8efd66ab7",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "6903a45e-bf11-4db2-9497-fd9692e83448:indexpattern-datasource-layer-a8cb2545-583d-451b-a086-1f8fb6dfc7b2",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-db9a3490-ea8f-11e9-90ec-112a988266d5",
- "name": "e673f70c-f811-4290-9087-578c7dd13675:panel_e673f70c-f811-4290-9087-578c7dd13675",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "aa57fa8f-f6ea-45e3-9b2c-ba948d625813:indexpattern-datasource-layer-7884bf33-f9c1-4249-85f6-e23361d08c14",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-8b6b9450-ea99-11e9-90ec-112a988266d5",
- "name": "535d70b3-3f3c-4a84-85ba-ab671b6d144f:panel_535d70b3-3f3c-4a84-85ba-ab671b6d144f",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "14e225ef-6417-4377-b2cb-6b46b6693b78:indexpattern-datasource-layer-83a8d3cd-ad25-4d78-a8e6-e35b83ac8245",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-abd32c30-ea99-11e9-90ec-112a988266d5",
- "name": "6903a45e-bf11-4db2-9497-fd9692e83448:panel_6903a45e-bf11-4db2-9497-fd9692e83448",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "8879143b-ed83-45ec-8c58-b10dc1597c22:indexpattern-datasource-layer-6f90b4b3-9fa8-451f-bc49-59bc3836450f",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-5c016810-ea9a-11e9-90ec-112a988266d5",
- "name": "aa57fa8f-f6ea-45e3-9b2c-ba948d625813:panel_aa57fa8f-f6ea-45e3-9b2c-ba948d625813",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "4071f2bf-1794-45ff-b76d-58864226d8b7:indexpattern-datasource-layer-7a182b0f-6f12-475b-bf0b-1c3c59cd7fd7",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-e8ca65c0-eb45-11e9-90ec-112a988266d5",
- "name": "14e225ef-6417-4377-b2cb-6b46b6693b78:panel_14e225ef-6417-4377-b2cb-6b46b6693b78",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_f6cf2f69-1455-4255-8cbb-754914b6f548:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-3a50e950-eb46-11e9-90ec-112a988266d5",
- "name": "8879143b-ed83-45ec-8c58-b10dc1597c22:panel_8879143b-ed83-45ec-8c58-b10dc1597c22",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_8f432dec-9bb0-4084-a307-5894e4a3bb12:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-0892eaa0-ea9a-11e9-90ec-112a988266d5",
- "name": "4071f2bf-1794-45ff-b76d-58864226d8b7:panel_4071f2bf-1794-45ff-b76d-58864226d8b7",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_1bd55cba-ce48-43f7-86cb-539ac5da7cae:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
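Review bot: The references list now depends on the `metrics-*` data view for every Lens layer and for three `controlGroup_*:optionsListDataView` entries, while `coreMigrationVersion` and `migrationVersion.dashboard` are set to `"8.4.0"`; the second dashboard in this same diff is migrated to `"8.7.0"` and uses the newer `formBased` datasource and `adHocDataViews` state shapes. Since Kibana validates these saved objects against the package's `conditions.kibana.version` (in the manifest, outside this view), that constraint presumably has to be raised to at least the highest version any dashboard in the package now requires; please confirm it was updated in the same change. It would also be worth stating the rationale for mixing 8.4.0 and 8.7.0 migration versions across dashboards, or converting both with the same Kibana version so the package has one baseline. The three control IDs referenced here (`f6cf2f69…`, `8f432dec…`, `1bd55cba…`) must match the `controlGroupInput.panelsJSON` ids of this dashboard, which is outside the hunk and could not be checked.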
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc.json
index 9f1061b9748..15c0d6e2df2 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc.json
@@ -1,7 +1,12 @@
{
"attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"859278cd-7231-4483-9a14-5bd544d85949\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"859278cd-7231-4483-9a14-5bd544d85949\",\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"enhancements\":{}}},\"5606188c-ad52-4ec8-9eb0-5816a7e45c11\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5606188c-ad52-4ec8-9eb0-5816a7e45c11\",\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"enhancements\":{}}},\"6f841590-bae1-4d83-8290-eb8d4e0e186f\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"6f841590-bae1-4d83-8290-eb8d4e0e186f\",\"fieldName\":\"azure.resource.name\",\"title\":\"Resource Name\",\"enhancements\":{}}}}"
+ },
"description": "This dashboard shows metrics for table storage type in Azure.",
- "hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [
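Review bot: The new `controlGroupInput` declares three options-list controls with ids `859278cd-…`, `5606188c-…` and `6f841590-…` over `azure.subscription_id`, `azure.resource.group` and `azure.resource.name`, but the matching `controlGroup_<id>:optionsListDataView` entries in this dashboard's `references` array are outside this hunk and could not be verified; Kibana resolves the data view for each control through those references, so a missing entry leaves the control without a data view at import time. The other dashboard in this diff shows the expected pattern, one `{"id": "metrics-*", "name": "controlGroup_<id>:optionsListDataView", "type": "index-pattern"}` per control. Only the Subscription control is `"singleSelect":true`; if resource group and resource name are meant to allow multi-select that is fine, otherwise they should carry the same flag.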
@@ -35,200 +40,1580 @@
},
"optionsJSON": {
"hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
"useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
- "enhancements": {}
+ "enhancements": {},
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 10,
+ "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [**Table**](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
+ "openLinksInNewTab": false
+ },
+ "title": "Navigation Table Storage Overview [Azure Metrics]",
+ "type": "markdown",
+ "uiState": {}
+ }
},
"gridData": {
"h": 5,
"i": "204cbabc-fafd-472c-b106-bd08f5262b1f",
- "w": 9,
+ "w": 48,
"x": 0,
"y": 0
},
"panelIndex": "204cbabc-fafd-472c-b106-bd08f5262b1f",
- "panelRefName": "panel_204cbabc-fafd-472c-b106-bd08f5262b1f",
- "type": "visualization",
- "version": "7.7.0"
- },
- {
- "embeddableConfig": {
- "enhancements": {}
- },
- "gridData": {
- "h": 9,
- "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "w": 5,
- "x": 9,
- "y": 0
- },
- "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "panelRefName": "panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "title": "Availability",
"type": "visualization",
- "version": "7.7.0"
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8af334fb-517e-41e8-93e9-c4dc79c034ed": {
+ "columnOrder": [
+ "65b98bd8-f136-4716-9ec6-94443d4fac64",
+ "4ec7ad4b-9db8-47c7-98d7-19400cb70922X0",
+ "4ec7ad4b-9db8-47c7-98d7-19400cb70922X1",
+ "4ec7ad4b-9db8-47c7-98d7-19400cb70922"
+ ],
+ "columns": {
+ "4ec7ad4b-9db8-47c7-98d7-19400cb70922": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.table_capacity.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.table_capacity.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "4ec7ad4b-9db8-47c7-98d7-19400cb70922X1"
+ ],
+ "scale": "ratio"
+ },
+ "4ec7ad4b-9db8-47c7-98d7-19400cb70922X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.table_capacity.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.table_capacity.avg"
+ },
+ "4ec7ad4b-9db8-47c7-98d7-19400cb70922X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.table_capacity.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "4ec7ad4b-9db8-47c7-98d7-19400cb70922X0"
+ ],
+ "scale": "ratio"
+ },
+ "65b98bd8-f136-4716-9ec6-94443d4fac64": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Table Capacity",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.table_capacity.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-8af334fb-517e-41e8-93e9-c4dc79c034ed",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#68CCCA",
+ "layerId": "8af334fb-517e-41e8-93e9-c4dc79c034ed",
+ "layerType": "data",
+ "maxAccessor": "4ec7ad4b-9db8-47c7-98d7-19400cb70922",
+ "metricAccessor": "65b98bd8-f136-4716-9ec6-94443d4fac64"
+ }
+ },
+ "title": "Storage Table Capacity [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "15b7c108-0214-4af6-9719-fab59affafec",
"w": 5,
- "x": 14,
- "y": 0
+ "x": 0,
+ "y": 5
},
"panelIndex": "15b7c108-0214-4af6-9719-fab59affafec",
- "panelRefName": "panel_15b7c108-0214-4af6-9719-fab59affafec",
- "type": "visualization",
- "version": "7.7.0"
+ "title": "Storage Table Capacity [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "9a7e40c9-8b33-4ae4-9954-5b4ef7d462f9": {
+ "columnOrder": [
+ "2d62dcb1-64ad-46b4-9909-34975f4409ab",
+ "c17ea056-b0cd-4821-a97c-8682579757c3X0",
+ "c17ea056-b0cd-4821-a97c-8682579757c3X1",
+ "c17ea056-b0cd-4821-a97c-8682579757c3"
+ ],
+ "columns": {
+ "2d62dcb1-64ad-46b4-9909-34975f4409ab": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Table Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.table_count.avg"
+ },
+ "c17ea056-b0cd-4821-a97c-8682579757c3": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.table_count.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.table_count.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "c17ea056-b0cd-4821-a97c-8682579757c3X1"
+ ],
+ "scale": "ratio"
+ },
+ "c17ea056-b0cd-4821-a97c-8682579757c3X0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.table_count.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.table_count.avg"
+ },
+ "c17ea056-b0cd-4821-a97c-8682579757c3X1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.table_count.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "c17ea056-b0cd-4821-a97c-8682579757c3X0"
+ ],
+ "scale": "ratio"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-9a7e40c9-8b33-4ae4-9954-5b4ef7d462f9",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#68CCCA",
+ "layerId": "9a7e40c9-8b33-4ae4-9954-5b4ef7d462f9",
+ "layerType": "data",
+ "maxAccessor": "c17ea056-b0cd-4821-a97c-8682579757c3",
+ "metricAccessor": "2d62dcb1-64ad-46b4-9909-34975f4409ab"
+ }
+ },
+ "title": "Storage Table Count [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "4177a6e6-97d7-447e-bcf3-ee9c1d660bd8",
"w": 5,
- "x": 19,
- "y": 0
+ "x": 5,
+ "y": 5
},
"panelIndex": "4177a6e6-97d7-447e-bcf3-ee9c1d660bd8",
- "panelRefName": "panel_4177a6e6-97d7-447e-bcf3-ee9c1d660bd8",
- "type": "visualization",
- "version": "7.7.0"
+ "title": "Storage Table Count [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "562fb6db-df95-4ee2-b9b6-021ecaf2aba0": {
+ "columnOrder": [
+ "fa522977-cc94-4c29-b0fd-812045d19c42",
+ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3eX0",
+ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3eX1",
+ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3e"
+ ],
+ "columns": {
+ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3e": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "overall_max(average(azure.storage_account.table_entity_count.avg))",
+ "operationType": "formula",
+ "params": {
+ "formula": "overall_max(average(azure.storage_account.table_entity_count.avg))",
+ "isFormulaBroken": false
+ },
+ "references": [
+ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3eX1"
+ ],
+ "scale": "ratio"
+ },
+ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3eX0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.table_entity_count.avg))",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.table_entity_count.avg"
+ },
+ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3eX1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Part of overall_max(average(azure.storage_account.table_entity_count.avg))",
+ "operationType": "overall_max",
+ "references": [
+ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3eX0"
+ ],
+ "scale": "ratio"
+ },
+ "fa522977-cc94-4c29-b0fd-812045d19c42": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Table Entity Count",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.table_entity_count.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-562fb6db-df95-4ee2-b9b6-021ecaf2aba0",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#68CCCA",
+ "layerId": "562fb6db-df95-4ee2-b9b6-021ecaf2aba0",
+ "layerType": "data",
+ "maxAccessor": "303b0b16-adb3-4fa9-bd7c-67dc742d8f3e",
+ "metricAccessor": "fa522977-cc94-4c29-b0fd-812045d19c42"
+ }
+ },
+ "title": "Storage Table Entity Count [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
"i": "28d85d90-3881-4d1f-b60c-43b545fc9f0e",
"w": 5,
- "x": 24,
- "y": 0
+ "x": 10,
+ "y": 5
},
"panelIndex": "28d85d90-3881-4d1f-b60c-43b545fc9f0e",
- "panelRefName": "panel_28d85d90-3881-4d1f-b60c-43b545fc9f0e",
- "type": "visualization",
- "version": "7.7.0"
+ "title": "Storage Table Entity Count [Azure Metrics]",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "6ec5d19a-5b84-4f8a-951a-6b752989e5db": {
+ "columnOrder": [
+ "1e1ec37f-3e5a-443b-8ec6-1eb681feb19b",
+ "2481e81f-e447-4eee-9c37-2ecd948035f2"
+ ],
+ "columns": {
+ "1e1ec37f-3e5a-443b-8ec6-1eb681feb19b": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "2481e81f-e447-4eee-9c37-2ecd948035f2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Availability",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " %"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.availability.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-6ec5d19a-5b84-4f8a-951a-6b752989e5db",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.6,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "2481e81f-e447-4eee-9c37-2ecd948035f2"
+ ],
+ "layerId": "6ec5d19a-5b84-4f8a-951a-6b752989e5db",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "area",
+ "xAccessor": "1e1ec37f-3e5a-443b-8ec6-1eb681feb19b",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(22,165,165,1)",
+ "forAccessor": "2481e81f-e447-4eee-9c37-2ecd948035f2"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Availability [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 9,
- "i": "1d623c03-4d02-4a81-b91e-49e82e112016",
- "w": 19,
- "x": 29,
- "y": 0
+ "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
+ "w": 14,
+ "x": 15,
+ "y": 5
},
- "panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016",
- "panelRefName": "panel_1d623c03-4d02-4a81-b91e-49e82e112016",
- "title": "Transactions",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e",
+ "title": "Availability",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fdeea35c-0b85-4ce8-9148-6c340ed94aca": {
+ "columnOrder": [
+ "ce2cd4a6-25e6-48f3-bb29-4c723e497688",
+ "e438b915-2c1f-47e4-ab09-aaa2a45dbf6e",
+ "dc02b832-60c4-4a37-8295-81ca9af56da5"
+ ],
+ "columns": {
+ "ce2cd4a6-25e6-48f3-bb29-4c723e497688": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "dc02b832-60c4-4a37-8295-81ca9af56da5": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "avg(azure.storage_account.transactions.total)",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.transactions.total"
+ },
+ "e438b915-2c1f-47e4-ab09-aaa2a45dbf6e": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.response_type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "dc02b832-60c4-4a37-8295-81ca9af56da5",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.response_type"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-fdeea35c-0b85-4ce8-9148-6c340ed94aca",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "dc02b832-60c4-4a37-8295-81ca9af56da5"
+ ],
+ "layerId": "fdeea35c-0b85-4ce8-9148-6c340ed94aca",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "e438b915-2c1f-47e4-ab09-aaa2a45dbf6e",
+ "xAccessor": "ce2cd4a6-25e6-48f3-bb29-4c723e497688",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "dc02b832-60c4-4a37-8295-81ca9af56da5"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Transactions [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
- "h": 15,
- "i": "ff6441f8-d66d-4399-bae5-25d3d861b299",
- "w": 9,
- "x": 0,
+ "h": 9,
+ "i": "1d623c03-4d02-4a81-b91e-49e82e112016",
+ "w": 19,
+ "x": 29,
"y": 5
},
- "panelIndex": "ff6441f8-d66d-4399-bae5-25d3d861b299",
- "panelRefName": "panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization",
- "version": "7.7.0"
+ "panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016",
+ "title": "Transactions",
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ffffce6b-7ff2-4323-aace-756f6f71630e": {
+ "columnOrder": [
+ "2f3e58ea-acff-4be1-bad4-ebc45bb62465",
+ "3b97b566-65b4-4c3c-bbcf-24aab6d57e17",
+ "727a5c36-c364-41c8-8b05-ae24da3122ec"
+ ],
+ "columns": {
+ "2f3e58ea-acff-4be1-bad4-ebc45bb62465": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "727a5c36-c364-41c8-8b05-ae24da3122ec",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "3b97b566-65b4-4c3c-bbcf-24aab6d57e17": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "727a5c36-c364-41c8-8b05-ae24da3122ec": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "SuccessServerLatency (ms)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.success_server_latency.avg"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-ffffce6b-7ff2-4323-aace-756f6f71630e",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "727a5c36-c364-41c8-8b05-ae24da3122ec"
+ ],
+ "layerId": "ffffce6b-7ff2-4323-aace-756f6f71630e",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "2f3e58ea-acff-4be1-bad4-ebc45bb62465",
+ "xAccessor": "3b97b566-65b4-4c3c-bbcf-24aab6d57e17",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "727a5c36-c364-41c8-8b05-ae24da3122ec"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Success Server Latency [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "87066244-7840-4555-9d12-026d64977f1a",
- "w": 20,
- "x": 9,
- "y": 9
+ "w": 24,
+ "x": 0,
+ "y": 14
},
"panelIndex": "87066244-7840-4555-9d12-026d64977f1a",
- "panelRefName": "panel_87066244-7840-4555-9d12-026d64977f1a",
"title": "Success Server Latency",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "d47b5c9b-40f9-4a0e-acc5-d73058704ddc": {
+ "columnOrder": [
+ "1f077c05-f392-41f8-9687-bf528926222c",
+ "fa2f0143-0dfe-4318-ade6-9e37b34d6785",
+ "77a4e9f4-1a06-46b4-b1a6-7ca0d8802e12"
+ ],
+ "columns": {
+ "1f077c05-f392-41f8-9687-bf528926222c": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "77a4e9f4-1a06-46b4-b1a6-7ca0d8802e12",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "77a4e9f4-1a06-46b4-b1a6-7ca0d8802e12": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Success E2E Latency (ms)",
+ "operationType": "average",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 1,
+ "suffix": " ms"
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.success_e2elatency.avg"
+ },
+ "fa2f0143-0dfe-4318-ade6-9e37b34d6785": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-d47b5c9b-40f9-4a0e-acc5-d73058704ddc",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "77a4e9f4-1a06-46b4-b1a6-7ca0d8802e12"
+ ],
+ "layerId": "d47b5c9b-40f9-4a0e-acc5-d73058704ddc",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "1f077c05-f392-41f8-9687-bf528926222c",
+ "xAccessor": "fa2f0143-0dfe-4318-ade6-9e37b34d6785",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "77a4e9f4-1a06-46b4-b1a6-7ca0d8802e12"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Success E2E Latency [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 15,
"i": "756da375-e6a2-4668-af43-0cd294878254",
- "w": 19,
- "x": 29,
- "y": 9
+ "w": 24,
+ "x": 24,
+ "y": 14
},
"panelIndex": "756da375-e6a2-4668-af43-0cd294878254",
- "panelRefName": "panel_756da375-e6a2-4668-af43-0cd294878254",
"title": "Success E2E Latency",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "e0f41a92-50ad-4209-b292-1f0c2d8db375": {
+ "columnOrder": [
+ "323383ba-66eb-47fb-b730-d64adae78d9b",
+ "4b8f44d5-8fd6-4bbd-bdfc-e4fa2971b108",
+ "a5b3fe18-0281-4168-af20-34a06fd7f8ed"
+ ],
+ "columns": {
+ "323383ba-66eb-47fb-b730-d64adae78d9b": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a5b3fe18-0281-4168-af20-34a06fd7f8ed",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "4b8f44d5-8fd6-4bbd-bdfc-e4fa2971b108": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "a5b3fe18-0281-4168-af20-34a06fd7f8ed": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Egress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.egress.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-e0f41a92-50ad-4209-b292-1f0c2d8db375",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "a5b3fe18-0281-4168-af20-34a06fd7f8ed"
+ ],
+ "layerId": "e0f41a92-50ad-4209-b292-1f0c2d8db375",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "323383ba-66eb-47fb-b730-d64adae78d9b",
+ "xAccessor": "4b8f44d5-8fd6-4bbd-bdfc-e4fa2971b108",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(0,149,177,1)",
+ "forAccessor": "a5b3fe18-0281-4168-af20-34a06fd7f8ed"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Account Egress Traffic [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 14,
"i": "a715fafc-ca38-410c-9253-12ba506eabc0",
- "w": 20,
- "x": 9,
- "y": 24
+ "w": 24,
+ "x": 0,
+ "y": 29
},
"panelIndex": "a715fafc-ca38-410c-9253-12ba506eabc0",
- "panelRefName": "panel_a715fafc-ca38-410c-9253-12ba506eabc0",
"title": "Egress Traffic by APIName",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
},
{
"embeddableConfig": {
- "enhancements": {}
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "2d4ade86-4433-4eb8-962b-6f92900590dc": {
+ "columnOrder": [
+ "98eae805-2650-4843-a347-e4ef37788a15",
+ "bbc8e243-6b26-4dee-9096-96a6ff5fe938",
+ "a2d3840e-d2ef-4510-a746-08b2f1085e1e"
+ ],
+ "columns": {
+ "98eae805-2650-4843-a347-e4ef37788a15": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a2d3840e-d2ef-4510-a746-08b2f1085e1e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "a2d3840e-d2ef-4510-a746-08b2f1085e1e": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Ingress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes",
+ "params": {
+ "decimals": 1
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.ingress.total"
+ },
+ "bbc8e243-6b26-4dee-9096-96a6ff5fe938": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "5m"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-2d4ade86-4433-4eb8-962b-6f92900590dc",
+ "type": "index-pattern"
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "a2d3840e-d2ef-4510-a746-08b2f1085e1e"
+ ],
+ "layerId": "2d4ade86-4433-4eb8-962b-6f92900590dc",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "98eae805-2650-4843-a347-e4ef37788a15",
+ "xAccessor": "bbc8e243-6b26-4dee-9096-96a6ff5fe938",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,188,0,1)",
+ "forAccessor": "a2d3840e-d2ef-4510-a746-08b2f1085e1e"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
+ },
+ "title": "Storage Account Ingress Traffic [Azure Metrics] (converted)",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
},
"gridData": {
"h": 14,
"i": "75f72920-be71-47a9-a967-f1c862ab2961",
- "w": 19,
- "x": 29,
- "y": 24
+ "w": 24,
+ "x": 24,
+ "y": 29
},
"panelIndex": "75f72920-be71-47a9-a967-f1c862ab2961",
- "panelRefName": "panel_75f72920-be71-47a9-a967-f1c862ab2961",
"title": "Ingress Traffic by APIName",
- "type": "visualization",
- "version": "7.7.0"
+ "type": "lens",
+ "version": "8.7.0"
}
],
"timeRestore": false,
"title": "[Azure Metrics] Table Storage Overview",
"version": 1
},
- "coreMigrationVersion": "7.14.0",
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2023-09-01T05:45:24.377Z",
"id": "azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc",
"migrationVersion": {
- "dashboard": "7.14.0"
+ "dashboard": "8.7.0"
},
"references": [
{
@@ -237,59 +1622,19 @@
"type": "index-pattern"
},
{
- "id": "azure_metrics-fdef3f40-32f6-11ea-a83e-25b8612d00cc",
- "name": "204cbabc-fafd-472c-b106-bd08f5262b1f:panel_204cbabc-fafd-472c-b106-bd08f5262b1f",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-40dbc0d0-32e3-11ea-a83e-25b8612d00cc",
- "name": "a9456b9b-efa6-410d-a56c-4b66aa8c499e:panel_a9456b9b-efa6-410d-a56c-4b66aa8c499e",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-f528e6a0-339a-11ea-a83e-25b8612d00cc",
- "name": "15b7c108-0214-4af6-9719-fab59affafec:panel_15b7c108-0214-4af6-9719-fab59affafec",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-43b31a20-339b-11ea-a83e-25b8612d00cc",
- "name": "4177a6e6-97d7-447e-bcf3-ee9c1d660bd8:panel_4177a6e6-97d7-447e-bcf3-ee9c1d660bd8",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-5cbf5820-339c-11ea-a83e-25b8612d00cc",
- "name": "28d85d90-3881-4d1f-b60c-43b545fc9f0e:panel_28d85d90-3881-4d1f-b60c-43b545fc9f0e",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-553f9320-32e9-11ea-a83e-25b8612d00cc",
- "name": "1d623c03-4d02-4a81-b91e-49e82e112016:panel_1d623c03-4d02-4a81-b91e-49e82e112016",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-acced050-32d1-11ea-a83e-25b8612d00cc",
- "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:panel_ff6441f8-d66d-4399-bae5-25d3d861b299",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d00cc",
- "name": "87066244-7840-4555-9d12-026d64977f1a:panel_87066244-7840-4555-9d12-026d64977f1a",
- "type": "visualization"
- },
- {
- "id": "azure_metrics-685fbeb0-32eb-11ea-a83e-25b8612d00cc",
- "name": "756da375-e6a2-4668-af43-0cd294878254:panel_756da375-e6a2-4668-af43-0cd294878254",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_859278cd-7231-4483-9a14-5bd544d85949:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-599c62c0-32d7-11ea-a83e-25b8612d00cc",
- "name": "a715fafc-ca38-410c-9253-12ba506eabc0:panel_a715fafc-ca38-410c-9253-12ba506eabc0",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_5606188c-ad52-4ec8-9eb0-5816a7e45c11:optionsListDataView",
+ "type": "index-pattern"
},
{
- "id": "azure_metrics-4eaef260-32e1-11ea-a83e-25b8612d00cc",
- "name": "75f72920-be71-47a9-a967-f1c862ab2961:panel_75f72920-be71-47a9-a967-f1c862ab2961",
- "type": "visualization"
+ "id": "metrics-*",
+ "name": "controlGroup_6f841590-bae1-4d83-8290-eb8d4e0e186f:optionsListDataView",
+ "type": "index-pattern"
}
],
"type": "dashboard"
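Review bot: The three new `controlGroup_…:optionsListDataView` references at L127068–L127086 all bind to a persisted data view with id `metrics-*`, while the panels in the same dashboard were migrated to the by-value ad hoc data view `tsvb_ad_hoc_metrics-*/@timestamp` with `allowNoIndex: true`, so the controls are now the only part of the dashboard that still requires that saved object to exist in the target space. If the package no longer installs a data view with exactly that id (it appears to be the one the first, unchanged reference in this hunk points to, but that cannot be confirmed from here), the options-list controls will fail to load even though every panel renders. It would be worth confirming in the package's own assets that a `metrics-*` index-pattern saved object is still shipped, or else switching the controls to the same ad hoc data view the panels use. The `references` array begins before this hunk.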
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-0241cc10-339d-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-0241cc10-339d-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 2a88b6dde03..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-0241cc10-339d-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Queue Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(164,221,0,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Queue Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.queue_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Queue Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-0241cc10-339d-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-037382e0-856e-11ea-91bc-ab084c7ec0e7.json b/packages/azure_metrics/kibana/visualization/azure_metrics-037382e0-856e-11ea-91bc-ab084c7ec0e7.json
deleted file mode 100644
index d6026e50c9d..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-037382e0-856e-11ea-91bc-ab084c7ec0e7.json
+++ /dev/null
@@ -1,223 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
- }
- },
- "title": " Database Account Requests By Status Code [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "customLabel": "Total Requests",
- "field": "azure.database_account.total_requests.count"
- },
- "schema": "metric",
- "type": "avg"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "customLabel": "Status Codes",
- "field": "azure.dimensions.status_code",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "group",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Database",
- "field": "azure.dimensions.database_name",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "_key",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 5
- },
- "schema": "split",
- "type": "terms"
- }
- ],
- "params": {
- "addLegend": true,
- "addTimeMarker": false,
- "addTooltip": false,
- "categoryAxes": [
- {
- "id": "CategoryAxis-1",
- "labels": {
- "filter": true,
- "show": true,
- "truncate": 100
- },
- "position": "bottom",
- "scale": {
- "type": "linear"
- },
- "show": false,
- "style": {},
- "title": {},
- "type": "category"
- }
- ],
- "detailedTooltip": true,
- "dimensions": {
- "series": [
- {
- "accessor": 0,
- "aggType": "terms",
- "format": {
- "id": "terms",
- "params": {
- "id": "string",
- "missingBucketLabel": "Missing",
- "otherBucketLabel": "Other",
- "parsedUrl": {
- "basePath": "",
- "origin": "http://localhost:5601",
- "pathname": "/app/kibana"
- }
- }
- },
- "label": "Status Codes",
- "params": {}
- }
- ],
- "splitColumn": [
- {
- "accessor": 1,
- "aggType": "terms",
- "format": {
- "id": "terms",
- "params": {
- "id": "string",
- "missingBucketLabel": "Missing",
- "otherBucketLabel": "Other",
- "parsedUrl": {
- "basePath": "",
- "origin": "http://localhost:5601",
- "pathname": "/app/kibana"
- }
- }
- },
- "label": "Database",
- "params": {}
- }
- ],
- "x": null,
- "y": [
- {
- "accessor": 2,
- "aggType": "avg",
- "format": {
- "id": "number",
- "params": {
- "parsedUrl": {
- "basePath": "",
- "origin": "http://localhost:5601",
- "pathname": "/app/kibana"
- }
- }
- },
- "label": "Total Requests",
- "params": {}
- }
- ]
- },
- "grid": {
- "categoryLines": false
- },
- "isVislibVis": true,
- "labels": {
- "show": false
- },
- "legendPosition": "right",
- "palette": {
- "name": "kibana_palette",
- "type": "palette"
- },
- "row": false,
- "seriesParams": [
- {
- "data": {
- "id": "1",
- "label": "Total Requests"
- },
- "drawLinesBetweenPoints": true,
- "lineWidth": 2,
- "mode": "stacked",
- "show": true,
- "showCircles": true,
- "type": "histogram",
- "valueAxis": "ValueAxis-1"
- }
- ],
- "thresholdLine": {
- "color": "#E7664C",
- "show": false,
- "style": "full",
- "value": 10,
- "width": 1
- },
- "times": [],
- "type": "histogram",
- "valueAxes": [
- {
- "id": "ValueAxis-1",
- "labels": {
- "filter": false,
- "rotate": 0,
- "show": true,
- "truncate": 100
- },
- "name": "LeftAxis-1",
- "position": "left",
- "scale": {
- "mode": "normal",
- "type": "linear"
- },
- "show": true,
- "style": {},
- "title": {
- "text": "Total Requests"
- },
- "type": "value"
- }
- ]
- },
- "title": " Database Account Requests By Status Code [Azure Metrics]",
- "type": "histogram"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-037382e0-856e-11ea-91bc-ab084c7ec0e7",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-044b8940-ff5e-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-044b8940-ff5e-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index b3b307200e1..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-044b8940-ff5e-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Thread Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "914bafb0-ff5d-11eb-8d10-c71ba6abf264"
- }
- ],
- "bar_color_rules": [
- {
- "id": "8f566f60-ff5d-11eb-8d10-c71ba6abf264"
- }
- ],
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\" "
- },
- "gauge_color_rules": [
- {
- "id": "8dae3da0-ff5d-11eb-8d10-c71ba6abf264"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "095723bb-6b35-4299-95b6-3b1e4fe567aa",
- "index_pattern": "metrics-*",
- "interval": "",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(231,102,76,1)",
- "fill": 0.5,
- "formatter": "number",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Thread Count Average",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.process_thread_count.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "top_n",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Thread Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-044b8940-ff5e-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-04f8eec0-6ab1-11ea-af5c-73e8f396b3e9.json b/packages/azure_metrics/kibana/visualization/azure_metrics-04f8eec0-6ab1-11ea-af5c-73e8f396b3e9.json
deleted file mode 100644
index 276799e8aac..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-04f8eec0-6ab1-11ea-af5c-73e8f396b3e9.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Instance CPU Utilization [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerInstance/containerGroups\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(164,221,0,1)",
- "fill": "",
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Azure Container CPU Utilization",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.container_instance.cpu_usage.avg",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Instance CPU Utilization [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-04f8eec0-6ab1-11ea-af5c-73e8f396b3e9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-0892eaa0-ea9a-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-0892eaa0-ea9a-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 70cc2de737e..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-0892eaa0-ea9a-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VM Disk Write Operations/s [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,196,0,1)",
- "fill": 0,
- "formatter": "number",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "VM Disk Write Operations/s",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.disk_write_operations_per_sec.avg",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VM Disk Write Operations/s [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-0892eaa0-ea9a-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-097bc300-eaa5-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-097bc300-eaa5-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 50e76a0b164..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-097bc300-eaa5-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,136 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "ASP.NET Application Requests [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "be74e9e0-eaa4-11e9-8923-850d87d8e766",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(254,146,0,1)",
- "fill": 0,
- "formatter": "number",
- "id": "be74e9e1-eaa4-11e9-8923-850d87d8e766",
- "label": "timed out",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_requests_timed_out.avg",
- "id": "be74e9e2-eaa4-11e9-8923-850d87d8e766",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#DB1374",
- "fill": 0,
- "formatter": "number",
- "id": "be74e9e3-eaa4-11e9-8923-850d87d8e766",
- "label": "failed",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_requests_failed.avg",
- "id": "be74e9e4-eaa4-11e9-8923-850d87d8e766",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#00B3A4",
- "fill": 0,
- "formatter": "number",
- "id": "be7510f0-eaa4-11e9-8923-850d87d8e766",
- "label": "succeeded",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_requests_succeeded.avg",
- "id": "be7510f1-eaa4-11e9-8923-850d87d8e766",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#490092",
- "fill": 0,
- "formatter": "number",
- "id": "be7510f2-eaa4-11e9-8923-850d87d8e766",
- "label": "total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_requests_total.avg",
- "id": "be7510f3-eaa4-11e9-8923-850d87d8e766",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "ASP.NET Application Requests [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-097bc300-eaa5-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-09a6f150-3399-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-09a6f150-3399-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 0b0378d608e..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-09a6f150-3399-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage File Share Snapshot Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "pivot_id": "azure.resource.name",
- "pivot_label": "Resource Name",
- "pivot_rows": "30",
- "pivot_type": "string",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(0,98,177,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "File Share Snapshot Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.file_share_snapshot_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage File Share Snapshot Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-09a6f150-3399-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-09f05e00-32f7-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-09f05e00-32f7-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 889b2397171..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-09f05e00-32f7-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation Queue Storage Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 10,
- "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [**Queue**](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Queue Storage Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-09f05e00-32f7-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-0aacc190-eaa8-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-0aacc190-eaa8-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 9f746ddf181..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-0aacc190-eaa8-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "SQL Server User Connections [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type :\"Microsoft.Compute/virtualMachines\" "
- },
- "id": "da495db0-eaa7-11e9-a88b-4b683ca3087b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#3185FC",
- "fill": 0,
- "formatter": "number",
- "id": "da495db1-eaa7-11e9-a88b-4b683ca3087b",
- "label": "connections",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.sqlserver_general_statistics_user_connections.avg",
- "id": "da495db2-eaa7-11e9-a88b-4b683ca3087b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "SQL Server User Connections [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-0aacc190-eaa8-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-0d03a670-eb43-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-0d03a670-eb43-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 7c9ef8f6ce4..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-0d03a670-eb43-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VMSS Disk Writes [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type :\"Microsoft.Compute/virtualMachineScaleSets\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(0,180,251,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "VM Disk Writes bytes",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm_scaleset.disk_write_bytes.total",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VMSS Disk Writes [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-0d03a670-eb43-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-0d24a880-ff68-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-0d24a880-ff68-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 0b864c5721c..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-0d24a880-ff68-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,80 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Mem available [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\" "
- },
- "id": "0fb3f4f8-aa8a-4aa0-9fbe-b0edf258db35",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(170,101,86,1)",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Memory available",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.mem_per_available.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "complimentary",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": null,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Mem available [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-0d24a880-ff68-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-0fa31060-6aae-11ea-af5c-73e8f396b3e9.json b/packages/azure_metrics/kibana/visualization/azure_metrics-0fa31060-6aae-11ea-af5c-73e8f396b3e9.json
deleted file mode 100644
index 6eaf220198f..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-0fa31060-6aae-11ea-af5c-73e8f396b3e9.json
+++ /dev/null
@@ -1,91 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Containers Filters [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "controls": [
- {
- "fieldName": "azure.subscription_id",
- "id": "1584710440054",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Subscription",
- "options": {
- "dynamicOptions": true,
- "multiselect": false,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.group",
- "id": "1584710497045",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Resource Group",
- "options": {
- "dynamicOptions": true,
- "multiselect": false,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.name",
- "id": "1584710535722",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "Resource",
- "options": {
- "dynamicOptions": true,
- "multiselect": false,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": true,
- "useTimeFilter": false
- },
- "title": "Containers Filters [Azure Metrics]",
- "type": "input_control_vis"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-0fa31060-6aae-11ea-af5c-73e8f396b3e9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-109ec950-32e6-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-109ec950-32e6-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index babac6e1863..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-109ec950-32e6-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Used Capacity Resource Table [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "pivot_id": "azure.resource.name",
- "pivot_label": "Resource Name",
- "pivot_rows": "30",
- "pivot_type": "string",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Used Capacity",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.used_capacity.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "top_n",
- "use_kibana_indexes": false
- },
- "title": "Storage Used Capacity Resource Table [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-109ec950-32e6-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-160e5bd0-ff6d-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-160e5bd0-ff6d-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index ed98caa3af9..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-160e5bd0-ff6d-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,80 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Swap Used [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\" "
- },
- "id": "e0973b16-3ae9-492b-a436-049bf60dbef5",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(96,146,192,1)",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Swap used",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.swap_per_used.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "complimentary",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": null,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Swap Used [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-160e5bd0-ff6d-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-17ee2920-3391-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-17ee2920-3391-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 28a54fd708f..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-17ee2920-3391-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Blob Capacity [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "pivot_id": "azure.resource.name",
- "pivot_label": "Resource Name",
- "pivot_rows": "30",
- "pivot_type": "string",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(0,156,224,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Blob Capacity",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.blob_capacity.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Blob Capacity [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-17ee2920-3391-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-1a61d870-ff62-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-1a61d870-ff62-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 81106787b17..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-1a61d870-ff62-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Process Working Set [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\" "
- },
- "id": "47544067-6bb1-4de2-ae92-834d46582265",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Process Working Set",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.process_working_set.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Process Working Set [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-1a61d870-ff62-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-1e70dc50-6d22-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-1e70dc50-6d22-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index f2b28808e5f..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-1e70dc50-6d22-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation Container Registry Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 12,
- "markdown": "### Azure Containers\n\n[Instances](#/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38) |\n[**Registries**](#/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2) |\n[Services](#/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Container Registry Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-1e70dc50-6d22-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-1e9d1bb0-ff63-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-1e9d1bb0-ff63-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 37421718b86..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-1e9d1bb0-ff63-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Memory Committed Bytes [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\" "
- },
- "id": "8851f76e-5376-4962-87c2-b17d7b27f3bd",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Memory committed bytes",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.memory_committed_bytes.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Memory Committed Bytes [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-1e9d1bb0-ff63-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-1f5c1cd0-eaa3-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-1f5c1cd0-eaa3-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 731b29d05e1..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-1f5c1cd0-eaa3-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,86 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "ASP.NET Applications Running [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "04bf3740-eaa3-11e9-8742-b533e334ee9a"
- }
- ],
- "bar_color_rules": [
- {
- "id": "03eec7e0-eaa3-11e9-8742-b533e334ee9a"
- }
- ],
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "gauge_color_rules": [
- {
- "id": "07485320-eaa3-11e9-8742-b533e334ee9a"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "d1acb8f0-eaa2-11e9-a229-c9171499dcc6",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#3185FC",
- "fill": "0.2",
- "formatter": "number",
- "id": "d1acb8f1-eaa2-11e9-a229-c9171499dcc6",
- "label": "applications running",
- "line_width": "1",
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_running.avg",
- "id": "d1acb8f2-eaa2-11e9-a229-c9171499dcc6",
- "type": "max"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "ASP.NET Applications Running [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-1f5c1cd0-eaa3-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-2219de20-32ed-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-2219de20-32ed-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 7c84debe193..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-2219de20-32ed-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Egress Gauge [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Egress",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.egress.total",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Egress Gauge [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-2219de20-32ed-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-241a55e0-3399-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-241a55e0-3399-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 43ab3760df5..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-241a55e0-3399-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage File Share Snapshot Size [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "pivot_id": "azure.resource.name",
- "pivot_label": "Resource Name",
- "pivot_rows": "30",
- "pivot_type": "string",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(0,98,177,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "File Share Snapshot Size",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.file_share_snapshot_size.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage File Share Snapshot Size [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-241a55e0-3399-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-2bedaca0-339d-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-2bedaca0-339d-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 8c19ce15320..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-2bedaca0-339d-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Queue Message Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0a'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Queue Message Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.queue_message_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Queue Message Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-2bedaca0-339d-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-33500790-eaaf-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-33500790-eaaf-11e9-90ec-112a988266d5.json
deleted file mode 100644
index e06aa933e31..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-33500790-eaaf-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VMSS CPU Utilization [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type :\"Microsoft.Compute/virtualMachineScaleSets\" "
- },
- "id": "7666abc0-eaae-11e9-a083-57ad7f0b1ec1",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#3185FC",
- "fill": 0,
- "formatter": "number",
- "id": "7666abc1-eaae-11e9-a083-57ad7f0b1ec1",
- "label": "avg(azure.compute_vm_scaleset.percentage_cpu.avg)",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm_scaleset.percentage_cpu.avg",
- "id": "7666abc2-eaae-11e9-a083-57ad7f0b1ec1",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VMSS CPU Utilization [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-33500790-eaaf-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-33d645e0-32ed-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-33d645e0-32ed-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index d74bf518371..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-33d645e0-32ed-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Ingress Gauge [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Ingress",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.ingress.total",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Ingress Gauge [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-33d645e0-32ed-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-3630b9a0-6d22-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-3630b9a0-6d22-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index 9845db90760..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-3630b9a0-6d22-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Navigation Container Service Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 12,
- "markdown": "### Azure Containers\n\n[Instances](#/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38) |\n[Registries](#/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2) |\n[**Services**](#/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Container Service Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-3630b9a0-6d22-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-3a50e950-eb46-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-3a50e950-eb46-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 3e76eb336b8..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-3a50e950-eb46-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VM Disk Read Operations/s [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,196,0,1)",
- "fill": 0,
- "formatter": "number",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "VM Disk Read Operations/s",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.disk_read_operations_per_sec.avg",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VM Disk Read Operations/s [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-3a50e950-eb46-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-40dbc0d0-32e3-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-40dbc0d0-32e3-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 736e5beb6e9..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-40dbc0d0-32e3-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,99 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Availability [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "background_color": "rgba(104,204,202,1)",
- "id": "18f616c0-32e2-11ea-867b-37070aefa392",
- "operator": "gte",
- "value": 100
- },
- {
- "background_color": "rgba(244,78,59,1)",
- "id": "998b1c90-32e2-11ea-867b-37070aefa392",
- "operator": "lt",
- "value": 100
- }
- ],
- "bar_color_rules": [
- {
- "id": "28142cf0-32e2-11ea-867b-37070aefa392"
- }
- ],
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "29808e30-32e2-11ea-867b-37070aefa392"
- }
- ],
- "gauge_inner_width": "7",
- "gauge_style": "circle",
- "gauge_width": 10,
- "id": "0e91b810-32e2-11ea-a93d-dd20c62559b3",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(22,165,165,1)",
- "fill": "0.6",
- "formatter": "number",
- "hide_in_legend": 1,
- "id": "0e91b811-32e2-11ea-a93d-dd20c62559b3",
- "label": "Availability",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.availability.avg",
- "id": "0e91b812-32e2-11ea-a93d-dd20c62559b3",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": null,
- "type": "timeseries",
- "value_template": "{{value}} %"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "time_range_mode": "last_value",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Storage Availability [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-40dbc0d0-32e3-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-4177aab0-83cc-11ea-be84-f5d4d6b9a792.json b/packages/azure_metrics/kibana/visualization/azure_metrics-4177aab0-83cc-11ea-be84-f5d4d6b9a792.json
deleted file mode 100644
index 832be6404f0..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-4177aab0-83cc-11ea-be84-f5d4d6b9a792.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Navigation Database Account Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 12,
- "markdown": "### Azure Database Accounts\n",
- "openLinksInNewTab": false
- },
- "title": "Navigation Database Account Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-4177aab0-83cc-11ea-be84-f5d4d6b9a792",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-42cc28d0-ea9a-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-42cc28d0-ea9a-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 88f1883f823..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-42cc28d0-ea9a-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VMSS Disk Reads [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type :\"Microsoft.Compute/virtualMachineScaleSets\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,196,0,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "VM Disk Read bytes",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm_scaleset.disk_read_bytes.total",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VMSS Disk Reads [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-42cc28d0-ea9a-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-43b31a20-339b-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-43b31a20-339b-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 35a89a48f2a..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-43b31a20-339b-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Table Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Table Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.table_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Table Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-43b31a20-339b-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-45344560-ff67-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-45344560-ff67-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 2260724a824..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-45344560-ff67-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute Guest CPU Usage Active [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\" "
- },
- "id": "64599d87-7adf-47e3-893c-9a2ce48182b0",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "number",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "CPU Usage Active",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.cpu_per_usage_active.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute Guest CPU Usage Active [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-45344560-ff67-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-453965a0-3393-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-453965a0-3393-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 6e8c8de147f..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-453965a0-3393-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage File Capacity [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "pivot_id": "azure.resource.name",
- "pivot_label": "Resource Name",
- "pivot_rows": "30",
- "pivot_type": "string",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,196,0,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "File Capacity",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.file_capacity.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage File Capacity [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-453965a0-3393-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-46ccce70-ff61-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-46ccce70-ff61-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index ae09db39d8c..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-46ccce70-ff61-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,142 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Network interface bytes/sec",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "6d634e20-ff60-11eb-8d10-c71ba6abf264"
- }
- ],
- "bar_color_rules": [
- {
- "id": "70b908d0-ff60-11eb-8d10-c71ba6abf264"
- }
- ],
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\" "
- },
- "gauge_color_rules": [
- {
- "id": "72827e30-ff60-11eb-8d10-c71ba6abf264"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "20c8ad7b-ede0-40c2-a0b0-b6d7fe2ade2c",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(96,146,192,1)",
- "fill": "0.5",
- "formatter": "bytes",
- "hidden": false,
- "hide_in_legend": 0,
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Network interface received bytes/sec",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.network_interface_bytes_received_per_sec.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "temperature",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": null,
- "split_mode": "terms",
- "stacked": "none",
- "steps": 0,
- "terms_field": "azure.resource.name",
- "terms_order_by": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "timeseries",
- "value_template": "{{value}}/s"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "fc394600-ff5f-11eb-8d10-c71ba6abf264",
- "label": "Network interface sent bytes/sec",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.network_interface_bytes_sent_per_sec.avg",
- "id": "fc394601-ff5f-11eb-8d10-c71ba6abf264",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "positive",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": null,
- "split_filters": [
- {
- "color": "#68BC00",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "id": "19695990-ff60-11eb-8d10-c71ba6abf264"
- }
- ],
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}/s"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Network interface bytes/sec",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-46ccce70-ff61-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-46dd8ff0-ff64-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-46dd8ff0-ff64-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index ea1094d5f6a..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-46dd8ff0-ff64-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Available Memory [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\" "
- },
- "id": "519576cd-f5e4-48d0-a598-5e09fe30b8ef",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Available memory",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.memory_available_bytes.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Available Memory [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-46dd8ff0-ff64-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-4bbd6f50-feaf-11eb-8fff-87871c582eca.json b/packages/azure_metrics/kibana/visualization/azure_metrics-4bbd6f50-feaf-11eb-8fff-87871c582eca.json
deleted file mode 100644
index 623bef9735e..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-4bbd6f50-feaf-11eb-8fff-87871c582eca.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation Compute VM Guest ASP.NET \u0026 SQL Server Guest Metrics [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 12,
- "markdown": "### Azure Guest ASP.NET \u0026 SQL Server Metrics\n\n[Back to Overview Metrics](#/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5) | [Memory \u0026 Process](#/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca) | [**ASP.NET and SQL Server**](#/dashboard/azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Compute VM Guest ASP.NET \u0026 SQL Server Guest Metrics [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-4bbd6f50-feaf-11eb-8fff-87871c582eca",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-4c2cb860-ff5e-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-4c2cb860-ff5e-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index aa4f049d0bd..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-4c2cb860-ff5e-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,89 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Handle Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "30de8430-ff5e-11eb-8d10-c71ba6abf264"
- }
- ],
- "bar_color_rules": [
- {
- "id": "314eab20-ff5e-11eb-8d10-c71ba6abf264"
- }
- ],
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\" "
- },
- "id": "18a8b235-96dd-4eec-889b-15a487d62956",
- "index_pattern": "metrics-*",
- "interval": "",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(211,96,134,1)",
- "fill": 0.5,
- "formatter": "number",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Handle Count Average",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.process_handle_count.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "top_n",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Handle Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-4c2cb860-ff5e-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-4eaef260-32e1-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-4eaef260-32e1-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 24fa71d7012..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-4eaef260-32e1-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,103 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Account Ingress Traffic [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "0791c5a0-32d8-11ea-98d2-1194b9f2bfc0"
- }
- ],
- "bar_color_rules": [
- {
- "id": "fca016e0-32de-11ea-a435-e7199eba380d"
- }
- ],
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "fb8be7c0-32de-11ea-a435-e7199eba380d"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "f0edca80-32d5-11ea-b19d-fb5049b980ca",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,188,0,1)",
- "fill": 0,
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "hidden": false,
- "id": "f0edf190-32d5-11ea-b19d-fb5049b980ca",
- "label": "Storage Accounts Ingress Total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.ingress.total",
- "id": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
- "type": "max"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_filters": [
- {
- "color": "rgba(0,98,177,1)",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "id": "283dc410-32d9-11ea-98d2-1194b9f2bfc0"
- }
- ],
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.api_name",
- "terms_order_by": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Storage Account Ingress Traffic [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-4eaef260-32e1-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-4fa6b100-ff6b-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-4fa6b100-ff6b-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 3500bed0824..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-4fa6b100-ff6b-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Diskio Write Bytes [Azure metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\" "
- },
- "id": "1f539c7c-0bf8-4abe-ad51-063944c4ab87",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Diskio Write bytes",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.diskio_per_write_bytes.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Diskio Write Bytes [Azure metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-4fa6b100-ff6b-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-5031b220-eb61-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-5031b220-eb61-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 8a566af5267..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-5031b220-eb61-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,97 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "VM Filters [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "controls": [
- {
- "fieldName": "cloud.region",
- "id": "1549397251041",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Region",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.group",
- "id": "1549512142947",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Resource Group",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.name",
- "id": "1570774891724",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "VM Name",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": true,
- "useTimeFilter": false
- },
- "title": "VM Filters [Azure Metrics]",
- "type": "input_control_vis"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-5031b220-eb61-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-553f9320-32e9-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-553f9320-32e9-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index af068d3a366..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-553f9320-32e9-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,70 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Transactions [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "id": "c9fd65d0-32e8-11ea-84f4-e9593f8ba8f6",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "bar",
- "color": "#3185FC",
- "fill": 0.5,
- "formatter": "number",
- "id": "c9fd8ce0-32e8-11ea-84f4-e9593f8ba8f6",
- "label": "avg(azure.storage_account.transactions.total)",
- "line_width": "1",
- "metrics": [
- {
- "field": "azure.storage_account.transactions.total",
- "id": "c9fd8ce1-32e8-11ea-84f4-e9593f8ba8f6",
- "type": "max"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.response_type",
- "terms_order_by": "c9fd8ce1-32e8-11ea-84f4-e9593f8ba8f6",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Storage Transactions [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-553f9320-32e9-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-55936920-3391-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-55936920-3391-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index cee3f6c2644..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-55936920-3391-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Blob Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(0,156,224,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Blob Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.blob_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Blob Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-55936920-3391-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-5720b830-6aad-11ea-af5c-73e8f396b3e9.json b/packages/azure_metrics/kibana/visualization/azure_metrics-5720b830-6aad-11ea-af5c-73e8f396b3e9.json
deleted file mode 100644
index df5c0706e3f..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-5720b830-6aad-11ea-af5c-73e8f396b3e9.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Navigation Container Instance Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 12,
- "markdown": "### Azure Containers\n\n[**Instances**](#/dashboard/azure_metrics-9c11ac60-6cf6-11ea-8fe8-71add5fd7c38) |\n[Registries](#/dashboard/azure_metrics-72fe31e7-ea7d-4796-94d1-8f0a091904e2) |\n[Services](#/dashboard/azure_metrics-dae20ed0-6d0a-11ea-8fe8-71add5fd7c38) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Container Instance Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-5720b830-6aad-11ea-af5c-73e8f396b3e9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-58baa240-ff68-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-58baa240-ff68-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index aae1783ceee..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-58baa240-ff68-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,80 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Memory used [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\" "
- },
- "id": "3b6b4d67-082c-4253-98f2-23cfda52c7b7",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(231,102,76,1)",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Memory used",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.mem_per_used.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "negative",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": null,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Memory used [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-58baa240-ff68-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-599c62c0-32d7-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-599c62c0-32d7-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 00ad8d91456..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-599c62c0-32d7-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,103 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Account Egress Traffic [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "0791c5a0-32d8-11ea-98d2-1194b9f2bfc0"
- }
- ],
- "bar_color_rules": [
- {
- "id": "fca016e0-32de-11ea-a435-e7199eba380d"
- }
- ],
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "fb8be7c0-32de-11ea-a435-e7199eba380d"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "f0edca80-32d5-11ea-b19d-fb5049b980ca",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(0,149,177,1)",
- "fill": 0,
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "hidden": false,
- "id": "f0edf190-32d5-11ea-b19d-fb5049b980ca",
- "label": "Storage Accounts Egress Total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.egress.total",
- "id": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
- "type": "max"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_filters": [
- {
- "color": "rgba(0,98,177,1)",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "id": "283dc410-32d9-11ea-98d2-1194b9f2bfc0"
- }
- ],
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.api_name",
- "terms_order_by": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Storage Account Egress Traffic [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-599c62c0-32d7-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-59b69c30-ff6d-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-59b69c30-ff6d-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 80bb96419b7..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-59b69c30-ff6d-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,80 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Swap Free [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\" "
- },
- "id": "bac46e14-eff0-4cd7-b441-085064a59c91",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Swap Free",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.swap_per_free.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "status",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": null,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Swap Free [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-59b69c30-ff6d-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-5c016810-ea9a-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-5c016810-ea9a-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 3ceec4b8f79..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-5c016810-ea9a-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VM Disk Writes [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type :\"Microsoft.Compute/virtualMachines\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(176,188,0,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "VM Disk Writes bytes",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.disk_write_bytes.total",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VM Disk Writes [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-5c016810-ea9a-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-5cbf5820-339c-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-5cbf5820-339c-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index bc5c1f39457..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-5cbf5820-339c-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Table Entity Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0a'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Table Entity Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.table_entity_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Table Entity Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-5cbf5820-339c-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-634b83c0-32ee-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-634b83c0-32ee-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 27898c2f261..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-634b83c0-32ee-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Used Capacity [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "pivot_id": "azure.resource.name",
- "pivot_label": "Resource Name",
- "pivot_rows": "30",
- "pivot_type": "string",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Used Capacity",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.used_capacity.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Used Capacity [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-634b83c0-32ee-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-64266ec0-eb42-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-64266ec0-eb42-11e9-90ec-112a988266d5.json
deleted file mode 100644
index e7ac5b4f0fe..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-64266ec0-eb42-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VMSS Network In Total [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachineScaleSets\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "Azure VMSS Network In Total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm_scaleset.network_in_total.total",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VMSS Network In Total [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-64266ec0-eb42-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-674c1d70-83cc-11ea-be84-f5d4d6b9a792.json b/packages/azure_metrics/kibana/visualization/azure_metrics-674c1d70-83cc-11ea-be84-f5d4d6b9a792.json
deleted file mode 100644
index 978b4d51127..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-674c1d70-83cc-11ea-be84-f5d4d6b9a792.json
+++ /dev/null
@@ -1,111 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Database Account Filters [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "controls": [
- {
- "fieldName": "azure.subscription_id",
- "id": "1584710440054",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Subscription",
- "options": {
- "dynamicOptions": true,
- "multiselect": false,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.group",
- "id": "1584710497045",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Resource Group",
- "options": {
- "dynamicOptions": true,
- "multiselect": false,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.name",
- "id": "1584710535722",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "Resource",
- "options": {
- "dynamicOptions": true,
- "multiselect": false,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.dimensions.database_name",
- "id": "1587643606086",
- "indexPatternRefName": "control_3_index_pattern",
- "label": "Database",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "1584710535722",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": true,
- "useTimeFilter": false
- },
- "title": "Database Account Filters [Azure Metrics]",
- "type": "input_control_vis"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-674c1d70-83cc-11ea-be84-f5d4d6b9a792",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_3_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-685fbeb0-32eb-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-685fbeb0-32eb-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 0ac7d74962e..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-685fbeb0-32eb-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,70 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Success E2E Latency [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "id": "da4459b0-32ea-11ea-be35-cb10be813609",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "bar",
- "color": "#3185FC",
- "fill": 0.5,
- "formatter": "number",
- "id": "da4459b1-32ea-11ea-be35-cb10be813609",
- "label": "Success E2E Latency (ms)",
- "line_width": "1",
- "metrics": [
- {
- "field": "azure.storage_account.success_e2elatency.avg",
- "id": "da4459b2-32ea-11ea-be35-cb10be813609",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.api_name",
- "terms_order_by": "da4459b2-32ea-11ea-be35-cb10be813609",
- "type": "timeseries",
- "value_template": "{{value}} ms"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Storage Success E2E Latency [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-685fbeb0-32eb-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-686bc990-ea92-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-686bc990-ea92-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 0ed079c7edd..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-686bc990-ea92-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,97 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "VMSS Filters [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "controls": [
- {
- "fieldName": "cloud.region",
- "id": "1549397251041",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Region",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.group",
- "id": "1549512142947",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Resource Group",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.dimensions.vmname",
- "id": "1570711989416",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "VM Name (dimension)",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": true,
- "useTimeFilter": false
- },
- "title": "VMSS Filters [Azure Metrics]",
- "type": "input_control_vis"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-686bc990-ea92-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-6d52a660-eaa4-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-6d52a660-eaa4-11e9-90ec-112a988266d5.json
deleted file mode 100644
index d4933c6661b..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-6d52a660-eaa4-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "ASP.NET Application Error Rates [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "29576400-eaa4-11e9-a2d3-e7a00bbd3c18",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(244,78,59,1)",
- "fill": "0.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "number",
- "id": "29578b10-eaa4-11e9-a2d3-e7a00bbd3c18",
- "label": "errors",
- "line_width": "1",
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_errors_total.avg",
- "id": "29578b11-eaa4-11e9-a2d3-e7a00bbd3c18",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "ASP.NET Application Error Rates [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-6d52a660-eaa4-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-6e2d9930-6d1e-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-6e2d9930-6d1e-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index 684fa078c23..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-6e2d9930-6d1e-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Service Kube Node Status Allocatable CPU Cores [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerService/managedClusters\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(196,81,0,1)",
- "fill": "0",
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Container Service Kube Node Status Allocatable CPU Cores",
- "line_width": "02",
- "metrics": [
- {
- "field": "azure.container_service.kube_node_status_allocatable_cpu_cores.avg",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Service Kube Node Status Allocatable CPU Cores [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-6e2d9930-6d1e-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-707d2660-ff62-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-707d2660-ff62-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 7e29eff3d01..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-707d2660-ff62-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Process Working Set Private",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\" "
- },
- "id": "e90f7dab-0656-40d2-b1e0-f669895c3896",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(145,112,184,1)",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Process Working Set Private",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.process_working_set_private.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "gradient",
- "params": {
- "colors": [
- "rgba(145,112,184,1)",
- "rgb(92, 63, 126)"
- ],
- "gradient": true
- },
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": null,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Process Working Set Private",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-707d2660-ff62-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-7205a4f0-ea95-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-7205a4f0-ea95-11e9-90ec-112a988266d5.json
deleted file mode 100644
index ad36ad1ddef..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-7205a4f0-ea95-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VM Available Memory [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "c7e12030-ea94-11e9-bf06-bfc27258c9ad",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(176,188,0,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "c7e12031-ea94-11e9-bf06-bfc27258c9ad",
- "label": "VM Available Memory",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.available_memory_bytes.avg",
- "id": "c7e12032-ea94-11e9-bf06-bfc27258c9ad",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VM Available Memory [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-7205a4f0-ea95-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-722ef2f0-3393-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-722ef2f0-3393-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 4a48009c5b9..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-722ef2f0-3393-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage File Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(164,221,0,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "File Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.file_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage File Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-722ef2f0-3393-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-74a8e130-6cfa-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-74a8e130-6cfa-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index 80ba6d76775..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-74a8e130-6cfa-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,72 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Instance Network Bytes Transmitted/s [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": "0",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerInstance/containerGroups\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(128,137,0,1)",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Container Instance Network Bytes Transmitted/s",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.container_instance.network_bytes_transmitted_per_second.avg",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Instance Network Bytes Transmitted/s [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-74a8e130-6cfa-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-787a0a20-eaa8-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-787a0a20-eaa8-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 9790eeb223d..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-787a0a20-eaa8-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,90 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "SQL Server Page Reads/Writes [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "35459a30-eaa8-11e9-a379-c33a712c0373",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,196,0,1)",
- "fill": 0,
- "formatter": "number",
- "id": "35459a31-eaa8-11e9-a379-c33a712c0373",
- "label": "Page Reads/s",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.sqlserver_buffer_manager_page_reads_per_sec.avg",
- "id": "35459a32-eaa8-11e9-a379-c33a712c0373",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(176,188,0,1)",
- "fill": 0,
- "formatter": "number",
- "id": "35459a33-eaa8-11e9-a379-c33a712c0373",
- "label": "Page Writes/s",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.sqlserver_buffer_manager_page_writes_per_sec.avg",
- "id": "35459a34-eaa8-11e9-a379-c33a712c0373",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "SQL Server Page Reads/Writes [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-787a0a20-eaa8-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-7972b260-6d07-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-7972b260-6d07-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index 0c3ecadc434..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-7972b260-6d07-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Registry Successful Pull Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerRegistry/registries\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(188,74,0,1)",
- "fill": "0",
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Container Registry Successful Pull Count",
- "line_width": "02",
- "metrics": [
- {
- "field": "azure.container_registry.successful_pull_count.total",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Registry Successful Pull Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-7972b260-6d07-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-7ddc8350-ff67-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-7ddc8350-ff67-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index d3eb300ce22..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-7ddc8350-ff67-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest CPU Usage Idle [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\" "
- },
- "id": "816f9129-cb91-44c8-9ea5-45633f4b9b64",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "number",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "CPU Usage Idle",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.cpu_per_usage_idle.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest CPU Usage Idle [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-7ddc8350-ff67-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 273a93160f8..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,70 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Success Server Latency [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "id": "e9a40230-32e9-11ea-bda2-69435df36a5c",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "bar",
- "color": "#3185FC",
- "fill": 0.5,
- "formatter": "number",
- "id": "e9a40231-32e9-11ea-bda2-69435df36a5c",
- "label": "SuccessServerLatency (ms)",
- "line_width": "1",
- "metrics": [
- {
- "field": "azure.storage_account.success_server_latency.avg",
- "id": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.api_name",
- "terms_order_by": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "timeseries",
- "value_template": "{{value}} ms"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Storage Success Server Latency [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d11cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d11cc.json
deleted file mode 100644
index b67dc024d74..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d11cc.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Database Account Available Storage [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\" "
- },
- "id": "e9a40230-32e9-11ea-bda2-69435df36a5c",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(101,50,148,1)",
- "fill": "0",
- "formatter": "bytes",
- "id": "e9a40231-32e9-11ea-bda2-69435df36a5c",
- "label": "Available storage",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.database_account.available_storage.total",
- "id": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_exclude": "\"\u003cempty\u003e\"",
- "terms_field": "azure.dimensions.database_name",
- "terms_order_by": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Database Account Available Storage [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-81f16b40-32ea-11ea-a83e-25b8612d11cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-8b6b9450-ea99-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-8b6b9450-ea99-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 01af3ee8e43..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-8b6b9450-ea99-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VM Network In Total [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "Azure VM Network In Total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.network_in_total.total",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VM Network In Total [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-8b6b9450-ea99-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-942844b0-6ac5-11ea-af5c-73e8f396b3e9.json b/packages/azure_metrics/kibana/visualization/azure_metrics-942844b0-6ac5-11ea-af5c-73e8f396b3e9.json
deleted file mode 100644
index 999fa79ee34..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-942844b0-6ac5-11ea-af5c-73e8f396b3e9.json
+++ /dev/null
@@ -1,72 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Instance Memory Utilization [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": "0",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerInstance/containerGroups\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Container Instance Memory Utilization",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.container_instance.memory_usage.avg",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "0",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Instance Memory Utilization [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-942844b0-6ac5-11ea-af5c-73e8f396b3e9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-94be5bc0-feae-11eb-8fff-87871c582eca.json b/packages/azure_metrics/kibana/visualization/azure_metrics-94be5bc0-feae-11eb-8fff-87871c582eca.json
deleted file mode 100644
index 245a81b8bb2..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-94be5bc0-feae-11eb-8fff-87871c582eca.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation Compute VM Memory \u0026 Process Metrics [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 12,
- "markdown": "### Azure Guest Metrics for Windows VM's\n\n[Back to Overview](#/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5) | [**Memory \u0026 Process**](#/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca) | [ASP.NET and SQL Server](#/dashboard/azure_metrics-a6f5d430-eaa6-11e9-90ec-112a988266d5) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Compute VM Memory \u0026 Process Metrics [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-94be5bc0-feae-11eb-8fff-87871c582eca",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-9c1a1910-ea9a-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-9c1a1910-ea9a-11e9-90ec-112a988266d5.json
deleted file mode 100644
index edb9d901773..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-9c1a1910-ea9a-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VMSS Disk Read Operations [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachineScaleSets\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,196,0,1)",
- "fill": 0,
- "formatter": "number",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "VM Disk Read Operations/s",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm_scaleset.disk_read_operations_per_sec.avg",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VMSS Disk Read Operations [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-9c1a1910-ea9a-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-9e991b10-3391-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-9e991b10-3391-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 4cdd05134a0..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-9e991b10-3391-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Container Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,188,0,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Container Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.container_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Container Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-9e991b10-3391-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-a16b5900-8492-11ea-b181-4b1a9e0110f9.json b/packages/azure_metrics/kibana/visualization/azure_metrics-a16b5900-8492-11ea-b181-4b1a9e0110f9.json
deleted file mode 100644
index 7135a9affac..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-a16b5900-8492-11ea-b181-4b1a9e0110f9.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Database Account Total Requests [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\" "
- },
- "id": "e9a40230-32e9-11ea-bda2-69435df36a5c",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(211,49,21,1)",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "number",
- "id": "e9a40231-32e9-11ea-bda2-69435df36a5c",
- "label": "Total Requests",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.database_account.total_requests.count",
- "id": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_exclude": "\"\u003cempty\u003e\"",
- "terms_field": "azure.dimensions.database_name",
- "terms_order_by": "_count",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Database Account Total Requests [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-a16b5900-8492-11ea-b181-4b1a9e0110f9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-a49b4e20-8490-11ea-b181-4b1a9e0110f9.json b/packages/azure_metrics/kibana/visualization/azure_metrics-a49b4e20-8490-11ea-b181-4b1a9e0110f9.json
deleted file mode 100644
index 3cfd440155e..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-a49b4e20-8490-11ea-b181-4b1a9e0110f9.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Database Account Data Usage [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\" "
- },
- "id": "e9a40230-32e9-11ea-bda2-69435df36a5c",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#3185FC",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "e9a40231-32e9-11ea-bda2-69435df36a5c",
- "label": "Data Usage",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.database_account.data_usage.total",
- "id": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_exclude": "\"\u003cempty\u003e\"",
- "terms_field": "azure.dimensions.database_name",
- "terms_order_by": "_count",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Database Account Data Usage [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-a49b4e20-8490-11ea-b181-4b1a9e0110f9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-a4bf9710-3393-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-a4bf9710-3393-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index b9b61b2ef43..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-a4bf9710-3393-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage File Share Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(164,221,0,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "File Share Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.file_share_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage File Share Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-a4bf9710-3393-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-abd32c30-ea99-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-abd32c30-ea99-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 45ded17856a..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-abd32c30-ea99-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VM Network Out Total [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(115,216,255,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "Azure VM Network Out Total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.network_out_total.total",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VM Network Out Total [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-abd32c30-ea99-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-acced050-32d1-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-acced050-32d1-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 53bc1461128..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-acced050-32d1-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,97 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Storage Filters [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "controls": [
- {
- "fieldName": "azure.subscription_id",
- "id": "1549397251041",
- "indexPatternRefName": "control_0_index_pattern",
- "label": "Subscription",
- "options": {
- "dynamicOptions": true,
- "multiselect": false,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.group",
- "id": "1549512142947",
- "indexPatternRefName": "control_1_index_pattern",
- "label": "Resource Group",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- },
- {
- "fieldName": "azure.resource.name",
- "id": "1578578146383",
- "indexPatternRefName": "control_2_index_pattern",
- "label": "Resource Name",
- "options": {
- "dynamicOptions": true,
- "multiselect": true,
- "order": "desc",
- "size": 5,
- "type": "terms"
- },
- "parent": "",
- "type": "list"
- }
- ],
- "pinFilters": false,
- "updateFiltersOnChange": true,
- "useTimeFilter": false
- },
- "title": "Storage Filters [Azure Metrics]",
- "type": "input_control_vis"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-acced050-32d1-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-b45fd8e0-eb42-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-b45fd8e0-eb42-11e9-90ec-112a988266d5.json
deleted file mode 100644
index c6edab2685c..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-b45fd8e0-eb42-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VMSS Network Out Total [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachineScaleSets\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,188,0,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "Azure VM Network Out Total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm_scaleset.network_out_total.total",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VMSS Network Out Total [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-b45fd8e0-eb42-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-b5aad170-ff66-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-b5aad170-ff66-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 1fb081c171c..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-b5aad170-ff66-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,114 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM net/bytes sent/recv [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\" "
- },
- "id": "b71eb3c5-1305-430d-a202-194bde6b17ce",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "net/bytes sent",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.net_per_bytes_sent.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(170,101,86,1)",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "7fd45120-ff66-11eb-8d10-c71ba6abf264",
- "label": "net/bytes received",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.net_per_bytes_recv.avg",
- "id": "7fd45121-ff66-11eb-8d10-c71ba6abf264",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "gradient",
- "params": {
- "colors": [
- "rgba(170,101,86,1)",
- "rgb(108, 64, 54)"
- ],
- "gradient": true
- },
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": null,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM net/bytes sent/recv [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-b5aad170-ff66-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-b88b7f90-6d07-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-b88b7f90-6d07-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index 5b96d8e540b..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-b88b7f90-6d07-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Registry Successful Push Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerRegistry/registries\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(128,137,0,1)",
- "fill": "0",
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Container Registry Successful Push Count",
- "line_width": "02",
- "metrics": [
- {
- "field": "azure.container_registry.successful_push_count.total",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Registry Successful Push Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-b88b7f90-6d07-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-b9aa9b20-eaa5-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-b9aa9b20-eaa5-11e9-90ec-112a988266d5.json
deleted file mode 100644
index a55f32dd332..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-b9aa9b20-eaa5-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,136 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "ASP.NET Application Sessions [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "6d6575a0-eaa5-11e9-84ad-5919a47b8f34",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#3185FC",
- "fill": 0,
- "formatter": "number",
- "id": "6d6575a1-eaa5-11e9-84ad-5919a47b8f34",
- "label": "active",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_sessions_active.avg",
- "id": "6d6575a2-eaa5-11e9-84ad-5919a47b8f34",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#DB1374",
- "fill": 0,
- "formatter": "number",
- "id": "6d6575a3-eaa5-11e9-84ad-5919a47b8f34",
- "label": "timed out",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_sessions_timed_out.avg",
- "id": "6d6575a4-eaa5-11e9-84ad-5919a47b8f34",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#00B3A4",
- "fill": 0,
- "formatter": "number",
- "id": "6d6575a5-eaa5-11e9-84ad-5919a47b8f34",
- "label": "abandoned",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_sessions_abandoned.avg",
- "id": "6d6575a6-eaa5-11e9-84ad-5919a47b8f34",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- },
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#490092",
- "fill": 0,
- "formatter": "number",
- "id": "6d6575a7-eaa5-11e9-84ad-5919a47b8f34",
- "label": "total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.asp_net_applications_sessions_total.avg",
- "id": "6d6575a8-eaa5-11e9-84ad-5919a47b8f34",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "ASP.NET Application Sessions [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-b9aa9b20-eaa5-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-bcb236a0-feaf-11eb-8fff-87871c582eca.json b/packages/azure_metrics/kibana/visualization/azure_metrics-bcb236a0-feaf-11eb-8fff-87871c582eca.json
deleted file mode 100644
index 9783d51fc5b..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-bcb236a0-feaf-11eb-8fff-87871c582eca.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation Guest Linux Metrics Compute VM [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 12,
- "markdown": "### Azure Compute VM \n\n[Back to Overview](#/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5) | [**Guest Linux VM Metrics**](#/dashboard/azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Guest Linux Metrics Compute VM [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-bcb236a0-feaf-11eb-8fff-87871c582eca",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-bd1c93b0-6cf7-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-bd1c93b0-6cf7-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index 24c40a76914..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-bd1c93b0-6cf7-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,72 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Instance Network Bytes Received/s [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": "0",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerInstance/containerGroups\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(251,158,0,1)",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Container Instance Network Bytes Received/s",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.container_instance.network_bytes_received_per_second.avg",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Instance Network Bytes Received/s [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-bd1c93b0-6cf7-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-bda7b580-6d1f-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-bda7b580-6d1f-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index e1e33bb3554..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-bda7b580-6d1f-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Service Kube Pod Status Phase [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "0d772fb0-6d1f-11ea-a156-a582cfb250e8"
- }
- ],
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerService/managedClusters\" "
- },
- "gauge_color_rules": [
- {
- "id": "0ba507c0-6d1f-11ea-a156-a582cfb250e8"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(240,213,175,1)",
- "fill": "0",
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Container Service Kube Pod Status Phase",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.container_service.kube_pod_status_phase.avg",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "00",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.pod"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Service Kube Pod Status Phase [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-bda7b580-6d1f-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-c19586f0-6d1e-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-c19586f0-6d1e-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index e203bde1647..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-c19586f0-6d1e-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Service Kube Pod Status Ready [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerService/managedClusters\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(200,205,124,1)",
- "fill": "0",
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "",
- "line_width": "02",
- "metrics": [
- {
- "field": "azure.container_service.kube_pod_status_ready.avg",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.pod",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Service Kube Pod Status Ready [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-c19586f0-6d1e-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-c8a33540-ff5e-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-c8a33540-ff5e-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 3c6b47dcd74..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-c8a33540-ff5e-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,89 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Process Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "aa681a50-ff5e-11eb-8d10-c71ba6abf264"
- }
- ],
- "bar_color_rules": [
- {
- "id": "aad1d8a0-ff5e-11eb-8d10-c71ba6abf264"
- }
- ],
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Windows.GuestMetrics\" "
- },
- "id": "de3aa68a-00d9-4578-ad37-c2f7943b4243",
- "index_pattern": "metrics-*",
- "interval": "",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(202,142,174,1)",
- "fill": 0.5,
- "formatter": "number",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Process Count Average",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.system_processes.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "top_n",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Process Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-c8a33540-ff5e-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-cecd6680-eb41-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-cecd6680-eb41-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 54a28806cea..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-cecd6680-eb41-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VMSS Available Memory [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type :\"Microsoft.Compute/virtualMachineScaleSets\" "
- },
- "id": "e25fa710-eb3e-11e9-8bf6-ff656bce9010",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(22,165,165,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "e25fa711-eb3e-11e9-8bf6-ff656bce9010",
- "label": "avg(azure.compute_vm_scaleset.available_memory_bytes.avg)",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm_scaleset.available_memory_bytes.avg",
- "id": "e25fa712-eb3e-11e9-8bf6-ff656bce9010",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VMSS Available Memory [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-cecd6680-eb41-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-cfaedaf0-eb43-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-cfaedaf0-eb43-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 30ba9cbde19..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-cfaedaf0-eb43-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VMSS Disk Write Operations [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachineScaleSets\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": 0,
- "formatter": "number",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "VM Disk Write Operations/s",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm_scaleset.disk_write_operations_per_sec.avg",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VMSS Disk Write Operations [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-cfaedaf0-eb43-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-d2801d70-8490-11ea-b181-4b1a9e0110f9.json b/packages/azure_metrics/kibana/visualization/azure_metrics-d2801d70-8490-11ea-b181-4b1a9e0110f9.json
deleted file mode 100644
index 63187d1fb1d..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-d2801d70-8490-11ea-b181-4b1a9e0110f9.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Database Account Index Usage [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\" "
- },
- "id": "e9a40230-32e9-11ea-bda2-69435df36a5c",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(176,188,0,1)",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "e9a40231-32e9-11ea-bda2-69435df36a5c",
- "label": "Index Usage",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.database_account.index_usage.total",
- "id": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_exclude": "\"\u003cempty\u003e\"",
- "terms_field": "azure.dimensions.database_name",
- "terms_order_by": "_count",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Database Account Index Usage [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-d2801d70-8490-11ea-b181-4b1a9e0110f9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-d3ac7d90-8492-11ea-b181-4b1a9e0110f9.json b/packages/azure_metrics/kibana/visualization/azure_metrics-d3ac7d90-8492-11ea-b181-4b1a9e0110f9.json
deleted file mode 100644
index 524a5c2fdaa..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-d3ac7d90-8492-11ea-b181-4b1a9e0110f9.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Database Account Document Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.DocumentDb/databaseAccounts\" "
- },
- "id": "e9a40230-32e9-11ea-bda2-69435df36a5c",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(102,102,102,1)",
- "fill": "0",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "number",
- "id": "e9a40231-32e9-11ea-bda2-69435df36a5c",
- "label": "Document Count",
- "line_width": "2",
- "metrics": [
- {
- "field": "azure.database_account.document_count.total",
- "id": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_exclude": "\"\u003cempty\u003e\"",
- "terms_field": "azure.dimensions.database_name",
- "terms_order_by": "_count",
- "type": "timeseries",
- "value_template": "{{value}} "
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Database Account Document Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-d3ac7d90-8492-11ea-b181-4b1a9e0110f9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-d7ea4290-eaa8-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-d7ea4290-eaa8-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 34a4f88bdbe..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-d7ea4290-eaa8-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "SQL Server Total Server Memory [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type:\"Microsoft.Compute/virtualMachines\" "
- },
- "id": "94af6a00-eaa8-11e9-9269-d92e2d3f77fd",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#3185FC",
- "fill": 0,
- "formatter": "bytes",
- "id": "94af6a01-eaa8-11e9-9269-d92e2d3f77fd",
- "label": "memory",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.sqlserver_memory_manager_total_server_memory.avg",
- "id": "94af6a02-eaa8-11e9-9269-d92e2d3f77fd",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "SQL Server Total Server Memory [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-d7ea4290-eaa8-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-db9a3490-ea8f-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-db9a3490-ea8f-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 7caeec61178..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-db9a3490-ea8f-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,72 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VM CPU Utilization [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.Compute/virtualMachines\" "
- },
- "id": "4f6c1610-ea8e-11e9-8c73-71740bcf3d8b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,196,0,1)",
- "fill": 0,
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "number",
- "id": "4f6c1611-ea8e-11e9-8c73-71740bcf3d8b",
- "label": "Azure VM CPU Utilization",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.percentage_cpu.avg",
- "id": "4f6c1612-ea8e-11e9-8c73-71740bcf3d8b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "value_template": "{{value}}%"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VM CPU Utilization [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-db9a3490-ea8f-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-ddea7430-6d07-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-ddea7430-6d07-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index 6b92effe301..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-ddea7430-6d07-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Registry Total Push Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerRegistry/registries\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,196,0,1)",
- "fill": "0",
- "formatter": "number",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Container Registry Total Push Count",
- "line_width": "02",
- "metrics": [
- {
- "field": "azure.container_registry.total_push_count.total",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Registry Total Push Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-ddea7430-6d07-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-e159b990-339c-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-e159b990-339c-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 0f89b222df6..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-e159b990-339c-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Queue Capacity [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "pivot_id": "azure.resource.name",
- "pivot_label": "Resource Name",
- "pivot_rows": "30",
- "pivot_type": "string",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Queue Capacity",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.queue_capacity.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Queue Capacity [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-e159b990-339c-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-e4b25ee0-32f6-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-e4b25ee0-32f6-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index d0b28f28315..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-e4b25ee0-32f6-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation Blob Storage Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 10,
- "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [**Blob**](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Blob Storage Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-e4b25ee0-32f6-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-e79211c0-6d37-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-e79211c0-6d37-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index f20c8146e7f..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-e79211c0-6d37-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,232 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
- }
- },
- "title": "Container Service Kube Node Status Condition [Azure Metrics]",
- "uiStateJSON": {
- "vis": {
- "defaultColors": {
- "0 - 0.2": "rgb(165,0,38)",
- "0.2 - 0.4": "rgb(244,109,67)",
- "0.4 - 0.6": "rgb(254,224,139)",
- "0.6 - 0.8": "rgb(217,239,139)",
- "0.8 - 1": "rgb(102,189,99)"
- },
- "legendOpen": true
- }
- },
- "version": 1,
- "visState": {
- "aggs": [
- {
- "enabled": true,
- "id": "1",
- "params": {
- "field": "azure.container_service.kube_node_status_condition.avg"
- },
- "schema": "metric",
- "type": "avg"
- },
- {
- "enabled": true,
- "id": "2",
- "params": {
- "filters": [
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"Ready\" and azure.dimensions.status : \"true\" "
- },
- "label": "Ready \"true\""
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"Ready\" and azure.dimensions.status : \"false\" "
- },
- "label": "Ready \"false\""
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"NetworkUnavailable\" and azure.dimensions.status : \"true\" "
- },
- "label": "Network Unavailable \"true\""
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"NetworkUnavailable\" and azure.dimensions.status : \"false\" "
- },
- "label": "NetworkUnavailable \"false\""
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"OutOfDisk\" and azure.dimensions.status : \"false\" "
- },
- "label": "OutOfDisk \"false\""
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"OutOfDisk\" and azure.dimensions.status : \"true\" "
- },
- "label": "OutOfDisk \"true\""
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"MemoryPressure\" and azure.dimensions.status : \"true\" "
- },
- "label": "MemoryPressure \"true\""
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"MemoryPressure\" and azure.dimensions.status : \"false\" "
- },
- "label": "MemoryPressure \"false\""
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"DiskPressure\" and azure.dimensions.status : \"false\" "
- },
- "label": "DiskPressure \"false\""
- },
- {
- "input": {
- "language": "kuery",
- "query": "azure.dimensions.condition : \"DiskPressure\" and azure.dimensions.status : \"true\" "
- },
- "label": "DiskPressure \"true\""
- }
- ]
- },
- "schema": "segment",
- "type": "filters"
- },
- {
- "enabled": true,
- "id": "3",
- "params": {
- "field": "azure.dimensions.node",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 10
- },
- "schema": "group",
- "type": "terms"
- }
- ],
- "params": {
- "addLegend": true,
- "addTooltip": true,
- "colorSchema": "Green to Red",
- "colorsNumber": 5,
- "colorsRange": [
- {
- "from": 0,
- "to": 10
- }
- ],
- "dimensions": {
- "series": [
- {
- "accessor": 1,
- "aggType": "terms",
- "format": {
- "id": "terms",
- "params": {
- "id": "string",
- "missingBucketLabel": "Missing",
- "otherBucketLabel": "Other",
- "parsedUrl": {
- "basePath": "",
- "origin": "http://localhost:5601",
- "pathname": "/app/kibana"
- }
- }
- },
- "label": "azure.dimensions.node: Descending",
- "params": {}
- }
- ],
- "x": {
- "accessor": 0,
- "aggType": "filters",
- "format": {},
- "label": "filters",
- "params": {}
- },
- "y": [
- {
- "accessor": 2,
- "aggType": "avg",
- "format": {
- "id": "number",
- "params": {
- "parsedUrl": {
- "basePath": "",
- "origin": "http://localhost:5601",
- "pathname": "/app/kibana"
- }
- }
- },
- "label": "Average azure.container_service.kube_node_status_condition.avg",
- "params": {}
- }
- ]
- },
- "enableHover": false,
- "invertColors": true,
- "legendPosition": "right",
- "percentageMode": false,
- "setColorRange": false,
- "times": [],
- "type": "heatmap",
- "valueAxes": [
- {
- "id": "ValueAxis-1",
- "labels": {
- "color": "black",
- "overwriteColor": false,
- "rotate": 0,
- "show": false
- },
- "scale": {
- "defaultYExtents": false,
- "type": "linear"
- },
- "show": false,
- "type": "value"
- }
- ]
- },
- "title": "Container Service Kube Node Status Condition [Azure Metrics]",
- "type": "heatmap"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-e79211c0-6d37-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-e8ca65c0-eb45-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/visualization/azure_metrics-e8ca65c0-eb45-11e9-90ec-112a988266d5.json
deleted file mode 100644
index 75ba79573b7..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-e8ca65c0-eb45-11e9-90ec-112a988266d5.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "VM Disk Reads [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type :\"Microsoft.Compute/virtualMachines\" "
- },
- "id": "39b6adc0-ea99-11e9-8328-799c817fb96b",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(252,196,0,1)",
- "fill": 0,
- "formatter": "bytes",
- "id": "39b6adc1-ea99-11e9-8328-799c817fb96b",
- "label": "VM Disk Read bytes",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.compute_vm.disk_read_bytes.total",
- "id": "39b6adc2-ea99-11e9-8328-799c817fb96b",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "VM Disk Reads [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-e8ca65c0-eb45-11e9-90ec-112a988266d5",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-eaf13b40-feac-11eb-8fff-87871c582eca.json b/packages/azure_metrics/kibana/visualization/azure_metrics-eaf13b40-feac-11eb-8fff-87871c582eca.json
deleted file mode 100644
index 1ca7ed6ce3d..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-eaf13b40-feac-11eb-8fff-87871c582eca.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation Compute VM Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 12,
- "markdown": "### Azure Compute VM \n\n[**Overview**](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Guest Windows VM Metrics](#/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca) | [Guest Linux VM Metrics](#/dashboard/azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca)",
- "openLinksInNewTab": false
- },
- "title": "Navigation Compute VM Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-eaf13b40-feac-11eb-8fff-87871c582eca",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-eda368d0-6d1d-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-eda368d0-6d1d-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index 7b6a86dcc4e..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-eda368d0-6d1d-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Container Service Kube Node Status Allocatable Memory Bytes [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerService/managedClusters\" "
- },
- "id": "61ca57f0-469d-11e7-af02-69e470af7417",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(176,188,0,1)",
- "fill": "0",
- "formatter": "bytes",
- "id": "61ca57f1-469d-11e7-af02-69e470af7417",
- "label": "Container Service Kube Node Status Allocatable Memory Bytes",
- "line_width": "02",
- "metrics": [
- {
- "field": "azure.container_service.kube_node_status_allocatable_memory_bytes.avg",
- "id": "61ca57f2-469d-11e7-af02-69e470af7417",
- "type": "avg"
- }
- ],
- "point_size": "",
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false
- },
- "title": "Container Service Kube Node Status Allocatable Memory Bytes [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-eda368d0-6d1d-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-f18a7cb0-32f6-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-f18a7cb0-32f6-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 869103c050d..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-f18a7cb0-32f6-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation File Storage Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 10,
- "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [**File**](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation File Storage Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-f18a7cb0-32f6-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-f4367270-ff69-11eb-af1d-2505733a31f2.json b/packages/azure_metrics/kibana/visualization/azure_metrics-f4367270-ff69-11eb-af1d-2505733a31f2.json
deleted file mode 100644
index 250c2bce1b7..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-f4367270-ff69-11eb-af1d-2505733a31f2.json
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Azure Compute VM Guest Diskio Read bytes [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.namespace : \"Azure.VM.Linux.GuestMetrics\" "
- },
- "id": "e09ae8d1-cbc7-4737-89cb-3805e1ace186",
- "index_pattern": "metrics-*",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "#68BC00",
- "fill": 0.5,
- "formatter": "bytes",
- "id": "1d3aba96-1604-449a-97f9-42f7000a424c",
- "label": "Diskio Read bytes",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.compute_vm.diskio_per_read_bytes.avg",
- "id": "3c459779-ee47-438a-9931-c543e713478b",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "gradient",
- "params": {
- "colors": [
- "#68BC00",
- "rgb(0, 0, 0)"
- ],
- "gradient": true
- },
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_color_mode": null,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Azure Compute VM Guest Diskio Read bytes [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-f4367270-ff69-11eb-af1d-2505733a31f2",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-f528e6a0-339a-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-f528e6a0-339a-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index e3d20879dad..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-f528e6a0-339a-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {}
- },
- "title": "Storage Table Capacity [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "bar_color_rules": [
- {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
- }
- ],
- "drilldown_url": "",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "pivot_id": "azure.resource.name",
- "pivot_label": "Resource Name",
- "pivot_rows": "30",
- "pivot_type": "string",
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,204,202,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Table Capacity",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.table_capacity.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false
- },
- "title": "Storage Table Capacity [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-f528e6a0-339a-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-fcc24d70-32f5-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-fcc24d70-32f5-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index 4ed5d2b4ea8..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-fcc24d70-32f5-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation Storage Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 10,
- "markdown": "### Azure Storage\n\n[**Overview**](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Storage Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-fcc24d70-32f5-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-fdef3f40-32f6-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/visualization/azure_metrics-fdef3f40-32f6-11ea-a83e-25b8612d00cc.json
deleted file mode 100644
index b5a4c951bde..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-fdef3f40-32f6-11ea-a83e-25b8612d00cc.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Navigation Table Storage Overview [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "fontSize": 10,
- "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [**Table**](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
- "openLinksInNewTab": false
- },
- "title": "Navigation Table Storage Overview [Azure Metrics]",
- "type": "markdown"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-fdef3f40-32f6-11ea-a83e-25b8612d00cc",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/visualization/azure_metrics-ff303710-6d07-11ea-8fe8-71add5fd7c38.json b/packages/azure_metrics/kibana/visualization/azure_metrics-ff303710-6d07-11ea-8fe8-71add5fd7c38.json
deleted file mode 100644
index 72789c87fec..00000000000
--- a/packages/azure_metrics/kibana/visualization/azure_metrics-ff303710-6d07-11ea-8fe8-71add5fd7c38.json
+++ /dev/null
@@ -1,85 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "title": "Container Registry Successful Pull Count [Azure Metrics]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "drop_last_bucket": 0,
- "filter": {
- "language": "kuery",
- "query": "azure.resource.type : \"Microsoft.ContainerRegistry/registries\" "
- },
- "id": "14650224-3115-4ea1-9ab4-ff911b357ebd",
- "index_pattern_ref_name": "metrics_0_index_pattern",
- "interval": "\u003e=5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(211,96,134,1)",
- "fill": 0.5,
- "formatter": "number",
- "id": "dddd4a3a-e26e-4043-8e30-9c0412df4eac",
- "label": "Container Registry Successful Pull Count",
- "line_width": 1,
- "metrics": [
- {
- "field": "azure.container_registry.successful_pull_count.total",
- "id": "d11cd335-b6ff-4d9b-9b95-4f8366436b7d",
- "type": "avg"
- }
- ],
- "palette": {
- "name": "default",
- "type": "palette"
- },
- "point_size": 1,
- "separate_axis": 0,
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "type": "timeseries"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "",
- "time_range_mode": "entire_time_range",
- "tooltip_mode": "show_all",
- "type": "timeseries",
- "use_kibana_indexes": true
- },
- "title": "Container Registry Successful Pull Count [Azure Metrics]",
- "type": "metrics"
- }
- },
- "coreMigrationVersion": "7.14.0",
- "id": "azure_metrics-ff303710-6d07-11ea-8fe8-71add5fd7c38",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "metrics_0_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/azure_metrics/manifest.yml b/packages/azure_metrics/manifest.yml
index ddcaa7eacba..b646999a37d 100644
--- a/packages/azure_metrics/manifest.yml
+++ b/packages/azure_metrics/manifest.yml
@@ -1,6 +1,6 @@
name: azure_metrics
title: Azure Resource Metrics
-version: 1.0.16
+version: 1.0.43
release: ga
description: Collect metrics from Azure resources with Elastic Agent.
type: integration
@@ -20,7 +20,7 @@ categories:
- observability
- azure
conditions:
- kibana.version: "^7.14.0 || ^8.0.0"
+ kibana.version: "^8.9.0"
vars:
- name: client_id
type: text
diff --git a/packages/barracuda/_dev/build/build.yml b/packages/barracuda/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/barracuda/_dev/build/build.yml
+++ b/packages/barracuda/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/barracuda/changelog.yml b/packages/barracuda/changelog.yml
index 509bb8183d6..6f030ce73ff 100644
--- a/packages/barracuda/changelog.yml
+++ b/packages/barracuda/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: 1.7.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.6.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.5.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.4.0"
changes:
- description: Update package to ECS 8.8.0.
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-access.log-expected.json b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-access.log-expected.json
index cc9f930e5b7..4b96f1a5c0e 100644
--- a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-access.log-expected.json
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-access.log-expected.json
@@ -48,7 +48,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -181,7 +181,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -306,7 +306,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -438,7 +438,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -567,7 +567,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -689,7 +689,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-expected.json b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-expected.json
index 5cc79326080..41e6f4cef3e 100644
--- a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-expected.json
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-expected.json
@@ -33,7 +33,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -92,7 +92,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-network-firewall.log-expected.json b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-network-firewall.log-expected.json
index 097d9be7ca6..65e93b86f65 100644
--- a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-network-firewall.log-expected.json
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-network-firewall.log-expected.json
@@ -41,7 +41,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DENY",
@@ -134,7 +134,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DENY",
@@ -227,7 +227,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DENY",
@@ -320,7 +320,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DENY",
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-expected.json b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-expected.json
index 121786b4c08..0c1082aa5f5 100644
--- a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-expected.json
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-expected.json
@@ -15,7 +15,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -47,7 +47,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -79,7 +79,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -111,7 +111,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -143,7 +143,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -175,7 +175,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -207,7 +207,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -239,7 +239,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -271,7 +271,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-web-firewall.log-expected.json b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-web-firewall.log-expected.json
index 97ceda8c953..ad10bf1a72f 100644
--- a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-web-firewall.log-expected.json
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-web-firewall.log-expected.json
@@ -44,7 +44,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LOG",
@@ -163,7 +163,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LOG",
@@ -283,7 +283,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LOG",
@@ -398,7 +398,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LOG",
@@ -514,7 +514,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DENY",
diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
index 84d63e9a50c..ede23c31789 100644
--- a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
@@ -7,7 +7,7 @@ processors:
ignore_missing: true
- set:
field: ecs.version
- value: "8.8.0"
+ value: "8.9.0"
- grok:
field: event.original
patterns:
diff --git a/packages/barracuda/data_stream/waf/sample_event.json b/packages/barracuda/data_stream/waf/sample_event.json
index 479126715c7..f6aa2291cb6 100644
--- a/packages/barracuda/data_stream/waf/sample_event.json
+++ b/packages/barracuda/data_stream/waf/sample_event.json
@@ -19,7 +19,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "11940e5d-16a1-424a-aeb2-97fb8029a5d0",
diff --git a/packages/barracuda/docs/README.md b/packages/barracuda/docs/README.md
index f5427150ac7..abfae7a25a1 100644
--- a/packages/barracuda/docs/README.md
+++ b/packages/barracuda/docs/README.md
@@ -55,7 +55,7 @@ An example event for `waf` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "11940e5d-16a1-424a-aeb2-97fb8029a5d0",
@@ -165,14 +165,14 @@ An example event for `waf` looks as following:
| error.message | Error message. | match_only_text |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
+| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
diff --git a/packages/barracuda/kibana/tags.yml b/packages/barracuda/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/barracuda/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/barracuda/manifest.yml b/packages/barracuda/manifest.yml
index 43dd55f3793..3f039a42dc8 100644
--- a/packages/barracuda/manifest.yml
+++ b/packages/barracuda/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: barracuda
title: "Barracuda Logs"
-version: "1.4.0"
+version: "1.7.0"
description: Ingest Events from Barracuda Web Application Firewall
type: integration
categories:
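Review bot: The removed line here is `format_version: 2.7.0`, yet the 1.7.0 changelog entry added in the same patch describes the change as "from 2.11.0 to 3.0.0"; one of the two is inaccurate unless an unrecorded 2.7.0→2.11.0 step happened between the releases this diff spans. The changelog text for 1.7.0 should name the format version this manifest actually replaced, e.g. `The format_version in the package manifest changed from 2.7.0 to 3.0.0.`, or a separate entry should record the intermediate bump. The remainder of this manifest (conditions, policy templates, owner) is in later hunks.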
@@ -11,8 +11,10 @@ categories:
source:
license: "Elastic-2.0"
conditions:
- kibana.version: ^8.4.0
- elastic.subscription: basic
+ kibana:
+ version: ^8.4.0
+ elastic:
+ subscription: basic
screenshots:
- src: /img/barracuda-waf-overview.png
title: Overview
@@ -59,3 +61,4 @@ policy_templates:
description: Collecting syslog from Barracuda via file.
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/barracuda_cloudgen_firewall/_dev/build/build.yml b/packages/barracuda_cloudgen_firewall/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/barracuda_cloudgen_firewall/_dev/build/build.yml
+++ b/packages/barracuda_cloudgen_firewall/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/barracuda_cloudgen_firewall/changelog.yml b/packages/barracuda_cloudgen_firewall/changelog.yml
index 57798857dd1..89e4eab0d3a 100644
--- a/packages/barracuda_cloudgen_firewall/changelog.yml
+++ b/packages/barracuda_cloudgen_firewall/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: 1.7.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.6.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.5.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.4.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json b/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json
index 9a87d2d8b33..ed18815f3db 100644
--- a/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json
+++ b/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json
@@ -32,7 +32,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "End",
diff --git a/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-threat.log-expected.json b/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-threat.log-expected.json
index ed9eced3151..02b681c38a4 100644
--- a/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-threat.log-expected.json
+++ b/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-threat.log-expected.json
@@ -8,7 +8,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "block",
@@ -84,7 +84,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "block",
@@ -160,7 +160,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "block",
diff --git a/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-web.log-expected.json b/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-web.log-expected.json
index 3187e9121f2..9ee8b987731 100644
--- a/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-web.log-expected.json
+++ b/packages/barracuda_cloudgen_firewall/data_stream/log/_dev/test/pipeline/test-web.log-expected.json
@@ -27,7 +27,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "0",
@@ -129,7 +129,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "0",
diff --git a/packages/barracuda_cloudgen_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/barracuda_cloudgen_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 71bcdee4bd5..93b1469b5c7 100644
--- a/packages/barracuda_cloudgen_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/barracuda_cloudgen_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Barracuda CloudGen Firewall
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
# Metadata about the origin of the event captured from the Lumberjack connection.
- rename:
diff --git a/packages/barracuda_cloudgen_firewall/data_stream/log/sample_event.json b/packages/barracuda_cloudgen_firewall/data_stream/log/sample_event.json
index f1da130f6f6..bd10d57133b 100644
--- a/packages/barracuda_cloudgen_firewall/data_stream/log/sample_event.json
+++ b/packages/barracuda_cloudgen_firewall/data_stream/log/sample_event.json
@@ -42,7 +42,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "70e82165-776e-4b35-98b8-b0c9491f4b6e",
diff --git a/packages/barracuda_cloudgen_firewall/docs/README.md b/packages/barracuda_cloudgen_firewall/docs/README.md
index b92fbf1238b..beb47f01ca5 100644
--- a/packages/barracuda_cloudgen_firewall/docs/README.md
+++ b/packages/barracuda_cloudgen_firewall/docs/README.md
@@ -70,7 +70,7 @@ An example event for `log` looks as following:
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "70e82165-776e-4b35-98b8-b0c9491f4b6e",
diff --git a/packages/barracuda_cloudgen_firewall/kibana/tags.yml b/packages/barracuda_cloudgen_firewall/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/barracuda_cloudgen_firewall/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/barracuda_cloudgen_firewall/manifest.yml b/packages/barracuda_cloudgen_firewall/manifest.yml
index 85c3b980926..15a4195228a 100644
--- a/packages/barracuda_cloudgen_firewall/manifest.yml
+++ b/packages/barracuda_cloudgen_firewall/manifest.yml
@@ -1,12 +1,13 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: barracuda_cloudgen_firewall
title: Barracuda CloudGen Firewall Logs
-version: "1.4.0"
+version: "1.7.0"
description: Collect logs from Barracuda CloudGen Firewall devices with Elastic Agent.
categories: ["network", "security", "firewall_security"]
type: integration
conditions:
- kibana.version: "^8.5.0"
+ kibana:
+ version: "^8.5.0"
policy_templates:
- name: barracuda_cloudgen_firewall
title: Barracuda CloudGen Firewall Logs
@@ -22,3 +23,4 @@ icons:
type: image/svg+xml
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/bitdefender/_dev/build/build.yml b/packages/bitdefender/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/bitdefender/_dev/build/build.yml
+++ b/packages/bitdefender/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/bitdefender/_dev/deploy/docker/config.yml b/packages/bitdefender/_dev/deploy/docker/config.yml
index ad40197ecb6..8009f8a0213 100644
--- a/packages/bitdefender/_dev/deploy/docker/config.yml
+++ b/packages/bitdefender/_dev/deploy/docker/config.yml
@@ -10,7 +10,6 @@ rules:
Content-Type:
- "application/json"
body: '{"status":"OK"}'
-
- path: /api/v1.0/jsonrpc/push
methods: ["POST"]
request_headers:
diff --git a/packages/bitdefender/changelog.yml b/packages/bitdefender/changelog.yml
index 0a05e7eedae..49ab3611a9d 100644
--- a/packages/bitdefender/changelog.yml
+++ b/packages/bitdefender/changelog.yml
@@ -1,4 +1,34 @@
# newer versions go on top
+- version: 1.5.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.4.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.3.1"
+ changes:
+ - description: Remove version attribute from ingest node pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7807
+- version: "1.3.0"
+ changes:
+ - description: Add support for HTTP request trace logging.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7339
+- version: "1.2.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.1.0"
+ changes:
+ - description: Document valid duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6706
- version: "1.0.0"
changes:
- description: Release BitDefender as GA.
diff --git a/packages/bitdefender/data_stream/push_configuration/_dev/test/pipeline/test-push-configuration.json b/packages/bitdefender/data_stream/push_configuration/_dev/test/pipeline/test-push-configuration.json
index 6afd499e574..999ec4a5faa 100644
--- a/packages/bitdefender/data_stream/push_configuration/_dev/test/pipeline/test-push-configuration.json
+++ b/packages/bitdefender/data_stream/push_configuration/_dev/test/pipeline/test-push-configuration.json
@@ -1,7 +1,7 @@
{
- "events": [
- {
- "message": "{\"id\":\"1\",\"jsonrpc\":\"2.0\",\"result\":{\"serviceSettings\":{\"authorization\":\"********\",\"requireValidSslCertificate\":true,\"url\":\"https://webhook.your.tld/push/notifications\"},\"serviceType\":\"jsonRPC\",\"status\":1,\"subscribeToCompanies\":[\"12341234abcd12341234abcd\"],\"subscribeToEventTypes\":{\"adcloud\":true,\"antiexploit\":true,\"aph\":true,\"av\":true,\"avc\":true,\"dp\":true,\"endpoint-moved-in\":true,\"endpoint-moved-out\":true,\"exchange-malware\":true,\"exchange-user-credentials\":true,\"fw\":true,\"hd\":true,\"hwid-change\":true,\"install\":true,\"modules\":true,\"network-monitor\":true,\"network-sandboxing\":true,\"new-incident\":true,\"ransomware-mitigation\":true,\"registration\":true,\"security-container-update-available\":true,\"supa-update-status\":true,\"sva\":true,\"sva-load\":true,\"task-status\":true,\"troubleshooting-activity\":true,\"uc\":true,\"uninstall\":true}}}"
- }
- ]
-}
+ "events": [
+ {
+ "message": "{\"id\":\"1\",\"jsonrpc\":\"2.0\",\"result\":{\"serviceSettings\":{\"authorization\":\"********\",\"requireValidSslCertificate\":true,\"url\":\"https://webhook.your.tld/push/notifications\"},\"serviceType\":\"jsonRPC\",\"status\":1,\"subscribeToCompanies\":[\"12341234abcd12341234abcd\"],\"subscribeToEventTypes\":{\"adcloud\":true,\"antiexploit\":true,\"aph\":true,\"av\":true,\"avc\":true,\"dp\":true,\"endpoint-moved-in\":true,\"endpoint-moved-out\":true,\"exchange-malware\":true,\"exchange-user-credentials\":true,\"fw\":true,\"hd\":true,\"hwid-change\":true,\"install\":true,\"modules\":true,\"network-monitor\":true,\"network-sandboxing\":true,\"new-incident\":true,\"ransomware-mitigation\":true,\"registration\":true,\"security-container-update-available\":true,\"supa-update-status\":true,\"sva\":true,\"sva-load\":true,\"task-status\":true,\"troubleshooting-activity\":true,\"uc\":true,\"uninstall\":true}}}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/bitdefender/data_stream/push_configuration/_dev/test/pipeline/test-push-configuration.json-expected.json b/packages/bitdefender/data_stream/push_configuration/_dev/test/pipeline/test-push-configuration.json-expected.json
index 8ba18d2e613..07d79b3461d 100644
--- a/packages/bitdefender/data_stream/push_configuration/_dev/test/pipeline/test-push-configuration.json-expected.json
+++ b/packages/bitdefender/data_stream/push_configuration/_dev/test/pipeline/test-push-configuration.json-expected.json
@@ -48,7 +48,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "{\"id\":\"1\",\"jsonrpc\":\"2.0\",\"result\":{\"serviceSettings\":{\"authorization\":\"********\",\"requireValidSslCertificate\":true,\"url\":\"https://webhook.your.tld/push/notifications\"},\"serviceType\":\"jsonRPC\",\"status\":1,\"subscribeToCompanies\":[\"12341234abcd12341234abcd\"],\"subscribeToEventTypes\":{\"adcloud\":true,\"antiexploit\":true,\"aph\":true,\"av\":true,\"avc\":true,\"dp\":true,\"endpoint-moved-in\":true,\"endpoint-moved-out\":true,\"exchange-malware\":true,\"exchange-user-credentials\":true,\"fw\":true,\"hd\":true,\"hwid-change\":true,\"install\":true,\"modules\":true,\"network-monitor\":true,\"network-sandboxing\":true,\"new-incident\":true,\"ransomware-mitigation\":true,\"registration\":true,\"security-container-update-available\":true,\"supa-update-status\":true,\"sva\":true,\"sva-load\":true,\"task-status\":true,\"troubleshooting-activity\":true,\"uc\":true,\"uninstall\":true}}}"
diff --git a/packages/bitdefender/data_stream/push_configuration/agent/stream/httpjson.yml.hbs b/packages/bitdefender/data_stream/push_configuration/agent/stream/httpjson.yml.hbs
index 46b776a8910..bf7a7947a25 100644
--- a/packages/bitdefender/data_stream/push_configuration/agent/stream/httpjson.yml.hbs
+++ b/packages/bitdefender/data_stream/push_configuration/agent/stream/httpjson.yml.hbs
@@ -1,5 +1,8 @@
config_version: 2
interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
request.url: {{url}}
request.method: POST
{{#if proxy_url }}
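Review bot: Setting `request.tracer.filename` makes the httpjson input write the full HTTP exchange — request headers, presumably including whatever credential this stream presents to `{{url}}` (the fixture in this patch shows the API returning a redacted `authorization` value), plus request and response bodies — to plaintext files under the agent's logs directory, and nothing in this hunk bounds or rotates them. The `enable_request_tracer` variable's description is not part of this diff; it should carry the warning used for the same option elsewhere in this repository, e.g. `The request tracer logs HTTP requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging.` If the tracer's rotation settings are supported by the agent versions this package targets, adding `request.tracer.maxbackups: 5` beside the filename line would cap how much of that material accumulates on disk. The request headers and body for this stream are configured outside the hunk.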
diff --git a/packages/bitdefender/data_stream/push_configuration/elasticsearch/ingest_pipeline/default.yml b/packages/bitdefender/data_stream/push_configuration/elasticsearch/ingest_pipeline/default.yml
index 39cb1ace1c2..5a28088c3eb 100644
--- a/packages/bitdefender/data_stream/push_configuration/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/bitdefender/data_stream/push_configuration/elasticsearch/ingest_pipeline/default.yml
@@ -1,5 +1,4 @@
---
-version: 1
description: Pipeline for BitDefender push notification configuration
processors:
- json:
@@ -10,7 +9,7 @@ processors:
message: missing json object in input document
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/bitdefender/data_stream/push_configuration/manifest.yml b/packages/bitdefender/data_stream/push_configuration/manifest.yml
index 23b7a5248fd..551957d2aa5 100644
--- a/packages/bitdefender/data_stream/push_configuration/manifest.yml
+++ b/packages/bitdefender/data_stream/push_configuration/manifest.yml
@@ -38,7 +38,7 @@ streams:
- name: interval
type: text
title: Interval
- description: Duration between requests to the API.
+ description: Duration between requests to the API. Supported units for this parameter are h/m/s.
multi: false
required: true
show_user: false
diff --git a/packages/bitdefender/data_stream/push_configuration/sample_event.json b/packages/bitdefender/data_stream/push_configuration/sample_event.json
index ac1c6aaec46..8b1cff92ce1 100644
--- a/packages/bitdefender/data_stream/push_configuration/sample_event.json
+++ b/packages/bitdefender/data_stream/push_configuration/sample_event.json
@@ -56,7 +56,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "f0239f6f-245e-4d57-bada-68e5f564b259",
diff --git a/packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json b/packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json
index 6af67003fe6..5483e573f57 100644
--- a/packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json
+++ b/packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json
@@ -1,88 +1,88 @@
{
- "events": [
- {
- "message": "{\"computer_name\":\"FC-EXCHANGE-01\",\"computer_fqdn\":\"fc-exchange-01.fc.dom\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"product_installed\":\"BEST\",\"aph_type\":\"phishing\",\"url\":\"http://example.com/account/support/\",\"status\":\"aph_blocked\",\"last_blocked\":\"2017-09-14T08:49:43.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"aph\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-EXCHANGE-01\",\"computer_fqdn\":\"fc-exchange-01.fc.dom\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"product_installed\":\"BEST\",\"endpointId\":\"59b7d9bfa849af3a1465b7e3\",\"serverName\":\"FC-EXCHANGE-01\",\"sender\":\"fc_test01@fc.dom\",\"recipients\":[\"fc_test02@fc.dom\"],\"subject\":\"Emailing Sending.. WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0\",\"detectionTime\":\"2017-09-13T14: 20:37.000Z\",\"malware\":[{\"malwareName\":\"Trojan.Generic.KD.874127\",\"malwareType\":\"virus\",\"actionTaken\":\"quarantine\",\"infectedObject\":\"WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0\"}],\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"exchange-malware\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-EXCHANGE-01\",\"computer_fqdn\":\"fc-exchange-01.fc.dom\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"product_installed\":\"BEST\",\"product_registration\":\"registered\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"registration\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"10.17.46.196\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"malware_type\":\"file\",\"malware_name\":\"EICAR-Test-File (not a virus)\",\"file_path\":\"C:\\\\eicar0000001.txt\",\"hash\":\"8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71\",\"final_status\":\"deleted\",\"timestamp\":\"2017-09-08T12:01:36.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"av\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"exploit_type\":\"AVC Blocked Exploit\",\"exploit_path\":\"C:\\\\Users\\\\admin\\\\Desktop\\\\Tools\\\\avcsim\\\\win32\\\\avcsim32.exe\",\"status\":\"avc_blocked\",\"last_blocked\":\"2017-09-14T07:56:33.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"avc\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"malware_status\":1,\"aph_status\":1,\"firewall_status\":1,\"avc_status\":1,\"uc_web_filtering\":0,\"uc_categ_filtering\":0,\"uc_application_status\":0,\"dp_status\":0,\"pu_status\":1,\"dlp_status\":0,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"modules\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"status\":\"portscan_blocked\",\"protocol_id\":\"6\",\"source_ip\":\"192.168.0.2\",\"last_blocked\":\"2017-09-08T12:52:03.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"fw\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"status\":0,\"fromSupa\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"supa-update-status\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"target_type\":\"http\",\"blocking_rule_name\":\"dv\",\"url\":\"http://example.com/\",\"status\":\"data_protection_blocked\",\"last_blocked\":\"2017-09-11T10:23:43.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"dp\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"uc_type\":\"http\",\"url\":\"http://192.168.0.1:2869/upnphost/udhisapi.dll\",\"block_type\":\"http_timelimiter\",\"categories\":\"\",\"status\":\"uc_site_blocked\",\"last_blocked\":\"2017-09-08T12:46:30.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"uc\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"userId\":\"59a14b2b1da197c6108b4568\",\"taskId\":\"59b28dc81da19711058b4568\",\"taskName\":\"Quick Scan 2017-09-08(sub-task)\",\"taskType\":272,\"targetName\":\"FC-WIN7-X64-01\",\"isSuccessful\":1,\"status\":3,\"errorMessage\":\"\",\"errorCode\":0,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"task-status\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"bitdefender-sva\",\"computer_fqdn\":\"bitdefender-sva\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b8f3aba849af3a1465b81e\",\"product_installed\":\"SVA\",\"loadAverage\":1,\"cpuUsage\":48,\"memoryUsage\":32,\"networkUsage\":0,\"overallUsage\":48,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"sva-load\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"computer_name\":\"bitdefender-sva\",\"computer_fqdn\":\"bitdefender-sva\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b8f3aba849af3a1465b81e\",\"product_installed\":\"SVA\",\"powered_off\":0,\"product_update_available\":1,\"product_reboot_required\":0,\"lastupdate\":\"0\",\"updatesigam\":\"7.72479\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"sva\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"endpointId\":\"59a1604e60369e06733f8aba\",\"computerName\":\"FC-WIN7-X64-01\",\"computerIp\":\"192.168.0.1\",\"detectionTime\":1505386969,\"threatType\":\"RANSOMWARE\",\"filePaths\":[\"C:\\\\Users\\\\Administrator\\\\Documents\\\\installer.xml\",\"D:\\\\opt\\\\bitdefender\\\\installer2.xml\",\"D:\\\\sources\\\\console\\\\CommonConsole\\\\app\\\\modules\\\\policies\\\\view\\\\endpoints\\\\networkSandboxing\\\\installer3.xml\"],\"fileSizes\":[\"2614\",\"2615\",\"2616\"],\"remediationActions\":[\"1\",\"\",\"1\"],\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"network-sandboxing\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"endpointId\":\"59b7d9bfa849af3a1465b7e3\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"exchange-user-credentials\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"module\":\"hwid-change\",\"product_installed\":\"BEST\",\"companyId\":\"623c18fb12fb8700396d6375\",\"computer_name\":\"A\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"81.2.69.144\",\"computer_id\":\"5e284ff5b7e43d387ba54a96\",\"old_hwid\":\"00000000-0000-0000-0000-406186b5bde7\",\"new_hwid\":\"00000000-0000-0000-0000-406186b5bde6\",\"endpointId\":\"5e284ff5b7e43d387ba54a95\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"module\":\"network-monitor\",\"product_installed\":\"BEST\",\"user\":{\"userName\":\"user1@domain.com\",\"userSid\":\"S-1-2-3-4\"},\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"5d639e8f48ac2f04f6e00b1c\",\"actionTaken\":\"reportOnly\",\"detection_name\":\"PrivacyThreat.PasswordStealer.HTTP\",\"detection_attackTechnique\":\"discovery\",\"source_ip\":\"10.17.134.4\",\"victim_ip\":\"67.43.156.1\",\"local_port\":\"80\",\"timestamp\":\"2019-01-24T11:13:04.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"module\":\"new-incident\",\"created\":\"2020-07-20T09:36:23.485Z\",\"endpointId\":\"5efb3a520075db7384dfa285\",\"companyId\":\"623c18fb12fb8700396d6375\",\"computer_id\":\"5efb3a520075db7384dfa286\",\"computer_fqdn\":\"desktop-jac14gs\",\"computer_name\":\"DESKTOP-JAC14GS\",\"detection_name\":\"ATC.Malicious\",\"attack_types\":[\"Other\"],\"computer_ip\":\"10.17.23.30\",\"severityScore\":90,\"incident_id\":\"5f1557cbe7b2584f3959ee19\",\"attack_entry\":1688239188,\"parent_process_path\":\"c:\\\\windows\\\\system32\\\\cmd.exe\",\"parent_process_pid\":9636,\"process_path\":\"c:\\\\users\\\\bdadmin\\\\desktop\\\\atcsim\\\\atcsim32.exe\",\"process_pid\":10324,\"username\":\"DESKTOP-JAC14GS\\\\bdadmin\",\"user_sid\":\"S-1-5-21-3349207704-443292085-2237656896-1003\",\"process_command_line\":\"detect\",\"file_hash_md5\":\"ccb1b07bdf330627f02b3c832663a489\",\"file_hash_sha256\":\"d5adc6a65a57d30d3ae70d195983d155e7cd24f26eb1ebebde9b92655251ec55\",\"att_ck_id\":[\"T1036\",\"T1059\",\"T1002\",\"T1012\"],\"severity\":\"high\",\"main_action\":\"no action\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"module\":\"ransomware-mitigation\",\"companyId\":\"623c18fb12fb8700396d6375\",\"product_installed\":\"SVA\",\"user\":{\"name\":\"user\",\"sid\":\"S-11-22-33\"},\"company_name\":\"Bitdefender\",\"computer_name\":\"DC-Nebula\",\"computer_fqdn\":\"undefined\",\"computer_ip\":\"10.17.16.10\",\"computer_id\":\"5ed4d2fef23f7325715dbb22\",\"attack_type\":\"remote\",\"item_count\":\"23\",\"detected_on\":1591007594,\"attack_source\":\"10.10.20.120\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"module\":\"security-container-update-available\",\"product_installed\":\"BEST\",\"companyId\":\"623c18fb12fb8700396d6375\",\"computer_name\":\"security-container-x\",\"computer_fqdn\":\"security-container-x-containers-host.dsd.ro\",\"computer_ip\":\"10.17.15.247\",\"computer_id\":\"60f6ba5e1b3272cce33c3281\",\"host_name\":\"TEST_ENDPOINT_2\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"59b7d9bfa849af3a1465b7e3\",\"endpointId\":\"5e2085febf255a545e52276a\",\"hwid\":\"5e284ff-5b7e43d387ba-54a95\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"endpoint-moved-in\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"endpointId\":\"5e2085febf255a545e52276b\",\"hwid\":\"5e284ff-5b7e43d387ba-54a95\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"endpoint-moved-out\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"endpointId\":\"5e2085febf255a545e52276b\",\"reason\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"uninstall\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"5cf51ba5e8ee8c5b1852a9d7\",\"endpointId\":\"5cf51ba5e8ee8c5b1852a9d6\",\"detection_action\":\"kill\",\"detection_threatName\":\"EICAR-Test-File (not a virus)\",\"detection_pid\":\"2000\",\"detection_exploitTechnique\":\"Flash/Generic\",\"detection_parentPid\":\"4000\",\"detection_path\":\"C:\\\\file15c8ba8b90ea1de127962f464.exe\",\"detection_parentPath\":\"C:\\\\file25c8ba8b90ea1de127962f464.exe\",\"detection_cve\":\"cve string\",\"detection_username\":\"user@domain.com\",\"detection_time\":\"2019-06-03T13:58:30.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"antiexploit\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"5cf51ba5e8ee8c5b1852a9d7\",\"module\":\"install\",\"endpointId\":\"5e2085febf255a545e52276b\",\"hwid\":\"00000000-0000-0000-0000-406186b5bdbdzzz50\",\"companyId\":\"623c18fb12fb8700396d6375\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT_WINDOWS_10\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.0.101\",\"computer_id\":\"5ee30e2b29a4e218489442b6\",\"taskId\":\"5eea0105f23f731302405833\",\"taskType\":\"Debug Session\",\"errorCode\":3,\"username\":\"test@test.com\",\"localPath\":\"/test/dir\",\"networkSharePath\":\"//1.2.3.4/dir\",\"saveToBitdefenderCloud\":0,\"status\":3,\"stopReason\":2,\"failedStorageType\":1,\"startDate\":\"2020-06-24T06:06:48.000Z\",\"endDate\":\"2020-06-24T06:09:28.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"troubleshooting-activity\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"product_installed\":\"EPS\",\"user\":{\"name\":\"admin\",\"sid\":\"BF410F3B-5F3A-41E1-BF8F-28DE6948A355\"},\"computer_name\":\"Computer 1\",\"computer_fqdn\":\"computer1.local\",\"computer_ip\":\"89.160.20.112\",\"computer_id\":\"5c12612db1a43dc3097b23c6\",\"malware_type\":\"file\",\"malware_name\":\"\",\"final_status\":\"quarantined\",\"file_path\":\"/Users/admin/Desktop/\",\"attack_type\":\"targeted attack\",\"detection_level\":\"permissive\",\"is_fileless_attack\":0,\"hwid\":\"22574006-79523827-7401-9565-1295-798280775872\",\"date\":\"2019-01-17T10:01:02.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"hd\",\"_testEvent_\":true}"
- },
- {
- "message": "{\"syncerId\":\"59b7d9bfa849af3a1465b7e3\",\"issueType\":0,\"lastAdReportDate\":\"2017-09-14T08:03:49.671Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"adcloud\",\"_testEvent_\":true}"
- }
- ]
-}
+ "events": [
+ {
+ "message": "{\"computer_name\":\"FC-EXCHANGE-01\",\"computer_fqdn\":\"fc-exchange-01.fc.dom\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"product_installed\":\"BEST\",\"aph_type\":\"phishing\",\"url\":\"http://example.com/account/support/\",\"status\":\"aph_blocked\",\"last_blocked\":\"2017-09-14T08:49:43.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"aph\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-EXCHANGE-01\",\"computer_fqdn\":\"fc-exchange-01.fc.dom\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"product_installed\":\"BEST\",\"endpointId\":\"59b7d9bfa849af3a1465b7e3\",\"serverName\":\"FC-EXCHANGE-01\",\"sender\":\"fc_test01@fc.dom\",\"recipients\":[\"fc_test02@fc.dom\"],\"subject\":\"Emailing Sending.. WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0\",\"detectionTime\":\"2017-09-13T14: 20:37.000Z\",\"malware\":[{\"malwareName\":\"Trojan.Generic.KD.874127\",\"malwareType\":\"virus\",\"actionTaken\":\"quarantine\",\"infectedObject\":\"WL-cbe100c9f42a20ef9a4b1c20ed1a59f9-0\"}],\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"exchange-malware\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-EXCHANGE-01\",\"computer_fqdn\":\"fc-exchange-01.fc.dom\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"product_installed\":\"BEST\",\"product_registration\":\"registered\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"registration\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"10.17.46.196\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"malware_type\":\"file\",\"malware_name\":\"EICAR-Test-File (not a virus)\",\"file_path\":\"C:\\\\eicar0000001.txt\",\"hash\":\"8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71\",\"final_status\":\"deleted\",\"timestamp\":\"2017-09-08T12:01:36.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"av\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"exploit_type\":\"AVC Blocked Exploit\",\"exploit_path\":\"C:\\\\Users\\\\admin\\\\Desktop\\\\Tools\\\\avcsim\\\\win32\\\\avcsim32.exe\",\"status\":\"avc_blocked\",\"last_blocked\":\"2017-09-14T07:56:33.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"avc\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"malware_status\":1,\"aph_status\":1,\"firewall_status\":1,\"avc_status\":1,\"uc_web_filtering\":0,\"uc_categ_filtering\":0,\"uc_application_status\":0,\"dp_status\":0,\"pu_status\":1,\"dlp_status\":0,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"modules\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"status\":\"portscan_blocked\",\"protocol_id\":\"6\",\"source_ip\":\"192.168.0.2\",\"last_blocked\":\"2017-09-08T12:52:03.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"fw\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"status\":0,\"fromSupa\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"supa-update-status\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"target_type\":\"http\",\"blocking_rule_name\":\"dv\",\"url\":\"http://example.com/\",\"status\":\"data_protection_blocked\",\"last_blocked\":\"2017-09-11T10:23:43.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"dp\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"uc_type\":\"http\",\"url\":\"http://192.168.0.1:2869/upnphost/udhisapi.dll\",\"block_type\":\"http_timelimiter\",\"categories\":\"\",\"status\":\"uc_site_blocked\",\"last_blocked\":\"2017-09-08T12:46:30.000Z\",\"count\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"uc\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"FC-WIN7-X64-01\",\"computer_fqdn\":\"fc-win7-x64-01\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59a1604e60369e06733f8abb\",\"product_installed\":\"BEST\",\"userId\":\"59a14b2b1da197c6108b4568\",\"taskId\":\"59b28dc81da19711058b4568\",\"taskName\":\"Quick Scan 2017-09-08(sub-task)\",\"taskType\":272,\"targetName\":\"FC-WIN7-X64-01\",\"isSuccessful\":1,\"status\":3,\"errorMessage\":\"\",\"errorCode\":0,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"task-status\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"bitdefender-sva\",\"computer_fqdn\":\"bitdefender-sva\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b8f3aba849af3a1465b81e\",\"product_installed\":\"SVA\",\"loadAverage\":1,\"cpuUsage\":48,\"memoryUsage\":32,\"networkUsage\":0,\"overallUsage\":48,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"sva-load\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"computer_name\":\"bitdefender-sva\",\"computer_fqdn\":\"bitdefender-sva\",\"computer_ip\":\"192.168.0.1\",\"computer_id\":\"59b8f3aba849af3a1465b81e\",\"product_installed\":\"SVA\",\"powered_off\":0,\"product_update_available\":1,\"product_reboot_required\":0,\"lastupdate\":\"0\",\"updatesigam\":\"7.72479\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"sva\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"endpointId\":\"59a1604e60369e06733f8aba\",\"computerName\":\"FC-WIN7-X64-01\",\"computerIp\":\"192.168.0.1\",\"detectionTime\":1505386969,\"threatType\":\"RANSOMWARE\",\"filePaths\":[\"C:\\\\Users\\\\Administrator\\\\Documents\\\\installer.xml\",\"D:\\\\opt\\\\bitdefender\\\\installer2.xml\",\"D:\\\\sources\\\\console\\\\CommonConsole\\\\app\\\\modules\\\\policies\\\\view\\\\endpoints\\\\networkSandboxing\\\\installer3.xml\"],\"fileSizes\":[\"2614\",\"2615\",\"2616\"],\"remediationActions\":[\"1\",\"\",\"1\"],\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"network-sandboxing\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"endpointId\":\"59b7d9bfa849af3a1465b7e3\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"exchange-user-credentials\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"module\":\"hwid-change\",\"product_installed\":\"BEST\",\"companyId\":\"623c18fb12fb8700396d6375\",\"computer_name\":\"A\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"81.2.69.144\",\"computer_id\":\"5e284ff5b7e43d387ba54a96\",\"old_hwid\":\"00000000-0000-0000-0000-406186b5bde7\",\"new_hwid\":\"00000000-0000-0000-0000-406186b5bde6\",\"endpointId\":\"5e284ff5b7e43d387ba54a95\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"module\":\"network-monitor\",\"product_installed\":\"BEST\",\"user\":{\"userName\":\"user1@domain.com\",\"userSid\":\"S-1-2-3-4\"},\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"5d639e8f48ac2f04f6e00b1c\",\"actionTaken\":\"reportOnly\",\"detection_name\":\"PrivacyThreat.PasswordStealer.HTTP\",\"detection_attackTechnique\":\"discovery\",\"source_ip\":\"10.17.134.4\",\"victim_ip\":\"67.43.156.1\",\"local_port\":\"80\",\"timestamp\":\"2019-01-24T11:13:04.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"module\":\"new-incident\",\"created\":\"2020-07-20T09:36:23.485Z\",\"endpointId\":\"5efb3a520075db7384dfa285\",\"companyId\":\"623c18fb12fb8700396d6375\",\"computer_id\":\"5efb3a520075db7384dfa286\",\"computer_fqdn\":\"desktop-jac14gs\",\"computer_name\":\"DESKTOP-JAC14GS\",\"detection_name\":\"ATC.Malicious\",\"attack_types\":[\"Other\"],\"computer_ip\":\"10.17.23.30\",\"severityScore\":90,\"incident_id\":\"5f1557cbe7b2584f3959ee19\",\"attack_entry\":1688239188,\"parent_process_path\":\"c:\\\\windows\\\\system32\\\\cmd.exe\",\"parent_process_pid\":9636,\"process_path\":\"c:\\\\users\\\\bdadmin\\\\desktop\\\\atcsim\\\\atcsim32.exe\",\"process_pid\":10324,\"username\":\"DESKTOP-JAC14GS\\\\bdadmin\",\"user_sid\":\"S-1-5-21-3349207704-443292085-2237656896-1003\",\"process_command_line\":\"detect\",\"file_hash_md5\":\"ccb1b07bdf330627f02b3c832663a489\",\"file_hash_sha256\":\"d5adc6a65a57d30d3ae70d195983d155e7cd24f26eb1ebebde9b92655251ec55\",\"att_ck_id\":[\"T1036\",\"T1059\",\"T1002\",\"T1012\"],\"severity\":\"high\",\"main_action\":\"no action\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"module\":\"ransomware-mitigation\",\"companyId\":\"623c18fb12fb8700396d6375\",\"product_installed\":\"SVA\",\"user\":{\"name\":\"user\",\"sid\":\"S-11-22-33\"},\"company_name\":\"Bitdefender\",\"computer_name\":\"DC-Nebula\",\"computer_fqdn\":\"undefined\",\"computer_ip\":\"10.17.16.10\",\"computer_id\":\"5ed4d2fef23f7325715dbb22\",\"attack_type\":\"remote\",\"item_count\":\"23\",\"detected_on\":1591007594,\"attack_source\":\"10.10.20.120\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"module\":\"security-container-update-available\",\"product_installed\":\"BEST\",\"companyId\":\"623c18fb12fb8700396d6375\",\"computer_name\":\"security-container-x\",\"computer_fqdn\":\"security-container-x-containers-host.dsd.ro\",\"computer_ip\":\"10.17.15.247\",\"computer_id\":\"60f6ba5e1b3272cce33c3281\",\"host_name\":\"TEST_ENDPOINT_2\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"59b7d9bfa849af3a1465b7e3\",\"endpointId\":\"5e2085febf255a545e52276a\",\"hwid\":\"5e284ff-5b7e43d387ba-54a95\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"endpoint-moved-in\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"endpointId\":\"5e2085febf255a545e52276b\",\"hwid\":\"5e284ff-5b7e43d387ba-54a95\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"endpoint-moved-out\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"59b7d9bfa849af3a1465b7e4\",\"endpointId\":\"5e2085febf255a545e52276b\",\"reason\":1,\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"uninstall\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"5cf51ba5e8ee8c5b1852a9d7\",\"endpointId\":\"5cf51ba5e8ee8c5b1852a9d6\",\"detection_action\":\"kill\",\"detection_threatName\":\"EICAR-Test-File (not a virus)\",\"detection_pid\":\"2000\",\"detection_exploitTechnique\":\"Flash/Generic\",\"detection_parentPid\":\"4000\",\"detection_path\":\"C:\\\\file15c8ba8b90ea1de127962f464.exe\",\"detection_parentPath\":\"C:\\\\file25c8ba8b90ea1de127962f464.exe\",\"detection_cve\":\"cve string\",\"detection_username\":\"user@domain.com\",\"detection_time\":\"2019-06-03T13:58:30.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"antiexploit\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.18.226\",\"computer_id\":\"5cf51ba5e8ee8c5b1852a9d7\",\"module\":\"install\",\"endpointId\":\"5e2085febf255a545e52276b\",\"hwid\":\"00000000-0000-0000-0000-406186b5bdbdzzz50\",\"companyId\":\"623c18fb12fb8700396d6375\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"product_installed\":\"BEST\",\"computer_name\":\"TEST_ENDPOINT_WINDOWS_10\",\"computer_fqdn\":\"test-endpoint.dsd.ro\",\"computer_ip\":\"10.10.0.101\",\"computer_id\":\"5ee30e2b29a4e218489442b6\",\"taskId\":\"5eea0105f23f731302405833\",\"taskType\":\"Debug Session\",\"errorCode\":3,\"username\":\"test@test.com\",\"localPath\":\"/test/dir\",\"networkSharePath\":\"//1.2.3.4/dir\",\"saveToBitdefenderCloud\":0,\"status\":3,\"stopReason\":2,\"failedStorageType\":1,\"startDate\":\"2020-06-24T06:06:48.000Z\",\"endDate\":\"2020-06-24T06:09:28.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"troubleshooting-activity\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"product_installed\":\"EPS\",\"user\":{\"name\":\"admin\",\"sid\":\"BF410F3B-5F3A-41E1-BF8F-28DE6948A355\"},\"computer_name\":\"Computer 1\",\"computer_fqdn\":\"computer1.local\",\"computer_ip\":\"89.160.20.112\",\"computer_id\":\"5c12612db1a43dc3097b23c6\",\"malware_type\":\"file\",\"malware_name\":\"\",\"final_status\":\"quarantined\",\"file_path\":\"/Users/admin/Desktop/\",\"attack_type\":\"targeted attack\",\"detection_level\":\"permissive\",\"is_fileless_attack\":0,\"hwid\":\"22574006-79523827-7401-9565-1295-798280775872\",\"date\":\"2019-01-17T10:01:02.000Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"hd\",\"_testEvent_\":true}"
+ },
+ {
+ "message": "{\"syncerId\":\"59b7d9bfa849af3a1465b7e3\",\"issueType\":0,\"lastAdReportDate\":\"2017-09-14T08:03:49.671Z\",\"companyId\":\"623c18fb12fb8700396d6375\",\"module\":\"adcloud\",\"_testEvent_\":true}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json-expected.json b/packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json-expected.json
index 236756e0933..396cd5a6d6b 100644
--- a/packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json-expected.json
+++ b/packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json-expected.json
@@ -23,7 +23,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "aph_blocked",
@@ -109,7 +109,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"sender": {
@@ -181,7 +181,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -246,7 +246,7 @@
"ip": "10.17.46.196"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deleted",
@@ -326,7 +326,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "avc_blocked",
@@ -405,7 +405,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -469,7 +469,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "portscan_blocked",
@@ -537,7 +537,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "0",
@@ -603,7 +603,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "data_protection_blocked",
@@ -678,7 +678,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "uc_site_blocked",
@@ -756,7 +756,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "3",
@@ -825,7 +825,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -890,7 +890,7 @@
"ip": "192.168.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -960,7 +960,7 @@
"id": "test1234"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1024,7 +1024,7 @@
"id": "test1234"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1087,7 +1087,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1173,7 +1173,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "reportOnly",
@@ -1283,7 +1283,7 @@
"ip": "10.17.23.30"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "no action",
@@ -1389,7 +1389,7 @@
"ip": "10.17.16.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1461,7 +1461,7 @@
"ip": "10.17.15.247"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1523,7 +1523,7 @@
"ip": "10.10.18.226"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1584,7 +1584,7 @@
"ip": "10.10.18.226"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1645,7 +1645,7 @@
"ip": "10.10.18.226"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1715,7 +1715,7 @@
"ip": "10.10.18.226"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "kill",
@@ -1799,7 +1799,7 @@
"ip": "10.10.18.226"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1870,7 +1870,7 @@
"ip": "10.10.0.101"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "3",
@@ -1969,7 +1969,7 @@
"ip": "89.160.20.112"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "quarantined",
@@ -2036,7 +2036,7 @@
"id": "test1234"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/bitdefender/data_stream/push_notifications/elasticsearch/ingest_pipeline/default.yml b/packages/bitdefender/data_stream/push_notifications/elasticsearch/ingest_pipeline/default.yml
index 0bf160b9c6a..3d9403a8e7a 100644
--- a/packages/bitdefender/data_stream/push_notifications/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/bitdefender/data_stream/push_notifications/elasticsearch/ingest_pipeline/default.yml
@@ -1,5 +1,4 @@
---
-version: 2
description: Processes HTTP JSON events from BitDefender
processors:
- json:
@@ -31,7 +30,7 @@ processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
### fix common dumb string/numeric conflicts that we've seen so far, before doing anything else
### NOTE: given the insanity oozing out of the "defined" BitDefender push notification event type formats,
diff --git a/packages/bitdefender/data_stream/push_notifications/manifest.yml b/packages/bitdefender/data_stream/push_notifications/manifest.yml
index 1c7c2934adf..9854c1424f3 100644
--- a/packages/bitdefender/data_stream/push_notifications/manifest.yml
+++ b/packages/bitdefender/data_stream/push_notifications/manifest.yml
@@ -79,3 +79,4 @@ streams:
show_user: false
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/bitdefender/data_stream/push_notifications/sample_event.json b/packages/bitdefender/data_stream/push_notifications/sample_event.json
index c17b00dee0d..5f942670760 100644
--- a/packages/bitdefender/data_stream/push_notifications/sample_event.json
+++ b/packages/bitdefender/data_stream/push_notifications/sample_event.json
@@ -24,7 +24,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "f0239f6f-245e-4d57-bada-68e5f564b259",
diff --git a/packages/bitdefender/data_stream/push_statistics/_dev/test/pipeline/test-push-statistics.json b/packages/bitdefender/data_stream/push_statistics/_dev/test/pipeline/test-push-statistics.json
index bf98a2f0827..81beee2c41c 100644
--- a/packages/bitdefender/data_stream/push_statistics/_dev/test/pipeline/test-push-statistics.json
+++ b/packages/bitdefender/data_stream/push_statistics/_dev/test/pipeline/test-push-statistics.json
@@ -1,3 +1,7 @@
{
- "events": [{"message":"{\"id\":\"1\",\"jsonrpc\":\"2.0\",\"result\":{\"count\":{\"errorMessages\":0,\"events\":9,\"sentMessages\":7,\"testEvents\":0},\"error\":{\"configurationError\":0,\"connectionError\":0,\"serviceError\":0,\"statusCode2xx\":0,\"statusCode300\":0,\"statusCode400\":0,\"statusCode500\":0,\"timeout\":0},\"lastUpdateTime\":\"2023-01-13T16:26:34\"}}"}]
-}
+ "events": [
+ {
+ "message": "{\"id\":\"1\",\"jsonrpc\":\"2.0\",\"result\":{\"count\":{\"errorMessages\":0,\"events\":9,\"sentMessages\":7,\"testEvents\":0},\"error\":{\"configurationError\":0,\"connectionError\":0,\"serviceError\":0,\"statusCode2xx\":0,\"statusCode300\":0,\"statusCode400\":0,\"statusCode500\":0,\"timeout\":0},\"lastUpdateTime\":\"2023-01-13T16:26:34\"}}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/bitdefender/data_stream/push_statistics/_dev/test/pipeline/test-push-statistics.json-expected.json b/packages/bitdefender/data_stream/push_statistics/_dev/test/pipeline/test-push-statistics.json-expected.json
index e7c9ba930f7..063b72e17a0 100644
--- a/packages/bitdefender/data_stream/push_statistics/_dev/test/pipeline/test-push-statistics.json-expected.json
+++ b/packages/bitdefender/data_stream/push_statistics/_dev/test/pipeline/test-push-statistics.json-expected.json
@@ -25,7 +25,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "{\"id\":\"1\",\"jsonrpc\":\"2.0\",\"result\":{\"count\":{\"errorMessages\":0,\"events\":9,\"sentMessages\":7,\"testEvents\":0},\"error\":{\"configurationError\":0,\"connectionError\":0,\"serviceError\":0,\"statusCode2xx\":0,\"statusCode300\":0,\"statusCode400\":0,\"statusCode500\":0,\"timeout\":0},\"lastUpdateTime\":\"2023-01-13T16:26:34\"}}"
diff --git a/packages/bitdefender/data_stream/push_statistics/agent/stream/httpjson.yml.hbs b/packages/bitdefender/data_stream/push_statistics/agent/stream/httpjson.yml.hbs
index bddfb9a873b..f410e481d4d 100644
--- a/packages/bitdefender/data_stream/push_statistics/agent/stream/httpjson.yml.hbs
+++ b/packages/bitdefender/data_stream/push_statistics/agent/stream/httpjson.yml.hbs
@@ -1,5 +1,8 @@
config_version: 2
interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
request.url: {{url}}
request.method: POST
{{#if proxy_url }}
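Review bot: Nothing in the template marks the new `request.tracer.filename` block as a debug-only setting that writes every request and response the input makes, including request headers that may carry the API credentials, to the agent's local filesystem; that context lives only in the manifest var description, which an operator editing the template will not see. A Handlebars comment directly above the `{{#if enable_request_tracer}}` line would keep it with the code, e.g. `{{!-- Debug only: the trace file captures full requests/responses, see enable_request_tracer in manifest.yml --}}`, assuming the renderer strips `{{!-- --}}` comments as standard Handlebars does. The same block is added in the bitwarden collection, event, group and policy `httpjson.yml.hbs` templates, so the comment belongs in each. The bitwarden package-level declaration of `enable_request_tracer` is not in this part of the diff; if it is missing, the `{{#if}}` simply never renders and the option silently does nothing.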
diff --git a/packages/bitdefender/data_stream/push_statistics/elasticsearch/ingest_pipeline/default.yml b/packages/bitdefender/data_stream/push_statistics/elasticsearch/ingest_pipeline/default.yml
index a0cc03bfa7c..a8ca0f51ca5 100644
--- a/packages/bitdefender/data_stream/push_statistics/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/bitdefender/data_stream/push_statistics/elasticsearch/ingest_pipeline/default.yml
@@ -1,5 +1,4 @@
---
-version: 1
description: Pipeline for BitDefender push notification stats
processors:
- json:
@@ -10,7 +9,7 @@ processors:
message: missing json object in input document
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/bitdefender/data_stream/push_statistics/manifest.yml b/packages/bitdefender/data_stream/push_statistics/manifest.yml
index 097eee86b58..f173e4c8dc1 100644
--- a/packages/bitdefender/data_stream/push_statistics/manifest.yml
+++ b/packages/bitdefender/data_stream/push_statistics/manifest.yml
@@ -38,7 +38,7 @@ streams:
- name: interval
type: text
title: Interval
- description: Duration between requests to the API.
+ description: Duration between requests to the API. Supported units for this parameter are h/m/s.
multi: false
required: true
show_user: false
diff --git a/packages/bitdefender/data_stream/push_statistics/sample_event.json b/packages/bitdefender/data_stream/push_statistics/sample_event.json
index 448a682095b..cc11025d982 100644
--- a/packages/bitdefender/data_stream/push_statistics/sample_event.json
+++ b/packages/bitdefender/data_stream/push_statistics/sample_event.json
@@ -36,7 +36,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "f0239f6f-245e-4d57-bada-68e5f564b259",
diff --git a/packages/bitdefender/docs/README.md b/packages/bitdefender/docs/README.md
index 03c38dc15ca..a03146d7433 100644
--- a/packages/bitdefender/docs/README.md
+++ b/packages/bitdefender/docs/README.md
@@ -340,10 +340,10 @@ All BitDefender GravityZone log events are available in the `bitdefender_gravity
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.id | Unique ID to describe the event. | keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
@@ -466,7 +466,7 @@ An example event for `push_notifications` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "f0239f6f-245e-4d57-bada-68e5f564b259",
@@ -621,7 +621,7 @@ An example event for `push_configuration` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "f0239f6f-245e-4d57-bada-68e5f564b259",
@@ -720,7 +720,7 @@ An example event for `push_statistics` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "f0239f6f-245e-4d57-bada-68e5f564b259",
diff --git a/packages/bitdefender/kibana/tags.yml b/packages/bitdefender/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/bitdefender/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/bitdefender/manifest.yml b/packages/bitdefender/manifest.yml
index 7ada8d2f352..e1c75466f8d 100644
--- a/packages/bitdefender/manifest.yml
+++ b/packages/bitdefender/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: bitdefender
title: "BitDefender"
-version: "1.0.0"
+version: "1.5.0"
source:
license: "Elastic-2.0"
description: "Ingest BitDefender GravityZone logs and data"
@@ -9,8 +9,10 @@ type: integration
categories:
- security
conditions:
- kibana.version: "^8.5.1"
- elastic.subscription: "basic"
+ kibana:
+ version: "^8.5.1"
+ elastic:
+ subscription: "basic"
screenshots:
- src: /img/bitdefender-dashboard-push-notifications.png
title: Push Notifications Dashboard
@@ -72,5 +74,13 @@ policy_templates:
title: BitDefender GravityZone API Key
show_user: true
required: true
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
owner:
github: elastic/security-external-integrations
+ type: elastic
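Review bot: The new `enable_request_tracer` var carries no `default:`, so a policy rendered without the user opening advanced options has no value for it and the off state depends entirely on the template's `{{#if}}` treating an undefined var as false. Adding `default: false` next to `show_user: false` makes the off state explicit in both the manifest and the rendered policy, which is worth having for a setting whose own description says it compromises security. The `conditions` restructuring and the `owner.type: elastic` line look consistent with the `format_version: "3.0.0"` bump, though the bitdefender changelog entry for 1.5.0 is not in this part of the diff.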
diff --git a/packages/bitwarden/_dev/build/build.yml b/packages/bitwarden/_dev/build/build.yml
index 84034dcea1e..c1af686e524 100644
--- a/packages/bitwarden/_dev/build/build.yml
+++ b/packages/bitwarden/_dev/build/build.yml
@@ -1,4 +1,4 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
import_mappings: true
diff --git a/packages/bitwarden/changelog.yml b/packages/bitwarden/changelog.yml
index 06bf3c693c4..984dcfddd30 100644
--- a/packages/bitwarden/changelog.yml
+++ b/packages/bitwarden/changelog.yml
@@ -1,4 +1,34 @@
# newer versions go on top
+- version: 1.5.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.4.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.3.0"
+ changes:
+ - description: Add support for HTTP request trace logging.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7338
+- version: "1.2.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.1.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
+- version: "1.0.1"
+ changes:
+ - description: Remove confusing error message tag prefix.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7105
- version: "1.0.0"
changes:
- description: Release Bitwarden as GA.
diff --git a/packages/bitwarden/data_stream/collection/_dev/test/pipeline/test-collection.log-expected.json b/packages/bitwarden/data_stream/collection/_dev/test/pipeline/test-collection.log-expected.json
index f8e37c29ed4..a55b9e29fe9 100644
--- a/packages/bitwarden/data_stream/collection/_dev/test/pipeline/test-collection.log-expected.json
+++ b/packages/bitwarden/data_stream/collection/_dev/test/pipeline/test-collection.log-expected.json
@@ -11,7 +11,7 @@
"object": "collection"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/bitwarden/data_stream/collection/agent/stream/httpjson.yml.hbs b/packages/bitwarden/data_stream/collection/agent/stream/httpjson.yml.hbs
index ded1daf0de1..68bc236a7ec 100644
--- a/packages/bitwarden/data_stream/collection/agent/stream/httpjson.yml.hbs
+++ b/packages/bitwarden/data_stream/collection/agent/stream/httpjson.yml.hbs
@@ -1,5 +1,8 @@
config_version: 2
interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
request.method: GET
request.url: {{url}}/public/collections
{{#if proxy_url}}
diff --git a/packages/bitwarden/data_stream/collection/elasticsearch/ingest_pipeline/default.yml b/packages/bitwarden/data_stream/collection/elasticsearch/ingest_pipeline/default.yml
index 158b5755ae6..26ab2182e13 100644
--- a/packages/bitwarden/data_stream/collection/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/bitwarden/data_stream/collection/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing collection logs.
processors:
- set:
field: ecs.version
- value: 8.8.0
+ value: 8.9.0
- rename:
field: message
target_field: event.original
@@ -15,7 +15,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- drop:
if: ctx.json?.data != null && ctx.json.data.isEmpty()
- set:
diff --git a/packages/bitwarden/data_stream/collection/manifest.yml b/packages/bitwarden/data_stream/collection/manifest.yml
index 2924b6c660d..a799adc03b2 100644
--- a/packages/bitwarden/data_stream/collection/manifest.yml
+++ b/packages/bitwarden/data_stream/collection/manifest.yml
@@ -17,7 +17,7 @@ streams:
- name: http_client_timeout
type: text
title: HTTP client timeout
- description: "Duration before declaring that the HTTP client connection has timed out. NOTE: Valid time units are ns, us, ms, s, m, h."
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: true
show_user: false
diff --git a/packages/bitwarden/data_stream/collection/sample_event.json b/packages/bitwarden/data_stream/collection/sample_event.json
index 5886cfa2358..3899b636d85 100644
--- a/packages/bitwarden/data_stream/collection/sample_event.json
+++ b/packages/bitwarden/data_stream/collection/sample_event.json
@@ -22,7 +22,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ff2a1bfe-20b0-4bab-ad84-8609f33b69f8",
diff --git a/packages/bitwarden/data_stream/event/_dev/test/pipeline/test-event.log-expected.json b/packages/bitwarden/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
index 8294bc26d4e..a83c3b5cc4b 100644
--- a/packages/bitwarden/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
+++ b/packages/bitwarden/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
@@ -36,7 +36,7 @@
"object": "event"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -101,7 +101,7 @@
"object": "event"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -166,7 +166,7 @@
"object": "event"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -224,7 +224,7 @@
"object": "event"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/bitwarden/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/bitwarden/data_stream/event/agent/stream/httpjson.yml.hbs
index d10d4407b21..240208fcbbb 100644
--- a/packages/bitwarden/data_stream/event/agent/stream/httpjson.yml.hbs
+++ b/packages/bitwarden/data_stream/event/agent/stream/httpjson.yml.hbs
@@ -1,5 +1,8 @@
config_version: 2
interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
request.method: GET
request.url: {{url}}/public/events
{{#if proxy_url}}
diff --git a/packages/bitwarden/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/bitwarden/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 91c9fe8e595..739e64f86c9 100644
--- a/packages/bitwarden/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/bitwarden/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing event logs.
processors:
- set:
field: ecs.version
- value: 8.8.0
+ value: 8.9.0
- rename:
field: message
target_field: event.original
@@ -18,7 +18,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- drop:
if: ctx.json?.data != null && ctx.json.data.isEmpty()
- fingerprint:
@@ -47,7 +47,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- script:
lang: painless
ignore_failure: false
@@ -601,7 +601,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
field: json.date
target_field: bitwarden.event.date
@@ -612,7 +612,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.device
tag: 'convert_device_to_string'
@@ -623,7 +623,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- script:
lang: painless
ignore_failure: false
@@ -671,7 +671,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- append:
field: related.ip
value: '{{{bitwarden.event.ip_address}}}'
diff --git a/packages/bitwarden/data_stream/event/manifest.yml b/packages/bitwarden/data_stream/event/manifest.yml
index 5b79991c2dc..8c203141274 100644
--- a/packages/bitwarden/data_stream/event/manifest.yml
+++ b/packages/bitwarden/data_stream/event/manifest.yml
@@ -25,7 +25,7 @@ streams:
- name: http_client_timeout
type: text
title: HTTP client timeout
- description: "Duration before declaring that the HTTP client connection has timed out. NOTE: Valid time units are ns, us, ms, s, m, h."
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: true
show_user: false
diff --git a/packages/bitwarden/data_stream/event/sample_event.json b/packages/bitwarden/data_stream/event/sample_event.json
index 56111bdcda2..a3d6b427cff 100644
--- a/packages/bitwarden/data_stream/event/sample_event.json
+++ b/packages/bitwarden/data_stream/event/sample_event.json
@@ -46,7 +46,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ff2a1bfe-20b0-4bab-ad84-8609f33b69f8",
diff --git a/packages/bitwarden/data_stream/group/_dev/test/pipeline/test-group.log-expected.json b/packages/bitwarden/data_stream/group/_dev/test/pipeline/test-group.log-expected.json
index 20e8d353e7e..4bfbe17f6dc 100644
--- a/packages/bitwarden/data_stream/group/_dev/test/pipeline/test-group.log-expected.json
+++ b/packages/bitwarden/data_stream/group/_dev/test/pipeline/test-group.log-expected.json
@@ -19,7 +19,7 @@
"object": "group"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/bitwarden/data_stream/group/agent/stream/httpjson.yml.hbs b/packages/bitwarden/data_stream/group/agent/stream/httpjson.yml.hbs
index 57380ed6d37..02fe69f6575 100644
--- a/packages/bitwarden/data_stream/group/agent/stream/httpjson.yml.hbs
+++ b/packages/bitwarden/data_stream/group/agent/stream/httpjson.yml.hbs
@@ -1,5 +1,8 @@
config_version: 2
interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
request.method: GET
request.url: {{url}}/public/groups
{{#if proxy_url}}
diff --git a/packages/bitwarden/data_stream/group/elasticsearch/ingest_pipeline/default.yml b/packages/bitwarden/data_stream/group/elasticsearch/ingest_pipeline/default.yml
index 738aab447b4..fb6409def1a 100644
--- a/packages/bitwarden/data_stream/group/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/bitwarden/data_stream/group/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing event logs.
processors:
- set:
field: ecs.version
- value: 8.8.0
+ value: 8.9.0
- rename:
field: message
target_field: event.original
@@ -15,7 +15,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: event.kind
value: event
@@ -45,7 +45,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
field: json.externalId
target_field: bitwarden.group.external.id
@@ -78,7 +78,7 @@ processors:
ignore_missing: true
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- foreach:
field: json.collections
if: ctx.json?.collections instanceof List
diff --git a/packages/bitwarden/data_stream/group/manifest.yml b/packages/bitwarden/data_stream/group/manifest.yml
index 9493fe3debf..86229916ad4 100644
--- a/packages/bitwarden/data_stream/group/manifest.yml
+++ b/packages/bitwarden/data_stream/group/manifest.yml
@@ -17,7 +17,7 @@ streams:
- name: http_client_timeout
type: text
title: HTTP client timeout
- description: "Duration before declaring that the HTTP client connection has timed out. NOTE: Valid time units are ns, us, ms, s, m, h."
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: true
show_user: false
diff --git a/packages/bitwarden/data_stream/group/sample_event.json b/packages/bitwarden/data_stream/group/sample_event.json
index 007c82b41fb..93e0838fb36 100644
--- a/packages/bitwarden/data_stream/group/sample_event.json
+++ b/packages/bitwarden/data_stream/group/sample_event.json
@@ -30,7 +30,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ff2a1bfe-20b0-4bab-ad84-8609f33b69f8",
diff --git a/packages/bitwarden/data_stream/policy/_dev/test/pipeline/test-policy.log-expected.json b/packages/bitwarden/data_stream/policy/_dev/test/pipeline/test-policy.log-expected.json
index ec324a49133..f30f1b3acdd 100644
--- a/packages/bitwarden/data_stream/policy/_dev/test/pipeline/test-policy.log-expected.json
+++ b/packages/bitwarden/data_stream/policy/_dev/test/pipeline/test-policy.log-expected.json
@@ -30,7 +30,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -60,7 +60,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -99,7 +99,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -129,7 +129,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -159,7 +159,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -186,7 +186,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -213,7 +213,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -240,7 +240,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/bitwarden/data_stream/policy/agent/stream/httpjson.yml.hbs b/packages/bitwarden/data_stream/policy/agent/stream/httpjson.yml.hbs
index d91e0076c85..d5a4199fec3 100644
--- a/packages/bitwarden/data_stream/policy/agent/stream/httpjson.yml.hbs
+++ b/packages/bitwarden/data_stream/policy/agent/stream/httpjson.yml.hbs
@@ -1,5 +1,8 @@
config_version: 2
interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
request.method: GET
request.url: {{url}}/public/policies
{{#if proxy_url}}
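Review bot: The new `request.tracer.filename` block carries no hint in the template itself about what it does; the only warning lives in the package manifest's variable description, which says the tracer writes requests and responses to the agent's local file-system and that enabling it "compromises security". A Handlebars comment above the guard keeps that context next to the setting, e.g. `{{!-- Debug-only: writes full HTTP request/response traces to local disk; leave disabled in production --}}`. The `*` in `http-request-trace-*.ndjson` is presumably expanded by the httpjson input to an instance-specific value — worth confirming against the filebeat documentation the manifest links to, since a literal `*` in the path would be surprising. The template's remaining settings continue outside the hunk.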
diff --git a/packages/bitwarden/data_stream/policy/elasticsearch/ingest_pipeline/default.yml b/packages/bitwarden/data_stream/policy/elasticsearch/ingest_pipeline/default.yml
index 4c74c421a91..293f7cde142 100644
--- a/packages/bitwarden/data_stream/policy/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/bitwarden/data_stream/policy/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing policy logs.
processors:
- set:
field: ecs.version
- value: 8.8.0
+ value: 8.9.0
- rename:
field: message
target_field: event.original
@@ -15,7 +15,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- drop:
if: ctx.json?.data != null && ctx.json.data.isEmpty()
- set:
@@ -34,7 +34,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.autoEnrollEnabled
tag: 'convert_autoEnrollEnabled_to_string'
@@ -45,7 +45,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.capitalize
tag: 'convert_capitalize_to_string'
@@ -55,7 +55,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.disableHideEmail
tag: 'convert_disableHideEmail_to_string'
@@ -66,7 +66,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.includeNumber
tag: 'convert_includeNumber_to_string'
@@ -77,7 +77,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.minComplexity
tag: 'convert_minComplexity_to_string'
@@ -88,7 +88,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.minLength
tag: 'convert_minLength_to_string'
@@ -99,7 +99,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.minNumbers
tag: 'convert_minNumbers_to_string'
@@ -110,7 +110,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.minNumberWords
tag: 'convert_minNumberWords_to_string'
@@ -121,7 +121,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.minSpecial
tag: 'convert_minSpecial_to_string'
@@ -132,7 +132,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.minutes
tag: 'convert_minutes_to_string'
@@ -142,7 +142,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.requireLower
tag: 'convert_requireLower_to_string'
@@ -153,7 +153,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.requireNumbers
tag: 'convert_requireNumbers_to_string'
@@ -164,7 +164,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.requireSpecial
tag: 'convert_requireSpecial_to_string'
@@ -175,7 +175,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.requireUpper
tag: 'convert_requireUpper_to_string'
@@ -186,7 +186,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.useLower
tag: 'convert_useLower_to_string'
@@ -197,7 +197,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.useNumbers
tag: 'convert_useNumbers_to_string'
@@ -208,7 +208,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.useSpecial
tag: 'convert_useSpecial_to_string'
@@ -219,7 +219,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
field: json.data.useUpper
tag: 'convert_useUpper_to_string'
@@ -230,7 +230,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
field: json.data.defaultType
target_field: json.data.default_type
@@ -257,7 +257,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- script:
lang: painless
ignore_failure: false
diff --git a/packages/bitwarden/data_stream/policy/manifest.yml b/packages/bitwarden/data_stream/policy/manifest.yml
index d61ec34bf2a..5b3af4f7d6a 100644
--- a/packages/bitwarden/data_stream/policy/manifest.yml
+++ b/packages/bitwarden/data_stream/policy/manifest.yml
@@ -17,7 +17,7 @@ streams:
- name: http_client_timeout
type: text
title: HTTP client timeout
- description: "Duration before declaring that the HTTP client connection has timed out. NOTE: Valid time units are ns, us, ms, s, m, h."
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: true
show_user: false
diff --git a/packages/bitwarden/data_stream/policy/sample_event.json b/packages/bitwarden/data_stream/policy/sample_event.json
index d1a8c6e8307..73847f648f7 100644
--- a/packages/bitwarden/data_stream/policy/sample_event.json
+++ b/packages/bitwarden/data_stream/policy/sample_event.json
@@ -41,7 +41,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ff2a1bfe-20b0-4bab-ad84-8609f33b69f8",
diff --git a/packages/bitwarden/docs/README.md b/packages/bitwarden/docs/README.md
index 9a3ba6937e6..f308bab80e3 100644
--- a/packages/bitwarden/docs/README.md
+++ b/packages/bitwarden/docs/README.md
@@ -73,7 +73,7 @@ An example event for `collection` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ff2a1bfe-20b0-4bab-ad84-8609f33b69f8",
@@ -179,7 +179,7 @@ An example event for `event` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ff2a1bfe-20b0-4bab-ad84-8609f33b69f8",
@@ -306,7 +306,7 @@ An example event for `group` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ff2a1bfe-20b0-4bab-ad84-8609f33b69f8",
@@ -417,7 +417,7 @@ An example event for `policy` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ff2a1bfe-20b0-4bab-ad84-8609f33b69f8",
diff --git a/packages/bitwarden/kibana/tags.yml b/packages/bitwarden/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/bitwarden/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/bitwarden/manifest.yml b/packages/bitwarden/manifest.yml
index db1583fdf66..56995152079 100644
--- a/packages/bitwarden/manifest.yml
+++ b/packages/bitwarden/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: bitwarden
title: Bitwarden
-version: "1.0.0"
+version: "1.5.0"
source:
license: Elastic-2.0
description: Collect logs from Bitwarden with Elastic Agent.
@@ -10,8 +10,10 @@ categories:
- security
- credential_management
conditions:
- kibana.version: "^8.4.1"
- elastic.subscription: "basic"
+ kibana:
+ version: "^8.4.1"
+ elastic:
+ subscription: "basic"
screenshots:
- src: /img/bitwarden-event-dashboard.png
title: Event dashboard
@@ -105,5 +107,13 @@ policy_templates:
# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
# sxSmbIUfc2SGJGCJD4I=
# -----END CERTIFICATE-----
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
owner:
github: elastic/security-external-integrations
+ type: elastic
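Review bot: `enable_request_tracer` is added without an explicit `default`, so the disabled state is only implicit in the `{{#if enable_request_tracer}}` guards of the stream templates; adding `default: false` under the new variable makes the intended default visible in the policy UI and in generated documentation. The description already states that tracing compromises security, which is the right register; it could additionally tell operators to delete the trace files once debugging is finished, since turning the option back off presumably stops new writes but leaves existing files on the agent host. The `policy_templates` entry this variable belongs to begins outside the hunk.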
diff --git a/packages/box_events/_dev/build/build.yml b/packages/box_events/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/box_events/_dev/build/build.yml
+++ b/packages/box_events/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/box_events/changelog.yml b/packages/box_events/changelog.yml
index a19fa65f2f0..9d6e8dea9f7 100644
--- a/packages/box_events/changelog.yml
+++ b/packages/box_events/changelog.yml
@@ -1,4 +1,24 @@
# newer versions go on top
+- version: "1.9.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.8.0"
+ changes:
+ - description: Update package-spec to 2.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7592
+- version: "1.7.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.6.0"
+ changes:
+ - description: Document valid duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6706
- version: "1.5.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-anomalous-download.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-anomalous-download.log-expected.json
index 5dde383de54..c5656cd4866 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-anomalous-download.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-anomalous-download.log-expected.json
@@ -47,7 +47,7 @@
"ip": "10.1.2.3"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_ALERT",
@@ -191,7 +191,7 @@
"ip": "10.1.2.3"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_ALERT",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-copy.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-copy.log-expected.json
index 916eedad050..dc189c2fb5e 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-copy.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-copy.log-expected.json
@@ -54,7 +54,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_COPY",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-create.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-create.log-expected.json
index 0bb966ccac7..c3cc62b9b50 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-create.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-create.log-expected.json
@@ -66,7 +66,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_CREATE",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-download.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-download.log-expected.json
index da5cfcc32bf..0015d38acb3 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-download.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-download.log-expected.json
@@ -71,7 +71,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_DOWNLOAD",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-event-types.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-event-types.log-expected.json
index b910ced137f..5fe3e70c05e 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-event-types.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-event-types.log-expected.json
@@ -2,7 +2,7 @@
"expected": [
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACCESS_GRANTED",
@@ -21,7 +21,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACCESS_REVOKED",
@@ -40,7 +40,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ADD_DEVICE_ASSOCIATION",
@@ -59,7 +59,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ADD_LOGIN_ACTIVITY_DEVICE",
@@ -79,7 +79,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ADMIN_LOGIN",
@@ -97,7 +97,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "APPLICATION_CREATED",
@@ -115,7 +115,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "APPLICATION_PUBLIC_KEY_ADDED",
@@ -135,7 +135,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "APPLICATION_PUBLIC_KEY_DELETED",
@@ -155,7 +155,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CHANGE_ADMIN_ROLE",
@@ -173,7 +173,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CHANGE_FOLDER_PERMISSION",
@@ -192,7 +192,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COLLABORATION_ACCEPT",
@@ -211,7 +211,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COLLABORATION_EXPIRATION",
@@ -230,7 +230,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COLLABORATION_INVITE",
@@ -249,7 +249,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COLLABORATION_REMOVE",
@@ -268,7 +268,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COLLABORATION_ROLE_CHANGE",
@@ -287,7 +287,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COLLAB_ADD_COLLABORATOR",
@@ -306,7 +306,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COLLAB_INVITE_COLLABORATOR",
@@ -324,7 +324,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COLLAB_REMOVE_COLLABORATOR",
@@ -343,7 +343,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COLLAB_ROLE_CHANGE",
@@ -362,7 +362,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COMMENT_CREATE",
@@ -380,7 +380,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COMMENT_DELETE",
@@ -398,7 +398,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CONTENT_ACCESS",
@@ -416,7 +416,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CONTENT_WORKFLOW_ABNORMAL_DOWNLOAD_ACTIVITY",
@@ -437,7 +437,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CONTENT_WORKFLOW_AUTOMATION_ADD",
@@ -455,7 +455,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CONTENT_WORKFLOW_AUTOMATION_DELETE",
@@ -473,7 +473,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CONTENT_WORKFLOW_POLICY_ADD",
@@ -492,7 +492,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CONTENT_WORKFLOW_SHARING_POLICY_VIOLATION",
@@ -512,7 +512,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CONTENT_WORKFLOW_UPLOAD_POLICY_VIOLATION",
@@ -532,7 +532,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "COPY",
@@ -550,7 +550,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DATA_RETENTION_CREATE_RETENTION",
@@ -569,7 +569,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DATA_RETENTION_REMOVE_RETENTION",
@@ -588,7 +588,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DELETE",
@@ -606,7 +606,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DELETE_USER",
@@ -625,7 +625,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DEVICE_TRUST_CHECK_FAILED",
@@ -645,7 +645,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DOWNLOAD",
@@ -663,7 +663,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "EDIT",
@@ -682,7 +682,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "EDIT_USER",
@@ -700,7 +700,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "EMAIL_ALIAS_CONFIRM",
@@ -718,7 +718,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "EMAIL_ALIAS_REMOVE",
@@ -736,7 +736,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ENABLE_TWO_FACTOR_AUTH",
@@ -754,7 +754,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ENTERPRISE_APP_AUTHORIZATION_UPDATE",
@@ -773,7 +773,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "FAILED_LOGIN",
@@ -793,7 +793,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "FILE_MARKED_MALICIOUS",
@@ -812,7 +812,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "FILE_WATERMARKED_DOWNLOAD",
@@ -830,7 +830,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "GROUP_ADD_ITEM",
@@ -849,7 +849,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "GROUP_ADD_USER",
@@ -868,7 +868,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "GROUP_CREATION",
@@ -887,7 +887,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "GROUP_DELETION",
@@ -906,7 +906,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "GROUP_EDITED",
@@ -925,7 +925,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "GROUP_REMOVE_ITEM",
@@ -944,7 +944,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "GROUP_REMOVE_USER",
@@ -964,7 +964,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_COPY",
@@ -982,7 +982,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_CREATE",
@@ -1000,7 +1000,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_DOWNLOAD",
@@ -1018,7 +1018,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_MAKE_CURRENT_VERSION",
@@ -1037,7 +1037,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_MODIFY",
@@ -1055,7 +1055,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_MOVE",
@@ -1074,7 +1074,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_OPEN",
@@ -1092,7 +1092,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_PREVIEW",
@@ -1110,7 +1110,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_RENAME",
@@ -1129,7 +1129,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_SHARED",
@@ -1148,7 +1148,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_SHARED_CREATE",
@@ -1167,7 +1167,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_SHARED_UNSHARE",
@@ -1186,7 +1186,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_SHARED_UPDATE",
@@ -1205,7 +1205,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_SYNC",
@@ -1224,7 +1224,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_TRASH",
@@ -1243,7 +1243,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_UNDELETE_VIA_TRASH",
@@ -1262,7 +1262,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_UNSYNC",
@@ -1281,7 +1281,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_UPLOAD",
@@ -1299,7 +1299,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LEGAL_HOLD_ASSIGNMENT_CREATE",
@@ -1318,7 +1318,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LEGAL_HOLD_ASSIGNMENT_DELETE",
@@ -1337,7 +1337,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LEGAL_HOLD_POLICY_CREATE",
@@ -1356,7 +1356,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LEGAL_HOLD_POLICY_DELETE",
@@ -1375,7 +1375,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LEGAL_HOLD_POLICY_UPDATE",
@@ -1394,7 +1394,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LOCK",
@@ -1413,7 +1413,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LOCK_CREATE",
@@ -1432,7 +1432,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LOCK_DESTROY",
@@ -1451,7 +1451,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "LOGIN",
@@ -1469,7 +1469,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "MASTER_INVITE_ACCEPT",
@@ -1487,7 +1487,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "MASTER_INVITE_REJECT",
@@ -1505,7 +1505,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "METADATA_INSTANCE_CREATE",
@@ -1523,7 +1523,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "METADATA_INSTANCE_DELETE",
@@ -1541,7 +1541,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "METADATA_INSTANCE_UPDATE",
@@ -1559,7 +1559,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "METADATA_TEMPLATE_CREATE",
@@ -1577,7 +1577,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "METADATA_TEMPLATE_DELETE",
@@ -1595,7 +1595,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "METADATA_TEMPLATE_UPDATE",
@@ -1613,7 +1613,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "MOVE",
@@ -1632,7 +1632,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "NEW_USER",
@@ -1650,7 +1650,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "PREVIEW",
@@ -1668,7 +1668,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "REMOVE_DEVICE_ASSOCIATION",
@@ -1686,7 +1686,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "REMOVE_LOGIN_ACTIVITY_DEVICE",
@@ -1705,7 +1705,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "RENAME",
@@ -1724,7 +1724,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "RETENTION_POLICY_ASSIGNMENT_ADD",
@@ -1743,7 +1743,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHARE",
@@ -1762,7 +1762,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHARE_EXPIRATION",
@@ -1781,7 +1781,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_ALERT",
@@ -1799,7 +1799,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_EXTERNAL_COLLAB_ACCESS_BLOCKED",
@@ -1818,7 +1818,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_EXTERNAL_COLLAB_ACCESS_BLOCKED_MISSING_JUSTIFICATION",
@@ -1837,7 +1837,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_EXTERNAL_COLLAB_INVITE_BLOCKED",
@@ -1856,7 +1856,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_EXTERNAL_COLLAB_INVITE_BLOCKED_MISSING_JUSTIFICATION",
@@ -1875,7 +1875,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_JUSTIFICATION_APPROVAL",
@@ -1894,7 +1894,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGN_DOCUMENT_ASSIGNED",
@@ -1913,7 +1913,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGN_DOCUMENT_CANCELLED",
@@ -1932,7 +1932,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGN_DOCUMENT_COMPLETED",
@@ -1951,7 +1951,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGN_DOCUMENT_CONVERTED",
@@ -1970,7 +1970,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGN_DOCUMENT_CREATED",
@@ -1989,7 +1989,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGN_DOCUMENT_DECLINED",
@@ -2008,7 +2008,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGN_DOCUMENT_EXPIRED",
@@ -2027,7 +2027,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGN_DOCUMENT_SIGNED",
@@ -2046,7 +2046,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGN_DOCUMENT_VIEWED_BY_SIGNED",
@@ -2065,7 +2065,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGNER_DOWNLOADED",
@@ -2084,7 +2084,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIGNER_FORWARDED",
@@ -2103,7 +2103,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "STORAGE_EXPIRATION",
@@ -2121,7 +2121,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "TAG_ITEM_CREATE",
@@ -2140,7 +2140,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "TASK_ASSIGNMENT_CREATE",
@@ -2160,7 +2160,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "TASK_ASSIGNMENT_DELETE",
@@ -2180,7 +2180,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "TASK_ASSIGNMENT_UPDATE",
@@ -2200,7 +2200,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "TASK_CREATE",
@@ -2219,7 +2219,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "TASK_UPDATE",
@@ -2238,7 +2238,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "TERMS_OF_SERVICE_ACCEPT",
@@ -2257,7 +2257,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "TERMS_OF_SERVICE_REJECT",
@@ -2276,7 +2276,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "UNDELETE",
@@ -2294,7 +2294,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "UNLOCK",
@@ -2312,7 +2312,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "UNSHARE",
@@ -2331,7 +2331,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "UPDATE_COLLABORATION_EXPIRATION",
@@ -2351,7 +2351,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "UPDATE_SHARE_EXPIRATION",
@@ -2370,7 +2370,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "UPLOAD",
@@ -2388,7 +2388,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE",
@@ -2408,7 +2408,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "WATERMARK_LABEL_CREATE",
@@ -2427,7 +2427,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "WATERMARK_LABEL_DELETE",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json
index 642fcf0645f..18300bb3fea 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-malicious-content.log-expected.json
@@ -61,7 +61,7 @@
"ip": "10.1.2.3"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_ALERT",
@@ -199,7 +199,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_ALERT",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-preview.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-preview.log-expected.json
index 1d5429dc56c..e4027c0ad7a 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-preview.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-preview.log-expected.json
@@ -71,7 +71,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_PREVIEW",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-rename.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-rename.log-expected.json
index 296be954bdc..0953849e882 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-rename.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-rename.log-expected.json
@@ -54,7 +54,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_RENAME",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json
index 8e8af62d4c5..25d5fc70733 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json
@@ -19,7 +19,7 @@
"ip": "67.43.156.0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_ALERT",
@@ -114,7 +114,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_ALERT",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json
index 7e93866f12f..41606f2f69c 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json
@@ -22,7 +22,7 @@
"ip": "10.1.2.3"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_ALERT",
@@ -116,7 +116,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SHIELD_ALERT",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-trash.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-trash.log-expected.json
index fc76b7d93e1..63413e71bfb 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-trash.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-trash.log-expected.json
@@ -49,7 +49,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_TRASH",
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-upload.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-upload.log-expected.json
index 52af96bff9f..e08dba02bc7 100644
--- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-upload.log-expected.json
+++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-upload.log-expected.json
@@ -78,7 +78,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ITEM_UPLOAD",
diff --git a/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml
index 3ab7fd38c5e..262ca5ec098 100644
--- a/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing Box Events
processors:
- set:
field: ecs.version
- value: "8.8.0"
+ value: "8.9.0"
- rename:
field: message
target_field: event.original
diff --git a/packages/box_events/data_stream/events/fields/ecs.yml b/packages/box_events/data_stream/events/fields/ecs.yml
index df901b3be5a..2895f7a0881 100644
--- a/packages/box_events/data_stream/events/fields/ecs.yml
+++ b/packages/box_events/data_stream/events/fields/ecs.yml
@@ -74,8 +74,6 @@
name: threat.enrichments
- external: ecs
name: threat.enrichments.indicator.description
-- external: ecs
- name: threat.enrichments.indicator.ip
- external: ecs
name: threat.enrichments.indicator.first_seen
- external: ecs
diff --git a/packages/box_events/data_stream/events/fields/fields.yml b/packages/box_events/data_stream/events/fields/fields.yml
index d95c59f198b..c84f5678897 100644
--- a/packages/box_events/data_stream/events/fields/fields.yml
+++ b/packages/box_events/data_stream/events/fields/fields.yml
@@ -229,12 +229,6 @@
- name: recorded_at
description: The date and time at which this event occurred
type: date
- - name: created_at
- description: When the event object was created
- type: date
- - name: created_at
- description: When the event object was created
- type: date
- name: session
description: Extend ECS related fields
type: object
@@ -387,13 +381,13 @@
fields:
- name: type
description: Value is always `folder`. This field is an array
- type: array
+ type: keyword
- name: id
description: The unique identifier that represent a folder. This field is an array
- type: array
+ type: keyword
- name: name
description: The name of the folder. This field is an array
- type: array
+ type: keyword
- name: purged_at
description: The time at which this file is expected to be purged from the trash
type: boolean
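Review bot: The adjacent `purged_at` entry keeps `type: boolean` for a value whose description is a timestamp, which looks like the same class of wrong mapping this hunk corrects for `path_collection.entries.*`; the fix is the one-line change `type: date`. Whether the Box payload actually carries `purged_at` for the collected events is outside this diff, but if the pipeline forwards a date string into a boolean-typed field the document is rejected at index time, which for a security log source means silently dropped events. The regenerated README table later in this diff shows the same mapping (`box.source.purged_at | ... | boolean`, next to `box.source.phone | Phone number | boolean`), so both rows would need regenerating after the fix. The `array` → `keyword` change itself is sound, since keyword fields accept multi-valued input, so the "This field is an array" wording in the descriptions can stay.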
diff --git a/packages/box_events/data_stream/events/manifest.yml b/packages/box_events/data_stream/events/manifest.yml
index 545a6d09d7d..e0e4d81ad86 100644
--- a/packages/box_events/data_stream/events/manifest.yml
+++ b/packages/box_events/data_stream/events/manifest.yml
@@ -9,7 +9,7 @@ streams:
- name: interval
type: text
title: Interval
- description: This sets the interval between requests to the Target Service, for example `300s` will send a request every 300 seconds. Events will be returned in batches of up to 100, with successive calls on expiry of the configured `interval` so you may wish to specify a lower interval when a substantial number of events are expected, however, we suggest to consider bandwidth when using lower settings
+ description: This sets the interval between requests to the Target Service, for example `300s` will send a request every 300 seconds. Events will be returned in batches of up to 100, with successive calls on expiry of the configured `interval` so you may wish to specify a lower interval when a substantial number of events are expected, however, we suggest to consider bandwidth when using lower settings. Supported units for this parameter are h/m/s.
multi: false
required: true
show_user: true
diff --git a/packages/box_events/data_stream/events/sample_event.json b/packages/box_events/data_stream/events/sample_event.json
index d5a462a486a..fd22e8f92de 100644
--- a/packages/box_events/data_stream/events/sample_event.json
+++ b/packages/box_events/data_stream/events/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2019-12-08T08:00:00.000Z",
"agent": {
- "ephemeral_id": "19d0e7ab-6422-44e5-ab1b-a4344fde2a4f",
- "id": "52ca6e8b-8f09-4ce6-a173-ec44c538809f",
+ "ephemeral_id": "764c37eb-8835-4094-ba76-e4a16049d6b9",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.6.0"
+ "version": "8.9.1"
},
"box": {
"additional_details": {
@@ -57,12 +57,12 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "52ca6e8b-8f09-4ce6-a173-ec44c538809f",
- "snapshot": true,
- "version": "8.6.0"
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
+ "snapshot": false,
+ "version": "8.9.1"
},
"event": {
"action": "SHIELD_ALERT",
@@ -71,10 +71,10 @@
"threat",
"file"
],
- "created": "2023-01-13T11:47:22.940Z",
+ "created": "2023-08-29T15:21:44.833Z",
"dataset": "box_events.events",
"id": "97f1b31f-f143-4777-81f8-1b557b39ca33",
- "ingested": "2023-01-13T11:47:24Z",
+ "ingested": "2023-08-29T15:21:47Z",
"kind": "alert",
"risk_score": 77,
"type": [
@@ -84,24 +84,24 @@
},
"host": {
"architecture": "x86_64",
- "containerized": false,
+ "containerized": true,
"hostname": "docker-fleet-agent",
- "id": "4547978d96e74314a1c62b73cc5cad86",
+ "id": "c2615f282eb54b57a5bab10d7ee84193",
"ip": [
- "172.25.0.7"
+ "172.21.0.7"
],
"mac": [
- "02-42-AC-19-00-07"
+ "02-42-AC-15-00-07"
],
"name": "docker-fleet-agent",
"os": {
"codename": "focal",
"family": "debian",
- "kernel": "5.15.49-linuxkit",
+ "kernel": "5.10.47-linuxkit",
"name": "Ubuntu",
"platform": "ubuntu",
"type": "linux",
- "version": "20.04.5 LTS (Focal Fossa)"
+ "version": "20.04.6 LTS (Focal Fossa)"
}
},
"input": {
diff --git a/packages/box_events/docs/README.md b/packages/box_events/docs/README.md
index 188633e6dab..8eee67222b7 100644
--- a/packages/box_events/docs/README.md
+++ b/packages/box_events/docs/README.md
@@ -239,9 +239,9 @@ Preserves a raw copy of the original event, added to the field `event.original`.
| box.source.parent.sequence_id | A numeric identifier that represents the most recent user event that has been applied to this item (parent) | keyword |
| box.source.parent.type | Value is always `folder` | keyword |
| box.source.path_collection.entries | The parent folders for this item | object |
-| box.source.path_collection.entries.id | The unique identifier that represent a folder. This field is an array | array |
-| box.source.path_collection.entries.name | The name of the folder. This field is an array | array |
-| box.source.path_collection.entries.type | Value is always `folder`. This field is an array | array |
+| box.source.path_collection.entries.id | The unique identifier that represent a folder. This field is an array | keyword |
+| box.source.path_collection.entries.name | The name of the folder. This field is an array | keyword |
+| box.source.path_collection.entries.type | Value is always `folder`. This field is an array | keyword |
| box.source.path_collection.total_count | The number of folders in this list | long |
| box.source.phone | Phone number | boolean |
| box.source.purged_at | The time at which this file is expected to be purged from the trash | boolean |
@@ -278,10 +278,10 @@ Preserves a raw copy of the original event, added to the field `event.original`.
| error.message | Error message. | match_only_text |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
diff --git a/packages/box_events/kibana/tags.yml b/packages/box_events/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/box_events/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/box_events/manifest.yml b/packages/box_events/manifest.yml
index be02d031752..2b6ef40b31b 100644
--- a/packages/box_events/manifest.yml
+++ b/packages/box_events/manifest.yml
@@ -1,9 +1,7 @@
-format_version: 1.0.0
+format_version: 2.11.0
name: box_events
title: Box Events
-version: "1.5.0"
-release: ga
-license: basic
+version: "1.9.0"
description: "Collect logs from Box with Elastic Agent"
type: integration
categories:
diff --git a/packages/carbon_black_cloud/_dev/build/build.yml b/packages/carbon_black_cloud/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/carbon_black_cloud/_dev/build/build.yml
+++ b/packages/carbon_black_cloud/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/carbon_black_cloud/changelog.yml b/packages/carbon_black_cloud/changelog.yml
index ef7f04bd098..06a44f94b54 100644
--- a/packages/carbon_black_cloud/changelog.yml
+++ b/packages/carbon_black_cloud/changelog.yml
@@ -1,4 +1,24 @@
# newer versions go on top
+- version: 1.15.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.14.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.13.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.12.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
- version: "1.11.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json
index de351292166..4eecfee619e 100644
--- a/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json
+++ b/packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json
@@ -61,7 +61,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"end": "2021-01-04T23:25:58.000Z",
@@ -145,7 +145,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"end": "2020-11-17T22:02:16.000Z",
@@ -271,7 +271,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"end": "2021-01-04T22:22:42.000Z",
diff --git a/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
index f5e5b695b29..fbacd8de6f9 100644
--- a/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing Carbon Black Cloud alerts.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/carbon_black_cloud/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/data_stream/alert/manifest.yml
index 6a1c709ade2..d5d4c58ad08 100644
--- a/packages/carbon_black_cloud/data_stream/alert/manifest.yml
+++ b/packages/carbon_black_cloud/data_stream/alert/manifest.yml
@@ -9,7 +9,7 @@ streams:
- name: interval
type: text
title: Interval
- description: Interval to fetch alerts from Carbon Black Cloud. NOTE:- Supported units for this parameter are h/m/s.
+ description: Interval to fetch alerts from Carbon Black Cloud. Supported units for this parameter are h/m/s.
multi: false
required: true
show_user: true
@@ -17,7 +17,7 @@ streams:
- name: initial_interval
type: text
title: Initial Interval
- description: How far back to pull the alerts from the Carbon Black Cloud API. NOTE:- Supported units for this parameter are h/m/s.
+ description: How far back to pull the alerts from the Carbon Black Cloud API. Supported units for this parameter are h/m/s.
default: 24h
multi: false
required: true
@@ -67,7 +67,7 @@ streams:
required: false
show_user: true
default: 1m
- description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s.
+ description: Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.
- name: number_of_workers
type: integer
title: "[S3] Number of Workers"
@@ -83,7 +83,7 @@ streams:
required: false
show_user: true
default: 300s
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. NOTE:- Supported units for this parameter are h/m/s.
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.
- name: api_timeout
type: text
title: "[SQS] API Timeout"
@@ -91,7 +91,7 @@ streams:
required: false
show_user: true
default: 120s
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. NOTE:- Supported units for this parameter are h/m/s.
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.
- name: max_number_of_messages
type: integer
title: "[SQS] Maximum Concurrent SQS Messages"
diff --git a/packages/carbon_black_cloud/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/data_stream/alert/sample_event.json
index 4975573c5d2..708d71d665c 100644
--- a/packages/carbon_black_cloud/data_stream/alert/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/alert/sample_event.json
@@ -51,7 +51,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "c073dde3-4d37-4b40-8161-a008a04d551f",
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/pipeline/test-asset-vulnerability-summary.log-expected.json b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/pipeline/test-asset-vulnerability-summary.log-expected.json
index b1746cc76ba..f61ca660e34 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/pipeline/test-asset-vulnerability-summary.log-expected.json
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/pipeline/test-asset-vulnerability-summary.log-expected.json
@@ -18,7 +18,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "state",
@@ -67,7 +67,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "state",
@@ -116,7 +116,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "state",
@@ -165,7 +165,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "state",
@@ -214,7 +214,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "state",
@@ -263,7 +263,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "state",
@@ -312,7 +312,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "state",
@@ -361,7 +361,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "state",
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
index 54825d7414a..f333f224392 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
@@ -7,7 +7,7 @@ processors:
ignore_missing: true
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: event.kind
value: state
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/manifest.yml
index 1b2c8e26d82..afa402554a2 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/manifest.yml
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/manifest.yml
@@ -9,7 +9,7 @@ streams:
- name: interval
type: text
title: Interval
- description: Interval to query asset vulnerability summary in Carbon Black Cloud. NOTE:- Supported units for this parameter are h/m/s.
+ description: Interval to query asset vulnerability summary in Carbon Black Cloud. Supported units for this parameter are h/m/s.
multi: false
required: true
show_user: true
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json
index 42dc22f4a0e..872e41eb0d9 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json
@@ -29,7 +29,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
diff --git a/packages/carbon_black_cloud/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/carbon_black_cloud/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
index 1d1bc295592..7e6eb29dcc9 100644
--- a/packages/carbon_black_cloud/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
+++ b/packages/carbon_black_cloud/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
@@ -15,7 +15,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "16xxxxxxxxxx8ac7bd",
@@ -51,7 +51,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "21xxxxxxxxxx93ff7c",
@@ -87,7 +87,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "28xxxxxxxxxx8ac7bd",
@@ -123,7 +123,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "34xxxxxxxxxxd9ccf9",
@@ -159,7 +159,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "3axxxxxxxxxx2e5035",
@@ -195,7 +195,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "32xxxxxxxxxx189c6d",
@@ -231,7 +231,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "a9xxxxxxxxxx4b3d2c",
diff --git a/packages/carbon_black_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index a0575e52ee3..c3cbc513354 100644
--- a/packages/carbon_black_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/carbon_black_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing Carbon Black Cloud audit logs.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/carbon_black_cloud/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/data_stream/audit/manifest.yml
index d4aa797335c..5d0238e7087 100644
--- a/packages/carbon_black_cloud/data_stream/audit/manifest.yml
+++ b/packages/carbon_black_cloud/data_stream/audit/manifest.yml
@@ -9,7 +9,7 @@ streams:
- name: interval
type: text
title: Interval
- description: Interval to fetch audit logs from Carbon Black Cloud. NOTE:- Supported units for this parameter are h/m/s.
+ description: Interval to fetch audit logs from Carbon Black Cloud. Supported units for this parameter are h/m/s.
multi: false
required: true
show_user: true
diff --git a/packages/carbon_black_cloud/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/data_stream/audit/sample_event.json
index 4fdd39ccf58..db89a77d320 100644
--- a/packages/carbon_black_cloud/data_stream/audit/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/audit/sample_event.json
@@ -25,7 +25,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json b/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json
index d2d5fed33ac..c7801e6b96a 100644
--- a/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json
@@ -37,7 +37,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_CREATE_KEY",
@@ -139,7 +139,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_WRITE_VALUE",
@@ -262,7 +262,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_OPEN_PROCESS_HANDLE",
@@ -385,7 +385,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_OPEN_PROCESS_HANDLE",
@@ -504,7 +504,7 @@
"path": "c:\\windows\\system32\\fltlib.dll"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_LOAD_MODULE",
@@ -625,7 +625,7 @@
"path": "c:\\windows\\system32\\dnsapi.dll"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_LOAD_MODULE",
@@ -746,7 +746,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_CREATE_PROCESS",
@@ -867,7 +867,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_CREATE_PROCESS",
@@ -968,7 +968,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_PROCESS_TERMINATE",
@@ -1067,7 +1067,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_PROCESS_TERMINATE",
@@ -1162,7 +1162,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_FILE_MOD_OPEN | ACTION_FILE_OPEN_DELETE",
@@ -1260,7 +1260,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_FILE_MOD_OPEN | ACTION_FILE_OPEN_READ | ACTION_FILE_OPEN_WRITE",
@@ -1362,7 +1362,7 @@
"port": 62909
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_CONNECTION_CREATE",
@@ -1470,7 +1470,7 @@
"port": 9716
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_CONNECTION_LISTEN",
@@ -1588,7 +1588,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ACTION_LOAD_SCRIPT",
diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
index 2fd86563836..25223d99313 100644
--- a/packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing Carbon Black Cloud Endpoint Events.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/manifest.yml
index 684bb3d1e1d..97d31940eb8 100644
--- a/packages/carbon_black_cloud/data_stream/endpoint_event/manifest.yml
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/manifest.yml
@@ -21,7 +21,7 @@ streams:
required: false
show_user: true
default: 1m
- description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s.
+ description: Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.
- name: number_of_workers
type: integer
title: "[S3] Number of Workers"
@@ -37,7 +37,7 @@ streams:
required: false
show_user: true
default: 300s
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. NOTE:- Supported units for this parameter are h/m/s.
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.
- name: api_timeout
type: text
title: "[SQS] API Timeout"
@@ -45,7 +45,7 @@ streams:
required: false
show_user: true
default: 120s
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. NOTE:- Supported units for this parameter are h/m/s.
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.
- name: max_number_of_messages
type: integer
title: "[SQS] Maximum Concurrent SQS Messages"
diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/data_stream/endpoint_event/sample_event.json
index 838d8b9020e..58c029fb454 100644
--- a/packages/carbon_black_cloud/data_stream/endpoint_event/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/sample_event.json
@@ -20,7 +20,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"carbon_black_cloud": {
"endpoint_event": {
diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/_dev/test/pipeline/test-watchlist-hit.log-expected.json b/packages/carbon_black_cloud/data_stream/watchlist_hit/_dev/test/pipeline/test-watchlist-hit.log-expected.json
index 586973909a5..0913bd09c8b 100644
--- a/packages/carbon_black_cloud/data_stream/watchlist_hit/_dev/test/pipeline/test-watchlist-hit.log-expected.json
+++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/_dev/test/pipeline/test-watchlist-hit.log-expected.json
@@ -67,7 +67,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -203,7 +203,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -333,7 +333,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -455,7 +455,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -576,7 +576,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -683,7 +683,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml
index bdc34fde78d..4a9ccb7339d 100644
--- a/packages/carbon_black_cloud/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing Carbon Black Cloud watchlist hit.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: event.kind
value: event
diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/manifest.yml
index 6fc7b5bef25..24fc8610729 100644
--- a/packages/carbon_black_cloud/data_stream/watchlist_hit/manifest.yml
+++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/manifest.yml
@@ -21,7 +21,7 @@ streams:
required: false
show_user: true
default: 1m
- description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s.
+ description: Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.
- name: number_of_workers
type: integer
title: "[S3] Number of Workers"
@@ -37,7 +37,7 @@ streams:
required: false
show_user: true
default: 300s
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. NOTE:- Supported units for this parameter are h/m/s.
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.
- name: api_timeout
type: text
title: "[SQS] API Timeout"
@@ -45,7 +45,7 @@ streams:
required: false
show_user: true
default: 120s
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. NOTE:- Supported units for this parameter are h/m/s.
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.
- name: max_number_of_messages
type: integer
title: "[SQS] Maximum Concurrent SQS Messages"
diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/data_stream/watchlist_hit/sample_event.json
index ec1a8a7de85..438381ec90f 100644
--- a/packages/carbon_black_cloud/data_stream/watchlist_hit/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/sample_event.json
@@ -18,7 +18,7 @@
"version": "8.0.0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"process": {
"parent": {
diff --git a/packages/carbon_black_cloud/docs/README.md b/packages/carbon_black_cloud/docs/README.md
index 642b15115d5..c95ca443d2a 100644
--- a/packages/carbon_black_cloud/docs/README.md
+++ b/packages/carbon_black_cloud/docs/README.md
@@ -92,7 +92,7 @@ An example event for `audit` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
@@ -155,7 +155,7 @@ An example event for `audit` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
| event.id | Unique ID to describe the event. | keyword |
| event.module | Event module. | constant_keyword |
@@ -244,7 +244,7 @@ An example event for `alert` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "c073dde3-4d37-4b40-8161-a008a04d551f",
@@ -374,16 +374,16 @@ An example event for `alert` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module. | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
@@ -441,7 +441,7 @@ An example event for `endpoint_event` looks as following:
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"carbon_black_cloud": {
"endpoint_event": {
@@ -602,7 +602,7 @@ An example event for `endpoint_event` looks as following:
| dll.path | Full file path of the library. | keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
| event.id | Unique ID to describe the event. | keyword |
| event.module | Event module. | constant_keyword |
@@ -683,7 +683,7 @@ An example event for `watchlist_hit` looks as following:
"version": "8.0.0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"process": {
"parent": {
@@ -837,9 +837,9 @@ An example event for `watchlist_hit` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module. | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
@@ -919,7 +919,7 @@ An example event for `asset_vulnerability_summary` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "45e49275-eb7d-4b20-a8af-d084fb2551c7",
@@ -996,7 +996,7 @@ An example event for `asset_vulnerability_summary` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
diff --git a/packages/carbon_black_cloud/kibana/tags.yml b/packages/carbon_black_cloud/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/carbon_black_cloud/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/carbon_black_cloud/manifest.yml b/packages/carbon_black_cloud/manifest.yml
index a68431e819c..d92f2f308a5 100644
--- a/packages/carbon_black_cloud/manifest.yml
+++ b/packages/carbon_black_cloud/manifest.yml
@@ -1,14 +1,15 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: carbon_black_cloud
title: VMware Carbon Black Cloud
-version: "1.11.0"
+version: "1.15.0"
description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent.
type: integration
categories:
- security
- edr_xdr
conditions:
- kibana.version: ^8.7.1
+ kibana:
+ version: ^8.7.1
screenshots:
- src: /img/carbon_black_cloud-screenshot.png
title: Carbon Black Cloud alert dashboard screenshot
@@ -194,3 +195,4 @@ policy_templates:
description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/carbonblack_edr/_dev/build/build.yml b/packages/carbonblack_edr/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/carbonblack_edr/_dev/build/build.yml
+++ b/packages/carbonblack_edr/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/carbonblack_edr/changelog.yml b/packages/carbonblack_edr/changelog.yml
index 64685ad9c42..e2567745f3e 100644
--- a/packages/carbonblack_edr/changelog.yml
+++ b/packages/carbonblack_edr/changelog.yml
@@ -1,4 +1,14 @@
# newer versions go on top
+- version: "1.13.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.12.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.11.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json b/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json
index 9616e53e11a..26bf2a915a8 100644
--- a/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json
@@ -15,7 +15,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -53,7 +53,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -89,7 +89,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -127,7 +127,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -165,7 +165,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -201,7 +201,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -239,7 +239,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -277,7 +277,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -315,7 +315,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -361,7 +361,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -428,7 +428,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -470,7 +470,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -530,7 +530,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -590,7 +590,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -633,7 +633,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -665,7 +665,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -702,7 +702,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -748,7 +748,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -791,7 +791,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -823,7 +823,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -872,7 +872,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -913,7 +913,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -957,7 +957,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -1000,7 +1000,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -1032,7 +1032,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -1082,7 +1082,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -1136,7 +1136,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -1220,7 +1220,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.regmod",
@@ -1257,7 +1257,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -1300,7 +1300,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -1334,7 +1334,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -1384,7 +1384,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -1452,7 +1452,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -1528,7 +1528,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.regmod",
@@ -1565,7 +1565,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -1601,7 +1601,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.tamper",
@@ -1645,7 +1645,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -1679,7 +1679,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -1731,7 +1731,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -1808,7 +1808,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -1879,7 +1879,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.regmod",
@@ -1916,7 +1916,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -1952,7 +1952,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.tamper",
@@ -1993,7 +1993,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.host.observed",
@@ -2039,7 +2039,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -2073,7 +2073,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -2123,7 +2123,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -2194,7 +2194,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -2255,7 +2255,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.regmod",
@@ -2292,7 +2292,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -2328,7 +2328,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.tamper",
@@ -2369,7 +2369,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.host.observed",
@@ -2415,7 +2415,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -2457,7 +2457,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.module",
@@ -2501,7 +2501,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -2551,7 +2551,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -2590,7 +2590,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -2630,7 +2630,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.regmod",
@@ -2667,7 +2667,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -2703,7 +2703,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.tamper",
@@ -2744,7 +2744,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.host.observed",
@@ -2790,7 +2790,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -2832,7 +2832,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.module",
@@ -2876,7 +2876,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -2925,7 +2925,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -2969,7 +2969,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -3016,7 +3016,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.remotethread",
@@ -3063,7 +3063,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.regmod",
@@ -3100,7 +3100,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -3136,7 +3136,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.tamper",
@@ -3177,7 +3177,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.host.observed",
@@ -3223,7 +3223,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -3265,7 +3265,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.module",
@@ -3309,7 +3309,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -3359,7 +3359,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -3396,7 +3396,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "unknown",
@@ -3444,7 +3444,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.remotethread",
@@ -3491,7 +3491,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.regmod",
@@ -3542,7 +3542,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.childproc",
@@ -3580,7 +3580,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -3616,7 +3616,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.tamper",
@@ -3661,7 +3661,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.host.observed",
@@ -3707,7 +3707,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -3749,7 +3749,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.module",
@@ -3793,7 +3793,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -3842,7 +3842,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -3888,7 +3888,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.regmod",
@@ -3942,7 +3942,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.remotethread",
@@ -3989,7 +3989,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.regmod",
@@ -4040,7 +4040,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.childproc",
@@ -4078,7 +4078,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.observed",
@@ -4127,7 +4127,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.filemod",
@@ -4167,7 +4167,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.host.observed",
@@ -4213,7 +4213,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.moduleload",
@@ -4255,7 +4255,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.module",
@@ -4299,7 +4299,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "binaryinfo.group.observed",
@@ -4348,7 +4348,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.netconn",
@@ -4396,7 +4396,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.filemod",
@@ -4447,7 +4447,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ingress.event.remotethread",
diff --git a/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 13da825c827..0615e998f92 100644
--- a/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing CarbonBlack EDR logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
# Validate that the input document conforms to the expected format
# to avoid repetitive checks.
diff --git a/packages/carbonblack_edr/data_stream/log/sample_event.json b/packages/carbonblack_edr/data_stream/log/sample_event.json
index 88b99c8d7ec..0a3082e3521 100644
--- a/packages/carbonblack_edr/data_stream/log/sample_event.json
+++ b/packages/carbonblack_edr/data_stream/log/sample_event.json
@@ -24,7 +24,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
diff --git a/packages/carbonblack_edr/docs/README.md b/packages/carbonblack_edr/docs/README.md
index 5b0e093240a..b323ee782c8 100644
--- a/packages/carbonblack_edr/docs/README.md
+++ b/packages/carbonblack_edr/docs/README.md
@@ -58,7 +58,7 @@ An example event for `log` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
@@ -267,17 +267,17 @@ An example event for `log` looks as following:
| error.message | Error message. | match_only_text |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
| event.id | Unique ID to describe the event. | keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
| file.code_signature.exists | Boolean to capture if a signature is present. | boolean |
diff --git a/packages/carbonblack_edr/kibana/tags.yml b/packages/carbonblack_edr/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/carbonblack_edr/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/carbonblack_edr/manifest.yml b/packages/carbonblack_edr/manifest.yml
index 5ae4caf9471..a07355a4c45 100644
--- a/packages/carbonblack_edr/manifest.yml
+++ b/packages/carbonblack_edr/manifest.yml
@@ -1,9 +1,9 @@
name: carbonblack_edr
title: VMware Carbon Black EDR
-version: "1.11.0"
+version: "1.13.0"
description: Collect logs from VMware Carbon Black EDR with Elastic Agent.
type: integration
-format_version: 2.7.0
+format_version: 2.11.0
categories: [security, edr_xdr]
conditions:
kibana.version: ^7.14.0 || ^8.0.0
diff --git a/packages/cassandra/changelog.yml b/packages/cassandra/changelog.yml
index 37e01152589..abcc1ca4be5 100644
--- a/packages/cassandra/changelog.yml
+++ b/packages/cassandra/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: "1.9.1"
+ changes:
+ - description: Add null check and ignore_missing check to the rename processor
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7845
+- version: "1.9.0"
+ changes:
+ - description: Enable time series data streams for the metrics datasets. This dramatically reduces storage for metrics and is expected to progressively improve query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6860
+- version: "1.8.1"
+ changes:
+ - description: Add metric_type mapping for the fields of `metrics` datastream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6858
- version: "1.8.0"
changes:
- description: Add dimension fields for metrics datastream for TSDB enablement.
diff --git a/packages/cassandra/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cassandra/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 4eb089b3e9b..9a90b36d4ca 100644
--- a/packages/cassandra/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cassandra/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -20,7 +20,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
- ignore_failure: true
+ if: 'ctx.event?.original == null'
- grok:
field: event.original
pattern_definitions:
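Review bot: With the rename now guarded by `if: 'ctx.event?.original == null'`, a document that already carries `event.original` keeps its `message` field as well, and nothing in this hunk removes it, so the raw text ends up stored twice unless a later processor outside the hunk drops it. A guarded removal after the grok, `- remove: { field: message, ignore_missing: true, if: 'ctx.event?.original != null' }`, would give both paths the same output shape. Dropping `ignore_failure: true` is the right direction, since a failed rename is now surfaced rather than silently skipped, but it means the grok on the following line will always run against whichever `event.original` value survived. The `- rename:` processor header itself is above the hunk.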
diff --git a/packages/cassandra/data_stream/metrics/fields/fields.yml b/packages/cassandra/data_stream/metrics/fields/fields.yml
index 207dfac6566..ddad0a5f7c5 100644
--- a/packages/cassandra/data_stream/metrics/fields/fields.yml
+++ b/packages/cassandra/data_stream/metrics/fields/fields.yml
@@ -9,21 +9,28 @@
fields:
- name: capacity
type: long
+ metric_type: gauge
- name: one_minute_hit_rate
type: long
+ metric_type: gauge
- name: requests.one_minute_rate
type: long
+ metric_type: gauge
- name: row_cache
type: group
fields:
- name: capacity
type: long
+ metric_type: gauge
- name: one_minute_hit_rate
type: long
+ metric_type: gauge
- name: requests.one_minute_rate
type: long
+ metric_type: gauge
- name: client.connected_native_clients
type: long
+ metric_type: gauge
- name: client_request
type: group
fields:
@@ -32,84 +39,116 @@
fields:
- name: count
type: long
+ metric_type: counter
- name: one_minute_rate
type: double
+ metric_type: gauge
- name: timeoutsms
type: double
+ metric_type: gauge
- name: total_latency
type: double
+ metric_type: counter
- name: timeouts
type: double
+ metric_type: counter
- name: unavailables
type: double
+ metric_type: counter
- name: unavailablesms
type: double
+ metric_type: gauge
- name: read
type: group
fields:
- name: count
type: long
+ metric_type: counter
- name: one_minute_rate
type: double
+ metric_type: gauge
- name: timeouts
description: Number of read timeouts encountered.
type: double
+ metric_type: counter
- name: total_latency
type: double
+ metric_type: counter
- name: timeoutsms
type: double
+ metric_type: gauge
- name: unavailables
description: Number of read unavailables encountered.
type: double
+ metric_type: counter
- name: unavailablesms
type: double
+ metric_type: gauge
- name: range_slice
type: group
fields:
- name: one_minute_rate
type: double
+ metric_type: gauge
- name: total_latency
type: double
+ metric_type: counter
- name: casread.one_minute_rate
type: double
+ metric_type: gauge
- name: caswrite.one_minute_rate
type: double
+ metric_type: gauge
- name: column_family.total_disk_space_used
type: long
+ metric_type: gauge
- name: compaction
type: group
fields:
- name: completed
description: compaction completed tasks.
type: long
+ metric_type: gauge
- name: pending
description: compaction pending tasks.
type: long
+ metric_type: gauge
- name: dropped_message
type: group
fields:
- name: batch_remove
type: long
+ metric_type: counter
- name: batch_store
type: long
+ metric_type: counter
- name: counter_mutation
type: long
+ metric_type: counter
- name: hint
type: long
+ metric_type: counter
- name: mutation
type: long
+ metric_type: counter
- name: paged_range
type: long
+ metric_type: counter
- name: range_slice
type: long
+ metric_type: counter
- name: read
type: long
+ metric_type: counter
- name: read_repair
type: long
+ metric_type: counter
- name: request_response
type: long
+ metric_type: counter
- name: trace
type: long
+ metric_type: counter
- name: gc
type: group
fields:
@@ -118,18 +157,22 @@
fields:
- name: collection_count
type: long
+ metric_type: gauge
description: Total number of CMS collections that have occurred.
- name: collection_time
type: long
+ metric_type: gauge
description: Approximate accumulated CMS collection elapsed time in milliseconds.
- name: par_new
type: group
fields:
- name: collection_count
type: long
+ metric_type: gauge
description: Total number of ParNew collections that have occurred.
- name: collection_time
type: long
+ metric_type: gauge
description: Approximate accumulated ParNew collection elapsed time in milliseconds.
- name: memory
type: group
@@ -140,44 +183,56 @@
- name: committed
description: Committed heap memory usage.
type: long
+ metric_type: gauge
- name: init
description: Initial heap memory usage.
type: long
+ metric_type: gauge
- name: max
description: Max heap memory usage.
type: long
+ metric_type: gauge
- name: used
description: Used heap memory usage.
type: long
+ metric_type: gauge
- name: other_usage
type: group
fields:
- name: committed
description: Committed non-heap memory usage.
type: long
+ metric_type: gauge
- name: init
description: Initial non-heap memory usage.
type: long
+ metric_type: gauge
- name: max
description: Max non-heap memory usage.
type: long
+ metric_type: gauge
- name: used
description: Used non-heap memory usage.
type: long
+ metric_type: gauge
- name: storage
type: group
fields:
- name: exceptions
type: long
+ metric_type: counter
description: The number of the total exceptions.
- name: load
type: long
+ metric_type: counter
description: Storage used for Cassandra data in bytes.
- name: total_hints
type: long
+ metric_type: counter
description: The number of the total hits.
- name: total_hint_in_progress
type: long
+ metric_type: counter
description: The number of the total hits in progress.
- name: system
type: group
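Review bot: `metric_type: counter` on `storage.load`, described on the next line as storage used for Cassandra data in bytes, declares a monotonically increasing series, but disk usage drops after compaction or deletion, so rate-style aggregations over this field will yield negative or meaningless values; the same applies to `total_hint_in_progress` in this hunk and to `live_disk_space_used` in the following hunk. These should be `metric_type: gauge`, consistent with how `column_family.total_disk_space_used` is tagged earlier in this file. `exceptions` and `total_hints` read as cumulative totals and can stay counters; if the underlying JMX semantics differ, the descriptions should state it so the metric type can be checked against them.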
@@ -205,24 +260,31 @@
fields:
- name: all_memtables_heap_size
type: long
+ metric_type: gauge
- name: all_memtables_off_heap_size
type: long
+ metric_type: gauge
- name: live_disk_space_used
type: long
+ metric_type: counter
- name: live_ss_table_count
type: long
+ metric_type: gauge
- name: task
type: group
fields:
- name: complete
description: completed tasks.
type: long
+ metric_type: gauge
- name: pending
description: pending tasks.
type: long
+ metric_type: gauge
- name: total_commitlog_size
description: total commitlog size of tasks.
type: long
+ metric_type: gauge
- name: thread_pools
type: group
fields:
@@ -231,33 +293,43 @@
fields:
- name: active
type: long
+ metric_type: gauge
- name: pending
type: long
+ metric_type: gauge
- name: mutation_stage.request
type: group
fields:
- name: active
type: long
+ metric_type: gauge
- name: pending
type: long
+ metric_type: gauge
- name: read_repair_stage.request
type: group
fields:
- name: active
type: long
+ metric_type: gauge
- name: pending
type: long
+ metric_type: gauge
- name: read_stage.request
type: group
fields:
- name: active
type: long
+ metric_type: gauge
- name: pending
type: long
+ metric_type: gauge
- name: request_response_stage.request
type: group
fields:
- name: active
type: long
+ metric_type: gauge
- name: pending
type: long
+ metric_type: gauge
diff --git a/packages/cassandra/data_stream/metrics/manifest.yml b/packages/cassandra/data_stream/metrics/manifest.yml
index d5b25a74526..6a989f92aaa 100644
--- a/packages/cassandra/data_stream/metrics/manifest.yml
+++ b/packages/cassandra/data_stream/metrics/manifest.yml
@@ -13,3 +13,5 @@ streams:
show_user: true
default: 10s
template_path: "stream.yml.hbs"
+elasticsearch:
+ index_mode: "time_series"
\ No newline at end of file
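Review bot: The added `index_mode: "time_series"` line ends the file without a trailing newline, as the `\ No newline at end of file` marker shows; add the newline so the next edit to this file does not register a spurious change on this line. The rest of the `streams:` definition is above the hunk and outside view.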
diff --git a/packages/cassandra/docs/README.md b/packages/cassandra/docs/README.md
index 02bd2964af8..e05d3294290 100644
--- a/packages/cassandra/docs/README.md
+++ b/packages/cassandra/docs/README.md
@@ -333,110 +333,110 @@ An example event for `metrics` looks as following:
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
-| cassandra.metrics.cache.key_cache.capacity | | long |
-| cassandra.metrics.cache.key_cache.one_minute_hit_rate | | long |
-| cassandra.metrics.cache.key_cache.requests.one_minute_rate | | long |
-| cassandra.metrics.cache.row_cache.capacity | | long |
-| cassandra.metrics.cache.row_cache.one_minute_hit_rate | | long |
-| cassandra.metrics.cache.row_cache.requests.one_minute_rate | | long |
-| cassandra.metrics.client.connected_native_clients | | long |
-| cassandra.metrics.client_request.casread.one_minute_rate | | double |
-| cassandra.metrics.client_request.caswrite.one_minute_rate | | double |
-| cassandra.metrics.client_request.range_slice.one_minute_rate | | double |
-| cassandra.metrics.client_request.range_slice.total_latency | | double |
-| cassandra.metrics.client_request.read.count | | long |
-| cassandra.metrics.client_request.read.one_minute_rate | | double |
-| cassandra.metrics.client_request.read.timeouts | Number of read timeouts encountered. | double |
-| cassandra.metrics.client_request.read.timeoutsms | | double |
-| cassandra.metrics.client_request.read.total_latency | | double |
-| cassandra.metrics.client_request.read.unavailables | Number of read unavailables encountered. | double |
-| cassandra.metrics.client_request.read.unavailablesms | | double |
-| cassandra.metrics.client_request.write.count | | long |
-| cassandra.metrics.client_request.write.one_minute_rate | | double |
-| cassandra.metrics.client_request.write.timeouts | | double |
-| cassandra.metrics.client_request.write.timeoutsms | | double |
-| cassandra.metrics.client_request.write.total_latency | | double |
-| cassandra.metrics.client_request.write.unavailables | | double |
-| cassandra.metrics.client_request.write.unavailablesms | | double |
-| cassandra.metrics.column_family.total_disk_space_used | | long |
-| cassandra.metrics.compaction.completed | compaction completed tasks. | long |
-| cassandra.metrics.compaction.pending | compaction pending tasks. | long |
-| cassandra.metrics.dropped_message.batch_remove | | long |
-| cassandra.metrics.dropped_message.batch_store | | long |
-| cassandra.metrics.dropped_message.counter_mutation | | long |
-| cassandra.metrics.dropped_message.hint | | long |
-| cassandra.metrics.dropped_message.mutation | | long |
-| cassandra.metrics.dropped_message.paged_range | | long |
-| cassandra.metrics.dropped_message.range_slice | | long |
-| cassandra.metrics.dropped_message.read | | long |
-| cassandra.metrics.dropped_message.read_repair | | long |
-| cassandra.metrics.dropped_message.request_response | | long |
-| cassandra.metrics.dropped_message.trace | | long |
-| cassandra.metrics.gc.concurrent_mark_sweep.collection_count | Total number of CMS collections that have occurred. | long |
-| cassandra.metrics.gc.concurrent_mark_sweep.collection_time | Approximate accumulated CMS collection elapsed time in milliseconds. | long |
-| cassandra.metrics.gc.par_new.collection_count | Total number of ParNew collections that have occurred. | long |
-| cassandra.metrics.gc.par_new.collection_time | Approximate accumulated ParNew collection elapsed time in milliseconds. | long |
-| cassandra.metrics.memory.heap_usage.committed | Committed heap memory usage. | long |
-| cassandra.metrics.memory.heap_usage.init | Initial heap memory usage. | long |
-| cassandra.metrics.memory.heap_usage.max | Max heap memory usage. | long |
-| cassandra.metrics.memory.heap_usage.used | Used heap memory usage. | long |
-| cassandra.metrics.memory.other_usage.committed | Committed non-heap memory usage. | long |
-| cassandra.metrics.memory.other_usage.init | Initial non-heap memory usage. | long |
-| cassandra.metrics.memory.other_usage.max | Max non-heap memory usage. | long |
-| cassandra.metrics.memory.other_usage.used | Used non-heap memory usage. | long |
-| cassandra.metrics.storage.exceptions | The number of the total exceptions. | long |
-| cassandra.metrics.storage.load | Storage used for Cassandra data in bytes. | long |
-| cassandra.metrics.storage.total_hint_in_progress | The number of the total hits in progress. | long |
-| cassandra.metrics.storage.total_hints | The number of the total hits. | long |
-| cassandra.metrics.system.cluster | | keyword |
-| cassandra.metrics.system.data_center | | keyword |
-| cassandra.metrics.system.joining_nodes | | keyword |
-| cassandra.metrics.system.leaving_nodes | | keyword |
-| cassandra.metrics.system.live_nodes | | keyword |
-| cassandra.metrics.system.moving_nodes | | keyword |
-| cassandra.metrics.system.rack | | keyword |
-| cassandra.metrics.system.unreachable_nodes | | keyword |
-| cassandra.metrics.system.version | | keyword |
-| cassandra.metrics.table.all_memtables_heap_size | | long |
-| cassandra.metrics.table.all_memtables_off_heap_size | | long |
-| cassandra.metrics.table.live_disk_space_used | | long |
-| cassandra.metrics.table.live_ss_table_count | | long |
-| cassandra.metrics.task.complete | completed tasks. | long |
-| cassandra.metrics.task.pending | pending tasks. | long |
-| cassandra.metrics.task.total_commitlog_size | total commitlog size of tasks. | long |
-| cassandra.metrics.thread_pools.counter_mutation_stage.request.active | | long |
-| cassandra.metrics.thread_pools.counter_mutation_stage.request.pending | | long |
-| cassandra.metrics.thread_pools.mutation_stage.request.active | | long |
-| cassandra.metrics.thread_pools.mutation_stage.request.pending | | long |
-| cassandra.metrics.thread_pools.read_repair_stage.request.active | | long |
-| cassandra.metrics.thread_pools.read_repair_stage.request.pending | | long |
-| cassandra.metrics.thread_pools.read_stage.request.active | | long |
-| cassandra.metrics.thread_pools.read_stage.request.pending | | long |
-| cassandra.metrics.thread_pools.request_response_stage.request.active | | long |
-| cassandra.metrics.thread_pools.request_response_stage.request.pending | | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
+| cassandra.metrics.cache.key_cache.capacity | | long | gauge |
+| cassandra.metrics.cache.key_cache.one_minute_hit_rate | | long | gauge |
+| cassandra.metrics.cache.key_cache.requests.one_minute_rate | | long | gauge |
+| cassandra.metrics.cache.row_cache.capacity | | long | gauge |
+| cassandra.metrics.cache.row_cache.one_minute_hit_rate | | long | gauge |
+| cassandra.metrics.cache.row_cache.requests.one_minute_rate | | long | gauge |
+| cassandra.metrics.client.connected_native_clients | | long | gauge |
+| cassandra.metrics.client_request.casread.one_minute_rate | | double | gauge |
+| cassandra.metrics.client_request.caswrite.one_minute_rate | | double | gauge |
+| cassandra.metrics.client_request.range_slice.one_minute_rate | | double | gauge |
+| cassandra.metrics.client_request.range_slice.total_latency | | double | counter |
+| cassandra.metrics.client_request.read.count | | long | counter |
+| cassandra.metrics.client_request.read.one_minute_rate | | double | gauge |
+| cassandra.metrics.client_request.read.timeouts | Number of read timeouts encountered. | double | counter |
+| cassandra.metrics.client_request.read.timeoutsms | | double | gauge |
+| cassandra.metrics.client_request.read.total_latency | | double | counter |
+| cassandra.metrics.client_request.read.unavailables | Number of read unavailables encountered. | double | counter |
+| cassandra.metrics.client_request.read.unavailablesms | | double | gauge |
+| cassandra.metrics.client_request.write.count | | long | counter |
+| cassandra.metrics.client_request.write.one_minute_rate | | double | gauge |
+| cassandra.metrics.client_request.write.timeouts | | double | counter |
+| cassandra.metrics.client_request.write.timeoutsms | | double | gauge |
+| cassandra.metrics.client_request.write.total_latency | | double | counter |
+| cassandra.metrics.client_request.write.unavailables | | double | counter |
+| cassandra.metrics.client_request.write.unavailablesms | | double | gauge |
+| cassandra.metrics.column_family.total_disk_space_used | | long | gauge |
+| cassandra.metrics.compaction.completed | compaction completed tasks. | long | gauge |
+| cassandra.metrics.compaction.pending | compaction pending tasks. | long | gauge |
+| cassandra.metrics.dropped_message.batch_remove | | long | counter |
+| cassandra.metrics.dropped_message.batch_store | | long | counter |
+| cassandra.metrics.dropped_message.counter_mutation | | long | counter |
+| cassandra.metrics.dropped_message.hint | | long | counter |
+| cassandra.metrics.dropped_message.mutation | | long | counter |
+| cassandra.metrics.dropped_message.paged_range | | long | counter |
+| cassandra.metrics.dropped_message.range_slice | | long | counter |
+| cassandra.metrics.dropped_message.read | | long | counter |
+| cassandra.metrics.dropped_message.read_repair | | long | counter |
+| cassandra.metrics.dropped_message.request_response | | long | counter |
+| cassandra.metrics.dropped_message.trace | | long | counter |
+| cassandra.metrics.gc.concurrent_mark_sweep.collection_count | Total number of CMS collections that have occurred. | long | gauge |
+| cassandra.metrics.gc.concurrent_mark_sweep.collection_time | Approximate accumulated CMS collection elapsed time in milliseconds. | long | gauge |
+| cassandra.metrics.gc.par_new.collection_count | Total number of ParNew collections that have occurred. | long | gauge |
+| cassandra.metrics.gc.par_new.collection_time | Approximate accumulated ParNew collection elapsed time in milliseconds. | long | gauge |
+| cassandra.metrics.memory.heap_usage.committed | Committed heap memory usage. | long | gauge |
+| cassandra.metrics.memory.heap_usage.init | Initial heap memory usage. | long | gauge |
+| cassandra.metrics.memory.heap_usage.max | Max heap memory usage. | long | gauge |
+| cassandra.metrics.memory.heap_usage.used | Used heap memory usage. | long | gauge |
+| cassandra.metrics.memory.other_usage.committed | Committed non-heap memory usage. | long | gauge |
+| cassandra.metrics.memory.other_usage.init | Initial non-heap memory usage. | long | gauge |
+| cassandra.metrics.memory.other_usage.max | Max non-heap memory usage. | long | gauge |
+| cassandra.metrics.memory.other_usage.used | Used non-heap memory usage. | long | gauge |
+| cassandra.metrics.storage.exceptions | The number of the total exceptions. | long | counter |
+| cassandra.metrics.storage.load | Storage used for Cassandra data in bytes. | long | counter |
+| cassandra.metrics.storage.total_hint_in_progress | The number of the total hits in progress. | long | counter |
+| cassandra.metrics.storage.total_hints | The number of the total hits. | long | counter |
+| cassandra.metrics.system.cluster | | keyword | |
+| cassandra.metrics.system.data_center | | keyword | |
+| cassandra.metrics.system.joining_nodes | | keyword | |
+| cassandra.metrics.system.leaving_nodes | | keyword | |
+| cassandra.metrics.system.live_nodes | | keyword | |
+| cassandra.metrics.system.moving_nodes | | keyword | |
+| cassandra.metrics.system.rack | | keyword | |
+| cassandra.metrics.system.unreachable_nodes | | keyword | |
+| cassandra.metrics.system.version | | keyword | |
+| cassandra.metrics.table.all_memtables_heap_size | | long | gauge |
+| cassandra.metrics.table.all_memtables_off_heap_size | | long | gauge |
+| cassandra.metrics.table.live_disk_space_used | | long | counter |
+| cassandra.metrics.table.live_ss_table_count | | long | gauge |
+| cassandra.metrics.task.complete | completed tasks. | long | gauge |
+| cassandra.metrics.task.pending | pending tasks. | long | gauge |
+| cassandra.metrics.task.total_commitlog_size | total commitlog size of tasks. | long | gauge |
+| cassandra.metrics.thread_pools.counter_mutation_stage.request.active | | long | gauge |
+| cassandra.metrics.thread_pools.counter_mutation_stage.request.pending | | long | gauge |
+| cassandra.metrics.thread_pools.mutation_stage.request.active | | long | gauge |
+| cassandra.metrics.thread_pools.mutation_stage.request.pending | | long | gauge |
+| cassandra.metrics.thread_pools.read_repair_stage.request.active | | long | gauge |
+| cassandra.metrics.thread_pools.read_repair_stage.request.pending | | long | gauge |
+| cassandra.metrics.thread_pools.read_stage.request.active | | long | gauge |
+| cassandra.metrics.thread_pools.read_stage.request.pending | | long | gauge |
+| cassandra.metrics.thread_pools.request_response_stage.request.active | | long | gauge |
+| cassandra.metrics.thread_pools.request_response_stage.request.pending | | long | gauge |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host, resource, or service is located. | keyword | |
+| container.id | Unique container id. | keyword | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| error.message | Error message. | match_only_text | |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
diff --git a/packages/cassandra/manifest.yml b/packages/cassandra/manifest.yml
index fade1c75cc9..6e3ef6a3557 100644
--- a/packages/cassandra/manifest.yml
+++ b/packages/cassandra/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: cassandra
title: Cassandra
-version: "1.8.0"
+version: "1.9.1"
license: basic
description: This Elastic integration collects logs and metrics from cassandra.
type: integration
@@ -10,7 +10,7 @@ categories:
- observability
release: ga
conditions:
- kibana.version: "^8.3.0"
+ kibana.version: "^8.8.0"
screenshots:
- src: /img/[Metrics Cassandra] Overview.png
title: Overview Dashboard
diff --git a/packages/cef/_dev/build/build.yml b/packages/cef/_dev/build/build.yml
index 84034dcea1e..c1af686e524 100644
--- a/packages/cef/_dev/build/build.yml
+++ b/packages/cef/_dev/build/build.yml
@@ -1,4 +1,4 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
import_mappings: true
diff --git a/packages/cef/changelog.yml b/packages/cef/changelog.yml
index 4b05d667c03..f80dd344d4f 100644
--- a/packages/cef/changelog.yml
+++ b/packages/cef/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: 2.14.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "2.13.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "2.12.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "2.11.0"
changes:
- description: Ensure event.message is correctly set for pipeline errors.
diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-arcsight.json-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-arcsight.json-expected.json
index 566ac9463a6..9a479b230e6 100644
--- a/packages/cef/data_stream/log/_dev/test/pipeline/test-arcsight.json-expected.json
+++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-arcsight.json-expected.json
@@ -50,7 +50,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "agent:016",
@@ -132,7 +132,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "agent:030",
@@ -206,7 +206,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "agent:044",
@@ -287,7 +287,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "agent:031",
diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-cef.json-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-cef.json-expected.json
index cd3d9b73b44..86d2de6e127 100644
--- a/packages/cef/data_stream/log/_dev/test/pipeline/test-cef.json-expected.json
+++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-cef.json-expected.json
@@ -31,7 +31,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "18",
@@ -146,7 +146,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "18",
@@ -227,7 +227,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "18",
@@ -272,7 +272,7 @@
"ip": "192.168.1.2"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "18",
diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-checkpoint.json-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-checkpoint.json-expected.json
index 1770abb5ca2..0bf4f02bcba 100644
--- a/packages/cef/data_stream/log/_dev/test/pipeline/test-checkpoint.json-expected.json
+++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-checkpoint.json-expected.json
@@ -77,7 +77,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -168,7 +168,7 @@
"port": 25
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Bypass",
@@ -237,7 +237,7 @@
"ip": "::1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Drop",
diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-cisco-asa.json-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-cisco-asa.json-expected.json
index 0e15e36f05b..e99e6f896e9 100644
--- a/packages/cef/data_stream/log/_dev/test/pipeline/test-cisco-asa.json-expected.json
+++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-cisco-asa.json-expected.json
@@ -88,7 +88,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "305012",
diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-fp-ngfw-smc.json-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-fp-ngfw-smc.json-expected.json
index 2560e6b01b9..6fde7700b0e 100644
--- a/packages/cef/data_stream/log/_dev/test/pipeline/test-fp-ngfw-smc.json-expected.json
+++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-fp-ngfw-smc.json-expected.json
@@ -21,7 +21,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "0",
@@ -68,7 +68,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "9005",
@@ -126,7 +126,7 @@
"ip": "10.1.1.40"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Allow",
@@ -219,7 +219,7 @@
"port": 67
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "70019",
@@ -292,7 +292,7 @@
"ip": "192.168.1.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Refuse",
@@ -367,7 +367,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "70021",
@@ -428,7 +428,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "72714",
@@ -488,7 +488,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "72715",
@@ -548,7 +548,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "72716",
@@ -607,7 +607,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "78002",
diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-netscaler.json-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-netscaler.json-expected.json
index 1006a3a7fa4..77525c52cae 100644
--- a/packages/cef/data_stream/log/_dev/test/pipeline/test-netscaler.json-expected.json
+++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-netscaler.json-expected.json
@@ -28,7 +28,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "blocked",
@@ -86,7 +86,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "not blocked",
@@ -144,7 +144,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "transformed",
@@ -202,7 +202,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "transformed",
@@ -260,7 +260,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "not blocked",
diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-syslog.json-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-syslog.json-expected.json
index d7a8e55523b..47745dee203 100644
--- a/packages/cef/data_stream/log/_dev/test/pipeline/test-syslog.json-expected.json
+++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-syslog.json-expected.json
@@ -56,7 +56,7 @@
"domain": "centos7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Started",
diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json
index ec1da056468..d839dd24ddd 100644
--- a/packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json
+++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json
@@ -19,7 +19,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "600",
@@ -82,7 +82,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Delete",
@@ -143,7 +143,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "detectOnly",
@@ -233,7 +233,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Log",
@@ -288,7 +288,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "updated",
@@ -381,7 +381,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "IDS:Reset",
@@ -448,7 +448,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "3002795",
@@ -504,7 +504,7 @@
"version": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "5000000",
diff --git a/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 65b7eec8174..df4653bb108 100644
--- a/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for CEF logs. CEF decoding happens in the Agent. This perf
processors:
- set:
field: ecs.version
- value: 8.8.0
+ value: 8.9.0
- convert:
field: event.id
ignore_missing: true
diff --git a/packages/cef/data_stream/log/sample_event.json b/packages/cef/data_stream/log/sample_event.json
index ca47e166f3f..e78815813cc 100644
--- a/packages/cef/data_stream/log/sample_event.json
+++ b/packages/cef/data_stream/log/sample_event.json
@@ -42,7 +42,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "f1ee4a83-b99b-4611-925d-b83b001f8b86",
diff --git a/packages/cef/docs/README.md b/packages/cef/docs/README.md
index af20b8e1e18..2620d52e1e6 100644
--- a/packages/cef/docs/README.md
+++ b/packages/cef/docs/README.md
@@ -175,7 +175,7 @@ An example event for `log` looks as following:
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "f1ee4a83-b99b-4611-925d-b83b001f8b86",
diff --git a/packages/cef/kibana/tags.yml b/packages/cef/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cef/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cef/manifest.yml b/packages/cef/manifest.yml
index 58b72b4695e..e14d1d7f012 100644
--- a/packages/cef/manifest.yml
+++ b/packages/cef/manifest.yml
@@ -1,12 +1,13 @@
name: cef
title: Common Event Format (CEF)
-version: "2.11.0"
+version: "2.14.0"
description: Collect logs from CEF Logs with Elastic Agent.
categories:
- security
conditions:
- kibana.version: ^8.6.1
-format_version: 2.7.0
+ kibana:
+ version: ^8.6.1
+format_version: "3.0.0"
policy_templates:
- name: cef
title: CEF logs
@@ -24,3 +25,4 @@ policy_templates:
type: integration
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/cel/_dev/build/build.yml b/packages/cel/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cel/_dev/build/build.yml
+++ b/packages/cel/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cel/_dev/test/system/test-basic-auth-config.yml b/packages/cel/_dev/test/system/test-basic-auth-config.yml
index 1ce9a113c3c..2004434a41e 100644
--- a/packages/cel/_dev/test/system/test-basic-auth-config.yml
+++ b/packages/cel/_dev/test/system/test-basic-auth-config.yml
@@ -1,6 +1,7 @@
vars:
username: test
password: test
+ redact_fields: [foo]
resource_url: http://{{Hostname}}:{{Port}}/testbasicauth/api
program: |
bytes(
diff --git a/packages/cel/_dev/test/system/test-get-config.yml b/packages/cel/_dev/test/system/test-get-config.yml
index 6d0dff57e0a..886fb048a2a 100644
--- a/packages/cel/_dev/test/system/test-get-config.yml
+++ b/packages/cel/_dev/test/system/test-get-config.yml
@@ -1,4 +1,5 @@
vars:
+ redact_fields: [foo]
resource_url: http://{{Hostname}}:{{Port}}/test/api
enable_request_tracer: true
program: |
diff --git a/packages/cel/_dev/test/system/test-oauth-config.yml b/packages/cel/_dev/test/system/test-oauth-config.yml
index 02794885a32..00ce233c598 100644
--- a/packages/cel/_dev/test/system/test-oauth-config.yml
+++ b/packages/cel/_dev/test/system/test-oauth-config.yml
@@ -1,4 +1,5 @@
vars:
+ redact_fields: [foo]
oauth_id: test
oauth_secret: test
oauth_token_url: http://{{Hostname}}:{{Port}}/testoauth/token
diff --git a/packages/cel/_dev/test/system/test-oauth-scope-config.yml b/packages/cel/_dev/test/system/test-oauth-scope-config.yml
index 78bd6ecaeb7..f665bb1114e 100644
--- a/packages/cel/_dev/test/system/test-oauth-scope-config.yml
+++ b/packages/cel/_dev/test/system/test-oauth-scope-config.yml
@@ -1,4 +1,5 @@
vars:
+ redact_fields: [foo]
oauth_id: test
oauth_secret: test
oauth_scopes: ["token_scope"]
diff --git a/packages/cel/agent/input/input.yml.hbs b/packages/cel/agent/input/input.yml.hbs
index 2afb6c2703a..4ad63943255 100644
--- a/packages/cel/agent/input/input.yml.hbs
+++ b/packages/cel/agent/input/input.yml.hbs
@@ -8,6 +8,13 @@ program: {{escape_string program}}
state:
{{state}}
{{/if}}
+redact.delete: {{delete_redacted_fields}}
+{{#if redact_fields}}
+redact.fields:
+{{#each redact_fields as |field|}}
+ - {{field}}
+{{/each}}
+{{/if}}
{{#if regexp}}
regexp:
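Review bot: The new `redact.fields` list interpolates each user-supplied name unquoted (`- {{field}}`), whereas `program` at the top of this same template goes through `escape_string`; because `redact_fields` is free text in the manifest (`type: text`, `multi: true`), a name containing YAML-significant characters (`: `, `#`, a leading `*` or `[`) would break or silently alter the rendered input configuration. If `escape_string` produces a quoted scalar, `- {{escape_string field}}` would be the consistent fix; otherwise wrap the value in quotes. `redact.delete: {{delete_redacted_fields}}` is emitted unconditionally, which is fine given the manifest's `default: false` / `required: true`, but it does rely on that default staying in place. The template continues outside this hunk.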
@@ -110,7 +117,7 @@ resource.rate_limit.burst: {{resource_rate_limit_burst}}
{{/if}}
{{#if enable_request_tracer}}
-resource.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
{{/if}}
{{#if tags}}
diff --git a/packages/cel/changelog.yml b/packages/cel/changelog.yml
index d319c8cb927..34ebcbf324e 100644
--- a/packages/cel/changelog.yml
+++ b/packages/cel/changelog.yml
@@ -1,3 +1,28 @@
+- version: 1.4.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.3.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.2.1"
+ changes:
+ - description: Fix location of request trace log destination.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7335
+- version: "1.2.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.1.0"
+ changes:
+ - description: Make debug log field redactions available.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6831
- version: "1.0.0"
changes:
- description: Make package GA.
diff --git a/packages/cel/kibana/tags.yml b/packages/cel/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cel/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cel/manifest.yml b/packages/cel/manifest.yml
index ae3ac69cd4c..938120c2c43 100644
--- a/packages/cel/manifest.yml
+++ b/packages/cel/manifest.yml
@@ -1,14 +1,16 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: cel
title: CEL Custom API
description: Collect custom events from an API with Elastic agent
type: input
-version: "1.0.0"
+version: "1.4.0"
categories:
- custom
conditions:
- kibana.version: "^8.8.0"
- elastic.subscription: "basic"
+ kibana:
+ version: "^8.8.0"
+ elastic:
+ subscription: "basic"
policy_templates:
- name: cel
type: logs
@@ -118,6 +120,25 @@ policy_templates:
description: The URL endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no oauth_custom variable is set or provider is not specified in oauth_custom variable.
show_user: true
required: false
+ - name: redact_fields
+ type: text
+ title: Redacted fields
+ description: |
+ Fields to redact in debug logs. When logging at debug-level the input state and CEL evaluation state are included
+ in logs. This may leak secrets, so list sensitive state fields in this configuration.
+ show_user: true
+ multi: true
+ required: false
+ - name: delete_redacted_fields
+ type: bool
+ title: Delete redacted fields
+ description: |
+ The default behavior for field redaction is to replace characters with `*`s. If field value length or presence will
+ leak information, the fields can be deleted from logging by setting this configuration to true.
+ show_user: true
+ multi: false
+ default: false
+ required: true
- name: resource_ssl
type: yaml
title: Resource SSL Configuration
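Review bot: The `redact_fields` description says redaction applies to "input state and CEL evaluation state" in debug logs, but it does not say whether the request tracer output (enabled by `enable_request_tracer` later in this manifest, which the file itself describes as compromising security) is also redacted; if it is not, operators may assume listing a token field here keeps it off disk while the tracer still writes full HTTP headers and bodies. Suggest appending a sentence such as `This does not affect the request tracer output; disable the request tracer before collecting logs that must not contain secrets.` (hedged: confirm against the input's behavior before stating it). It would also help to state in `delete_redacted_fields` that the default `*`-masking preserves value length, which the description implies but only obliquely ("If field value length or presence will leak information").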
@@ -273,7 +294,6 @@ policy_templates:
show_user: false
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- name: tags
type: text
title: Tags
@@ -289,6 +309,6 @@ policy_templates:
show_user: false
description: >
The request tracer logs HTTP requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
-
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/ceph/_dev/build/docs/README.md b/packages/ceph/_dev/build/docs/README.md
index 9a7ab5ea68e..cb2fbfb83ad 100644
--- a/packages/ceph/_dev/build/docs/README.md
+++ b/packages/ceph/_dev/build/docs/README.md
@@ -87,6 +87,100 @@ In the above JSON, please consider `api` as API User and value of `52dffd92-a103
After the integration is successfully configured, clicking on the Assets tab of the Ceph Integration should display a list of available dashboards. Click on the dashboard available for your configured data stream. It should be populated with the required data.
+### Troubleshooting
+
+If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Cluster Disk``, ``Cluster Health``, ``Cluster Status``, ``OSD Performance``, ``OSD Pool Stats``, ``OSD Tree`` and ``Pool Disk`` data stream's indices.
+To reindex the data, the following steps must be performed.
+
+1. Stop the data stream by going to `Integrations -> Ceph -> Integration policies` open the configuration of Ceph and disable the `Collect Ceph metrics` toggle to reindex logs data streams and save the integration.
+
+2. Copy data into the temporary index and delete the existing data stream and index template by performing the following steps in the Dev tools.
+
+```
+POST _reindex
+{
+ "source": {
+ "index": ""
+ },
+ "dest": {
+ "index": "temp_index"
+ }
+}
+```
+Example:
+```
+POST _reindex
+{
+ "source": {
+ "index": "logs-ceph.cluster_disk-default"
+ },
+ "dest": {
+ "index": "temp_index"
+ }
+}
+```
+
+```
+DELETE /_data_stream/
+```
+Example:
+```
+DELETE /_data_stream/logs-ceph.cluster_disk-default
+```
+
+```
+DELETE _index_template/
+```
+Example:
+```
+DELETE _index_template/logs-ceph.cluster_disk
+```
+3. Go to `Integrations -> Ceph -> Settings` and click on `Reinstall Ceph`.
+
+4. Copy data from temporary index to new index by performing the following steps in the Dev tools.
+
+```
+POST _reindex
+{
+ "conflicts": "proceed",
+ "source": {
+ "index": "temp_index"
+ },
+ "dest": {
+ "index": "",
+ "op_type": "create"
+
+ }
+}
+```
+Example:
+```
+POST _reindex
+{
+ "conflicts": "proceed",
+ "source": {
+ "index": "temp_index"
+ },
+ "dest": {
+ "index": "logs-ceph.cluster_disk-default",
+ "op_type": "create"
+
+ }
+}
+```
+
+5. Verify data is reindexed completely.
+
+6. Start the data stream by going to the `Integrations -> Ceph -> Integration policies` and open configuration of integration and enable the `Collect Ceph metrics` toggle and save the integration.
+
+7. Delete temporary index by performing the following step in the Dev tools.
+
+```
+DELETE temp_index
+```
+
+More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html).
+
## Metrics reference
### Cluster Disk
diff --git a/packages/ceph/changelog.yml b/packages/ceph/changelog.yml
index 8abe4f69c59..a6e24b4b85c 100644
--- a/packages/ceph/changelog.yml
+++ b/packages/ceph/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: "1.0.1"
+ changes:
+ - description: Add null check and ignore_missing check to the rename processor
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7845
+- version: "1.0.0"
+ changes:
+ - description: Make CEPH GA.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7663
+- version: "0.10.1"
+ changes:
+ - description: Resolve host.ip field conflict.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7491
- version: "0.10.0"
changes:
- description: Rename ownership from obs-service-integrations to obs-infraobs-integrations
diff --git a/packages/ceph/data_stream/cluster_disk/elasticsearch/ingest_pipeline/default.yml b/packages/ceph/data_stream/cluster_disk/elasticsearch/ingest_pipeline/default.yml
index 8034534b15c..80afc7ffe18 100644
--- a/packages/ceph/data_stream/cluster_disk/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ceph/data_stream/cluster_disk/elasticsearch/ingest_pipeline/default.yml
@@ -17,6 +17,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
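Review bot: The new guard `if: 'ctx.event?.original == null'` means that when `event.original` is already populated the `message` field is left untouched, so the document keeps both copies of the raw payload; in the usual preserve-original pattern this rename is paired with a `remove` of `message` under the same condition, and that pairing is not visible in this hunk, so it is worth confirming the rest of the pipeline (which runs past the hunk) handles it. Note also that the changelog entry describes adding `ignore_missing`, but `ignore_missing: true` is an unchanged context line here, so only the condition is new. The same observation applies to the six sibling pipelines (cluster_health, cluster_status, osd_performance, osd_pool_stats, osd_tree, pool_disk) that receive the identical one-line change.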
diff --git a/packages/ceph/data_stream/cluster_disk/fields/ecs.yml b/packages/ceph/data_stream/cluster_disk/fields/ecs.yml
index aa9d34a2dae..012a5d2d953 100644
--- a/packages/ceph/data_stream/cluster_disk/fields/ecs.yml
+++ b/packages/ceph/data_stream/cluster_disk/fields/ecs.yml
@@ -18,5 +18,7 @@
name: event.original
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: service.address
diff --git a/packages/ceph/data_stream/cluster_health/elasticsearch/ingest_pipeline/default.yml b/packages/ceph/data_stream/cluster_health/elasticsearch/ingest_pipeline/default.yml
index 3eeaf0409ff..c2ac84d31ac 100644
--- a/packages/ceph/data_stream/cluster_health/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ceph/data_stream/cluster_health/elasticsearch/ingest_pipeline/default.yml
@@ -17,6 +17,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
diff --git a/packages/ceph/data_stream/cluster_health/fields/ecs.yml b/packages/ceph/data_stream/cluster_health/fields/ecs.yml
index aa9d34a2dae..012a5d2d953 100644
--- a/packages/ceph/data_stream/cluster_health/fields/ecs.yml
+++ b/packages/ceph/data_stream/cluster_health/fields/ecs.yml
@@ -18,5 +18,7 @@
name: event.original
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: service.address
diff --git a/packages/ceph/data_stream/cluster_status/elasticsearch/ingest_pipeline/default.yml b/packages/ceph/data_stream/cluster_status/elasticsearch/ingest_pipeline/default.yml
index 0dc648922a6..34d72430fbf 100644
--- a/packages/ceph/data_stream/cluster_status/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ceph/data_stream/cluster_status/elasticsearch/ingest_pipeline/default.yml
@@ -17,6 +17,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
diff --git a/packages/ceph/data_stream/cluster_status/fields/ecs.yml b/packages/ceph/data_stream/cluster_status/fields/ecs.yml
index aa9d34a2dae..012a5d2d953 100644
--- a/packages/ceph/data_stream/cluster_status/fields/ecs.yml
+++ b/packages/ceph/data_stream/cluster_status/fields/ecs.yml
@@ -18,5 +18,7 @@
name: event.original
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: service.address
diff --git a/packages/ceph/data_stream/osd_performance/elasticsearch/ingest_pipeline/default.yml b/packages/ceph/data_stream/osd_performance/elasticsearch/ingest_pipeline/default.yml
index f1c9d431a3f..157f8ce75aa 100644
--- a/packages/ceph/data_stream/osd_performance/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ceph/data_stream/osd_performance/elasticsearch/ingest_pipeline/default.yml
@@ -17,6 +17,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
diff --git a/packages/ceph/data_stream/osd_performance/fields/ecs.yml b/packages/ceph/data_stream/osd_performance/fields/ecs.yml
index aa9d34a2dae..012a5d2d953 100644
--- a/packages/ceph/data_stream/osd_performance/fields/ecs.yml
+++ b/packages/ceph/data_stream/osd_performance/fields/ecs.yml
@@ -18,5 +18,7 @@
name: event.original
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: service.address
diff --git a/packages/ceph/data_stream/osd_pool_stats/elasticsearch/ingest_pipeline/default.yml b/packages/ceph/data_stream/osd_pool_stats/elasticsearch/ingest_pipeline/default.yml
index 47247849a50..4715ff16970 100644
--- a/packages/ceph/data_stream/osd_pool_stats/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ceph/data_stream/osd_pool_stats/elasticsearch/ingest_pipeline/default.yml
@@ -17,6 +17,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
diff --git a/packages/ceph/data_stream/osd_pool_stats/fields/ecs.yml b/packages/ceph/data_stream/osd_pool_stats/fields/ecs.yml
index aa9d34a2dae..012a5d2d953 100644
--- a/packages/ceph/data_stream/osd_pool_stats/fields/ecs.yml
+++ b/packages/ceph/data_stream/osd_pool_stats/fields/ecs.yml
@@ -18,5 +18,7 @@
name: event.original
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: service.address
diff --git a/packages/ceph/data_stream/osd_tree/elasticsearch/ingest_pipeline/default.yml b/packages/ceph/data_stream/osd_tree/elasticsearch/ingest_pipeline/default.yml
index e85ec456c5d..726053223b3 100644
--- a/packages/ceph/data_stream/osd_tree/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ceph/data_stream/osd_tree/elasticsearch/ingest_pipeline/default.yml
@@ -17,6 +17,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
diff --git a/packages/ceph/data_stream/osd_tree/fields/ecs.yml b/packages/ceph/data_stream/osd_tree/fields/ecs.yml
index aa9d34a2dae..012a5d2d953 100644
--- a/packages/ceph/data_stream/osd_tree/fields/ecs.yml
+++ b/packages/ceph/data_stream/osd_tree/fields/ecs.yml
@@ -18,5 +18,7 @@
name: event.original
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: service.address
diff --git a/packages/ceph/data_stream/pool_disk/elasticsearch/ingest_pipeline/default.yml b/packages/ceph/data_stream/pool_disk/elasticsearch/ingest_pipeline/default.yml
index 7a4b3e80c22..2acabcbb65f 100644
--- a/packages/ceph/data_stream/pool_disk/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ceph/data_stream/pool_disk/elasticsearch/ingest_pipeline/default.yml
@@ -17,6 +17,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
diff --git a/packages/ceph/data_stream/pool_disk/fields/ecs.yml b/packages/ceph/data_stream/pool_disk/fields/ecs.yml
index aa9d34a2dae..012a5d2d953 100644
--- a/packages/ceph/data_stream/pool_disk/fields/ecs.yml
+++ b/packages/ceph/data_stream/pool_disk/fields/ecs.yml
@@ -18,5 +18,7 @@
name: event.original
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: service.address
diff --git a/packages/ceph/docs/README.md b/packages/ceph/docs/README.md
index 9f3999201c0..c801cbc4632 100644
--- a/packages/ceph/docs/README.md
+++ b/packages/ceph/docs/README.md
@@ -87,6 +87,100 @@ In the above JSON, please consider `api` as API User and value of `52dffd92-a103
After the integration is successfully configured, clicking on the Assets tab of the Ceph Integration should display a list of available dashboards. Click on the dashboard available for your configured data stream. It should be populated with the required data.
+### Troubleshooting
+
+If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Cluster Disk``, ``Cluster Health``, ``Cluster Status``, ``OSD Performance``, ``OSD Pool Stats``, ``OSD Tree`` and ``Pool Disk`` data stream's indices.
+To reindex the data, the following steps must be performed.
+
+1. Stop the data stream by going to `Integrations -> Ceph -> Integration policies` open the configuration of Ceph and disable the `Collect Ceph metrics` toggle to reindex logs data streams and save the integration.
+
+2. Copy data into the temporary index and delete the existing data stream and index template by performing the following steps in the Dev tools.
+
+```
+POST _reindex
+{
+ "source": {
+ "index": ""
+ },
+ "dest": {
+ "index": "temp_index"
+ }
+}
+```
+Example:
+```
+POST _reindex
+{
+ "source": {
+ "index": "logs-ceph.cluster_disk-default"
+ },
+ "dest": {
+ "index": "temp_index"
+ }
+}
+```
+
+```
+DELETE /_data_stream/
+```
+Example:
+```
+DELETE /_data_stream/logs-ceph.cluster_disk-default
+```
+
+```
+DELETE _index_template/
+```
+Example:
+```
+DELETE _index_template/logs-ceph.cluster_disk
+```
+3. Go to `Integrations -> Ceph -> Settings` and click on `Reinstall Ceph`.
+
+4. Copy data from temporary index to new index by performing the following steps in the Dev tools.
+
+```
+POST _reindex
+{
+ "conflicts": "proceed",
+ "source": {
+ "index": "temp_index"
+ },
+ "dest": {
+ "index": "",
+ "op_type": "create"
+
+ }
+}
+```
+Example:
+```
+POST _reindex
+{
+ "conflicts": "proceed",
+ "source": {
+ "index": "temp_index"
+ },
+ "dest": {
+ "index": "logs-ceph.cluster_disk-default",
+ "op_type": "create"
+
+ }
+}
+```
+
+5. Verify data is reindexed completely.
+
+6. Start the data stream by going to the `Integrations -> Ceph -> Integration policies` and open configuration of integration and enable the `Collect Ceph metrics` toggle and save the integration.
+
+7. Delete temporary index by performing the following step in the Dev tools.
+
+```
+DELETE temp_index
+```
+
+More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html).
+
## Metrics reference
### Cluster Disk
@@ -182,6 +276,7 @@ An example event for `cluster_disk` looks as following:
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
| input.type | Type of Filebeat input. | keyword | | |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
| tags | List of keywords used to tag each event. | keyword | | |
@@ -272,6 +367,7 @@ An example event for `cluster_health` looks as following:
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | |
+| host.ip | Host ip addresses. | ip | |
| input.type | Type of Filebeat input. | keyword | |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
| tags | List of keywords used to tag each event. | keyword | |
@@ -453,6 +549,7 @@ An example event for `cluster_status` looks as following:
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
| input.type | Type of Filebeat input. | keyword | | |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
| tags | List of keywords used to tag each event. | keyword | | |
@@ -547,6 +644,7 @@ An example event for `osd_performance` looks as following:
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
| input.type | Type of Filebeat input. | keyword | | |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
| tags | List of keywords used to tag each event. | keyword | | |
@@ -649,6 +747,7 @@ An example event for `osd_pool_stats` looks as following:
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
| input.type | Type of Filebeat input. | keyword | | |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
| tags | List of keywords used to tag each event. | keyword | | |
@@ -758,6 +857,7 @@ An example event for `osd_tree` looks as following:
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | |
+| host.ip | Host ip addresses. | ip | |
| input.type | Type of Filebeat input. | keyword | |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
| tags | List of keywords used to tag each event. | keyword | |
@@ -862,6 +962,7 @@ An example event for `pool_disk` looks as following:
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
| input.type | Type of Filebeat input. | keyword | | |
| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
| tags | List of keywords used to tag each event. | keyword | | |
diff --git a/packages/ceph/img/ceph-overview-dashboard-cluster-metrics.png b/packages/ceph/img/ceph-overview-dashboard-cluster-metrics.png
new file mode 100644
index 00000000000..61c6c576338
Binary files /dev/null and b/packages/ceph/img/ceph-overview-dashboard-cluster-metrics.png differ
diff --git a/packages/ceph/img/ceph-overview-dashboard-osd-status.png b/packages/ceph/img/ceph-overview-dashboard-osd-status.png
new file mode 100644
index 00000000000..a812d901bc0
Binary files /dev/null and b/packages/ceph/img/ceph-overview-dashboard-osd-status.png differ
diff --git a/packages/ceph/img/ceph-overview-dashboard-pool-metrics.png b/packages/ceph/img/ceph-overview-dashboard-pool-metrics.png
new file mode 100644
index 00000000000..d586cfaef59
Binary files /dev/null and b/packages/ceph/img/ceph-overview-dashboard-pool-metrics.png differ
diff --git a/packages/ceph/img/ceph-overview-dashboard.png b/packages/ceph/img/ceph-overview-dashboard.png
deleted file mode 100644
index 125819d785f..00000000000
Binary files a/packages/ceph/img/ceph-overview-dashboard.png and /dev/null differ
diff --git a/packages/ceph/manifest.yml b/packages/ceph/manifest.yml
index b1f4105ada8..c637ca24a3a 100644
--- a/packages/ceph/manifest.yml
+++ b/packages/ceph/manifest.yml
@@ -1,7 +1,7 @@
format_version: 2.0.0
name: ceph
title: Ceph
-version: "0.10.0"
+version: "1.0.1"
description: This Elastic integration collects metrics from Ceph instance.
type: integration
categories:
@@ -11,8 +11,16 @@ conditions:
kibana.version: ^8.7.1
elastic.subscription: basic
screenshots:
- - src: /img/ceph-overview-dashboard.png
- title: Ceph overview dashboard
+ - src: /img/ceph-overview-dashboard-cluster-metrics.png
+ title: Ceph cluster metrics overview
+ size: 600x600
+ type: image/png
+ - src: /img/ceph-overview-dashboard-pool-metrics.png
+ title: Ceph pool metrics overview
+ size: 600x600
+ type: image/png
+ - src: /img/ceph-overview-dashboard-osd-status.png
+ title: Ceph OSD status overview
size: 600x600
type: image/png
icons:
diff --git a/packages/checkpoint/_dev/build/build.yml b/packages/checkpoint/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/checkpoint/_dev/build/build.yml
+++ b/packages/checkpoint/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index 76a1c9218e4..9f61686e12a 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,24 @@
# newer versions go on top
+- version: 1.26.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.25.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.24.0"
+ changes:
+ - description: Ensure `checkpoint.subs_exp` is a date.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7714
+- version: "1.23.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.22.0"
changes:
- description: Avoid data loss from updates with colliding loguid and timestamp.
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
index 6e0ee260999..9840638968d 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
@@ -14,7 +14,7 @@
"port": 514
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -94,7 +94,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Drop",
@@ -170,7 +170,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Decrypt",
@@ -256,7 +256,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Decrypt",
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
index 672a9e490be..e802f0bd777 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json
@@ -6,7 +6,7 @@
"sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -42,7 +42,7 @@
"sys_message": "installed Standard"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -86,7 +86,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -171,7 +171,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -245,7 +245,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -311,7 +311,7 @@
"status": "Finished"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -364,7 +364,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -452,7 +452,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -513,7 +513,7 @@
"status": "Started"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -566,7 +566,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -640,7 +640,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -706,7 +706,7 @@
"status": "Finished"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -745,7 +745,7 @@
"port": 514
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -811,7 +811,7 @@
"update_status": "updated"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -846,7 +846,7 @@
"update_status": "updated"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -886,7 +886,7 @@
"port": 138
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -968,7 +968,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Drop",
@@ -1025,7 +1025,7 @@
"port": 514
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -1096,7 +1096,7 @@
"port": 137
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -1167,7 +1167,7 @@
"port": 22
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -1238,7 +1238,7 @@
"port": 514
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -1309,7 +1309,7 @@
"port": 514
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -1374,7 +1374,7 @@
"syslog_severity": "Notice"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1427,7 +1427,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Drop",
@@ -1509,12 +1509,12 @@
"log_id": "4",
"origin_sic_name": "CN=NPFDCA00002,O=NPMDCM00001.domain.com.r44cbg",
"special_properties": "0",
- "subs_exp": "Tue Jan 1 00:00:00 2030",
+ "subs_exp": "2030-01-01T00:00:00.000Z",
"subscription_stat": "valid",
"subscription_stat_desc": "Contract is up to date."
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1583,7 +1583,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Drop",
@@ -1689,7 +1689,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Block",
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json
index 030bc4949c3..3c419191189 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r80x.log-expected.json
@@ -6,7 +6,7 @@
"origin_sic_name": "CN=xxx-dc-gw-1_gw-vp-ext-7,O=7checkpoint-mng..tstst7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -61,7 +61,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
index 085dff43f4f..f484edf06b2 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
@@ -13,7 +13,7 @@
"packets": 30
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -78,7 +78,7 @@
"ip": "81.2.69.142"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -161,7 +161,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -255,7 +255,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -337,7 +337,7 @@
"ip": "10.0.0.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -398,7 +398,7 @@
"sendtotrackerasadvancedauditlog": "0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -453,7 +453,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -502,7 +502,7 @@
"operation": "Set Object"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -553,7 +553,7 @@
"session_uid": "b08fb9da-a627-48b3-a815-0433f8ce6e06"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -608,7 +608,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -662,7 +662,7 @@
"system_application": "AutoUpdater"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -702,7 +702,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -754,7 +754,7 @@
"stormagentname": "daemon"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -790,7 +790,7 @@
"session_uid": "7ab751aa-66a7-4756-b66b-97a88b0a21fc"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -844,7 +844,7 @@
"origin_sic_name": "cn=cp_mgmt,o=gw-0b8ccd..zx8qy7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -887,7 +887,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
@@ -976,7 +976,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Block",
@@ -1096,7 +1096,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Block",
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-trailing-space.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-trailing-space.log-expected.json
index ce4b21abb09..9b84141ad31 100644
--- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-trailing-space.log-expected.json
+++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-trailing-space.log-expected.json
@@ -14,7 +14,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Accept",
diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index 513bcfb0f27..c0ff5838f52 100644
--- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing checkpoint firewall logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
@@ -655,6 +655,33 @@ processors:
} else if (iana_number == '132') {
ctx.network.transport = 'sctp';
}
+ - date:
+ field: checkpoint.subs_exp
+ target_field: checkpoint.subs_exp
+ timezone: "{{{ event.timezone }}}"
+ formats:
+ - 'EEE MMM dd HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - ISO8601
+ - UNIX
+ if: "ctx.checkpoint?.subs_exp != null"
+ on_failure:
+ # Try to re-parse as UTC to catch when TZ is invalid or unknown.
+ - date:
+ tag: "date_utc_fallback"
+ field: checkpoint.subs_exp
+ target_field: checkpoint.subs_exp
+ formats:
+ - 'EEE MMM dd HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - 'EEE MMM d HH:mm:ss yyyy'
+ - ISO8601
+ - UNIX
+ on_failure:
+ - remove:
+ field: checkpoint.subs_exp
+ ignore_missing: true
- convert:
field: checkpoint.packets
type: long
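Review bot: The `formats` list of the new `date` processor contains the same pattern twice — `'EEE MMM d HH:mm:ss yyyy'` appears on two consecutive lines, and the fallback processor under `on_failure` repeats the same duplicate. If the second entry was meant to accept the ctime-style day padded with a space (as in `Tue Jan  1 00:00:00 2030`), it should probably read `- 'EEE MMM  d HH:mm:ss yyyy'` (two spaces before `d`); as written it is a no-op and should be dropped from both lists. The final `on_failure` also removes `checkpoint.subs_exp` silently, so an unparsable subscription-expiry value disappears from the document with no trace; consider appending a message to `error.message` (the pattern the rest of this pipeline uses for failures, if it does) before the `remove` so the loss is visible to operators. The enclosing `processors` list continues outside the hunk.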
diff --git a/packages/checkpoint/data_stream/firewall/fields/fields.yml b/packages/checkpoint/data_stream/firewall/fields/fields.yml
index c820ff2b1e2..87ea5b39388 100644
--- a/packages/checkpoint/data_stream/firewall/fields/fields.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/fields.yml
@@ -1467,7 +1467,7 @@
description: |
Layer uid.
- name: subs_exp
- type: keyword
+ type: date
- name: subscriber
type: ip
description: |
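Review bot: Changing `subs_exp` from `keyword` to `date` is a mapping type change on an existing field, and the changelog entry for it (version 1.24.0) is recorded as an `enhancement` with a minor version bump. Existing backing indices already mapped with `keyword` cannot be updated in place, so documents carrying the new ISO value and old documents will live under conflicting mappings until the data stream rolls over; it is worth stating that in the changelog description, e.g. `Ensure checkpoint.subs_exp is a date (mapping change; existing indices keep the keyword mapping until rollover).`, or classifying it as a breaking change if the project's conventions treat field type changes that way.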
diff --git a/packages/checkpoint/data_stream/firewall/sample_event.json b/packages/checkpoint/data_stream/firewall/sample_event.json
index 1223e54fa81..2fcc5619863 100644
--- a/packages/checkpoint/data_stream/firewall/sample_event.json
+++ b/packages/checkpoint/data_stream/firewall/sample_event.json
@@ -16,7 +16,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ecc82406-78ce-41c1-b1e2-7c12ce01f525",
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md
index 8af97bb2861..6e23e2a3d6f 100644
--- a/packages/checkpoint/docs/README.md
+++ b/packages/checkpoint/docs/README.md
@@ -68,7 +68,7 @@ An example event for `firewall` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ecc82406-78ce-41c1-b1e2-7c12ce01f525",
@@ -518,7 +518,7 @@ An example event for `firewall` looks as following:
| checkpoint.stormagentname | | keyword |
| checkpoint.sub_policy_name | Layer name. | keyword |
| checkpoint.sub_policy_uid | Layer uid. | keyword |
-| checkpoint.subs_exp | | keyword |
+| checkpoint.subs_exp | | date |
| checkpoint.subscriber | Source IP before CGNAT. | ip |
| checkpoint.subscription_stat | | keyword |
| checkpoint.subscription_stat_desc | | keyword |
@@ -641,19 +641,19 @@ An example event for `firewall` looks as following:
| error.message | Error message. | match_only_text |
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
| event.id | Unique ID to describe the event. | keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
diff --git a/packages/checkpoint/kibana/tags.yml b/packages/checkpoint/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/checkpoint/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml
index 59e4a7fe683..c4e125c3e58 100644
--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -1,12 +1,13 @@
name: checkpoint
title: Check Point
-version: "1.22.0"
+version: "1.26.0"
description: Collect logs from Check Point with Elastic Agent.
type: integration
-format_version: 2.7.0
+format_version: "3.0.0"
categories: [security, network, firewall_security]
conditions:
- kibana.version: "^8.6.0"
+ kibana:
+ version: "^8.6.0"
icons:
- src: /img/checkpoint-logo.svg
title: Check Point
@@ -122,3 +123,4 @@ policy_templates:
description: "Collecting firewall logs from Check Point instances (input: udp)"
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/cisco_aironet/_dev/build/build.yml b/packages/cisco_aironet/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_aironet/_dev/build/build.yml
+++ b/packages/cisco_aironet/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_aironet/changelog.yml b/packages/cisco_aironet/changelog.yml
index a565c4fca5b..42e87f69de1 100644
--- a/packages/cisco_aironet/changelog.yml
+++ b/packages/cisco_aironet/changelog.yml
@@ -1,4 +1,14 @@
# newer versions go on top
+- version: "1.6.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.5.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.4.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json
index 79043ac9c1a..4d79d5cc23f 100644
--- a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json
+++ b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json
@@ -7,7 +7,7 @@
"mac": "2C-6D-C1-F5-0C-80"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Q_IND",
@@ -49,7 +49,7 @@
"mac": "66-7C-DE-EF-D9-18"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ARP_ORPHANPKT_DETECTED",
@@ -86,7 +86,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c132\u003eWLC001: -Traceback: 0x11759554 0x1175b0f0 0x1175d2b8 0x11766124 0x116d0cf8 0xfff2ae0888 0xfff29f2cfc"
@@ -116,7 +116,7 @@
"mac": "28-6F-7F-F8-64-E0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "USER_NAME_DELETED",
@@ -156,7 +156,7 @@
"mac": "28-6F-7F-F8-64-E0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "USER_NAME_CREATED",
@@ -201,7 +201,7 @@
"ip": "fe80::1e24:cdff:fe11:2f90"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ENTRY_CREATED",
@@ -243,7 +243,7 @@
"ip": "fe80::aee2:d3ff:feba:56a4"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ENTRY_DELETED",
@@ -286,7 +286,7 @@
"mac": "70-EE-50-56-99-99"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ENTRY_CHANGED",
@@ -323,7 +323,7 @@
"mac": "E8-96-06-02-02-99"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Q_IND",
@@ -368,7 +368,7 @@
"ip": "fe80::48d:c1bc:6c01:6e85"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Q_IND",
@@ -423,7 +423,7 @@
"ip": "89.160.20.112"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "AAA_AUTH_ADMIN_USER",
@@ -460,7 +460,7 @@
{
"@timestamp": "2023-08-22T18:14:03.172Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ADMIN_MODE_DISABLE",
@@ -506,7 +506,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIG_ALARM_OFF",
@@ -545,7 +545,7 @@
"mac": "4A-B8-CB-63-1D-BD"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIG_ALARM_OFF_CONT",
@@ -583,7 +583,7 @@
"mac": "28-6F-7F-F8-64-E0"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIG_INFO1",
@@ -630,7 +630,7 @@
"mac": "80-7D-3A-9B-2F-FC"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "MAX_EAPOL_KEY_RETRANS",
@@ -667,7 +667,7 @@
"mac": "CC-73-14-61-B0-8F"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "RRM_LOGMSG",
@@ -701,7 +701,7 @@
{
"@timestamp": "2023-08-29T10:58:28.227Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "RRM_LOGMSG",
@@ -739,7 +739,7 @@
"mac": "DE-FB-48-7C-4F-F7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ABORT_AUTH",
@@ -784,7 +784,7 @@
"mac": "DE-FB-48-7C-4F-F7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Q_IND",
@@ -821,7 +821,7 @@
"mac": "DE-FB-48-7C-4F-F7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Q_IND",
@@ -865,7 +865,7 @@
"mac": "DE-FB-48-7C-4F-F7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "INVALID_WPA_KEY_STATE",
@@ -902,7 +902,7 @@
"mac": "DE-FB-48-7C-4F-F7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "WPA_SEND_STATE_ERR",
@@ -939,7 +939,7 @@
"mac": "DE-FB-48-7C-4F-F7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "INVALID_REPLAY_CTR",
@@ -973,7 +973,7 @@
{
"@timestamp": "2023-08-29T10:47:25.944Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "REPLAY_ERR",
@@ -1010,7 +1010,7 @@
"mac": "DE-FB-48-7C-4F-F7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "CLIENT_NOT_FOUND",
@@ -1044,7 +1044,7 @@
{
"@timestamp": "2023-08-22T18:14:24.651Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SIG_ALARM_OFF",
@@ -1075,7 +1075,7 @@
{
"@timestamp": "2023-08-29T10:58:58.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "INVALID_REQUEST",
@@ -1112,7 +1112,7 @@
"mac": "DE-FB-48-7C-4F-F7"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "AAA_AUTH_SEND_FAIL",
@@ -1146,7 +1146,7 @@
{
"@timestamp": "2023-08-20T14:55:28.577Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "MLD_INVALID_IPV6_PKT",
@@ -1180,7 +1180,7 @@
{
"@timestamp": "2023-08-22T10:24:20.959Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "MOBILESTATION_NOT_FOUND",
diff --git a/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index e7853dfb5f2..69153bfa943 100644
--- a/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -8,7 +8,7 @@ processors:
ignore_failure: true
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- grok:
field: event.original
patterns:
diff --git a/packages/cisco_aironet/data_stream/log/sample_event.json b/packages/cisco_aironet/data_stream/log/sample_event.json
index 92038332a6a..377bb6a8ba7 100644
--- a/packages/cisco_aironet/data_stream/log/sample_event.json
+++ b/packages/cisco_aironet/data_stream/log/sample_event.json
@@ -21,7 +21,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "94011a8e-8b26-4bce-a627-d54316798b52",
diff --git a/packages/cisco_aironet/docs/README.md b/packages/cisco_aironet/docs/README.md
index 341442e3cef..2f9af55aea9 100644
--- a/packages/cisco_aironet/docs/README.md
+++ b/packages/cisco_aironet/docs/README.md
@@ -38,7 +38,7 @@ An example event for `log` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "94011a8e-8b26-4bce-a627-d54316798b52",
diff --git a/packages/cisco_aironet/kibana/tags.yml b/packages/cisco_aironet/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_aironet/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_aironet/manifest.yml b/packages/cisco_aironet/manifest.yml
index 736241ea13d..dc693e288d2 100644
--- a/packages/cisco_aironet/manifest.yml
+++ b/packages/cisco_aironet/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.7.0
+format_version: 2.11.0
name: cisco_aironet
title: "Cisco Aironet"
-version: "1.4.0"
+version: "1.6.0"
description: "Integration for Cisco Aironet WLC Logs"
type: integration
categories:
diff --git a/packages/cisco_asa/_dev/build/build.yml b/packages/cisco_asa/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_asa/_dev/build/build.yml
+++ b/packages/cisco_asa/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml
index 00f7fa7abe2..fc70de32b6d 100644
--- a/packages/cisco_asa/changelog.yml
+++ b/packages/cisco_asa/changelog.yml
@@ -1,4 +1,42 @@
# newer versions go on top
+- version: "2.22.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "2.21.0"
+ changes:
+ - description: Update package-spec to 2.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7595
+- version: "2.20.4"
+ changes:
+ - description: Add support for unspecified reason AAA user authenticaton rejection.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7604
+- version: "2.20.3"
+ changes:
+ - description: Add missing geo field mappings
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7264
+- version: "2.20.2"
+ changes:
+ - description: Fix the processing of event 313005 when ports are missing.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7254
+ - description: Collect network.transport for events 722033 and 722034.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7254
+- version: "2.20.1"
+ changes:
+ - description: Fix the handling of spaces in 113005 messages.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7216
+- version: "2.20.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "2.19.0"
changes:
- description: Convert dashboard to lens.
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log
index d500930e841..617dfcf16af 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log
@@ -12,6 +12,7 @@ May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to
May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2 dst dstif:192.168.2.3 (type 3, code 3) on myif interface. Original IP payload: udp src 192.168.2.2/53 dst 192.168.2.3/10872.
May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2(LOCAL\testgroup\testuser) dst dstif:192.168.2.3 (type 3, code 3) on myif interface. Original IP payload: udp src 192.168.2.2/53 dst 192.168.2.3/10872.
May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2(LOCAL\testuser) dst dstif:192.168.2.3 (type 3, code 3) on myif interface. Original IP payload: udp src 192.168.2.2/53 dst 192.168.2.3/10872.
+<188>May 5 17:51:17: %ASA-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2 dst dstif:192.168.2.3 (type 3, code 2) on srcif interface. Original IP payload: icmp src 192.168.2.2 dst 192.168.2.3 (type 0, code 0).
May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 81.2.69.144/2 laddr 10.10.10.10/2 type 8 code 0
May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10
May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00
@@ -105,3 +106,4 @@ May 5 19:02:25 dev01: %ASA-6-716039: Group User IP <172.31.9
<190>Mar 03 2023 09:01:16 sac-firewall : %ASA-6-113004: AAA user accounting Successful : server = 192.168.0.8 : user = sample-user
<190>Mar 03 2023 08:50:32 sac-firewall : %ASA-6-113012: AAA user authentication Successful : local database : user = sample.user
<190>Mar 03 2023 09:13:09 sac-firewall : %ASA-6-716039: Group User <*****> IP <192.168.0.8> Authentication: rejected, Session Type: WebVPN.
+<166>Aug 28 2023 15:35:00 fw123-vc456 : %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.1.2.0 : user = user : user IP = 10.1.2.3
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
index a000b732916..543299d6562 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
@@ -22,7 +22,7 @@
"port": 53500
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -110,7 +110,7 @@
"port": 53500
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -190,7 +190,7 @@
"ip": "10.10.10.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
@@ -252,7 +252,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -313,7 +313,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -377,7 +377,7 @@
"ip": "10.10.10.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
@@ -453,7 +453,7 @@
"port": 111
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -537,7 +537,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -611,7 +611,7 @@
"port": 67
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -688,7 +688,7 @@
"port": 21
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -753,7 +753,7 @@
{
"@timestamp": "2023-05-05T17:51:17.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -805,7 +805,7 @@
"port": 10872
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -883,7 +883,7 @@
"port": 10872
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -972,7 +972,7 @@
"port": 10872
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1043,6 +1043,84 @@
"preserve_original_event"
]
},
+ {
+ "@timestamp": "2023-05-05T17:51:17.000Z",
+ "cisco": {
+ "asa": {
+ "destination_interface": "dstif",
+ "icmp_code": 2,
+ "icmp_type": 3,
+ "source_interface": "srcif"
+ }
+ },
+ "destination": {
+ "ip": "192.168.2.3"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "code": "313005",
+ "kind": "event",
+ "original": "\u003c188\u003eMay 5 17:51:17: %ASA-4-313005: No matching connection for ICMP error message: icmp src srcif:192.168.2.2 dst dstif:192.168.2.3 (type 3, code 2) on srcif interface. Original IP payload: icmp src 192.168.2.2 dst 192.168.2.3 (type 0, code 0).",
+ "severity": 4,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "input": {
+ "type": "icmp"
+ },
+ "log": {
+ "level": "warning",
+ "syslog": {
+ "facility": {
+ "code": 23
+ },
+ "priority": 188,
+ "severity": {
+ "code": 4
+ }
+ }
+ },
+ "network": {
+ "community_id": "1:E6cKJx0lLYUlU1tO5oQTlY25dBg=",
+ "iana_number": "1",
+ "transport": "icmp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "dstif"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "name": "srcif"
+ }
+ },
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "192.168.2.2",
+ "192.168.2.3"
+ ]
+ },
+ "source": {
+ "ip": "192.168.2.2"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
{
"@timestamp": "2023-05-05T18:16:21.000Z",
"cisco": {
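Review bot: The new expected document for the ICMP-payload 313005 case carries `"input": {"type": "icmp"}`, which suggests the protocol from `Original IP payload: icmp src ...` is being written into `input.type`, the field Elastic Agent uses to record the collecting input (tcp/udp/filestream). On real data that would overwrite the agent's own value rather than describe the packet; if the payload protocol is meant to be kept, `network.transport` (already `icmp` in this document) or a `cisco.asa.*` field is the right home, and the fixture should then expect no `input.type` from the pipeline. This may be pre-existing behaviour of the 313005 grok rather than something this commit introduces, so confirm against the pipeline before adjusting the fixture. The inner object is complete within this hunk.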
@@ -1057,7 +1135,7 @@
"ip": "192.168.2.2"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1120,7 +1198,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1178,7 +1256,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1243,7 +1321,7 @@
"ip": "10.10.10.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
@@ -1311,7 +1389,7 @@
"ip": "10.10.10.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
@@ -1380,7 +1458,7 @@
"port": 55225
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1469,7 +1547,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1549,7 +1627,7 @@
"port": 54230
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1627,7 +1705,7 @@
"ip": "192.168.2.2"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1698,7 +1776,7 @@
"port": 57006
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1772,7 +1850,7 @@
"port": 14322
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1846,7 +1924,7 @@
"port": 53356
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1933,7 +2011,7 @@
"port": 161
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2021,7 +2099,7 @@
"port": 161
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2102,7 +2180,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2177,7 +2255,7 @@
"ip": "10.10.10.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2246,7 +2324,7 @@
"port": 65020
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2318,7 +2396,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2389,7 +2467,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2460,7 +2538,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2532,7 +2610,7 @@
"port": 10051
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2607,7 +2685,7 @@
"port": 10051
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2682,7 +2760,7 @@
"port": 10051
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2756,7 +2834,7 @@
"port": 10051
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2836,7 +2914,7 @@
"port": 39222
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2910,7 +2988,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2963,7 +3041,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3023,7 +3101,7 @@
"port": 3452
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3101,7 +3179,7 @@
"port": 6007
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3167,7 +3245,7 @@
{
"@timestamp": "2023-05-05T19:02:26.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3207,7 +3285,7 @@
{
"@timestamp": "2023-05-05T19:02:26.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3257,7 +3335,7 @@
"port": 1985
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3318,7 +3396,7 @@
{
"@timestamp": "2023-05-05T19:02:26.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3358,7 +3436,7 @@
{
"@timestamp": "2023-05-05T19:02:26.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3408,7 +3486,7 @@
"ip": "10.10.10.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3486,7 +3564,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3537,7 +3615,7 @@
"port": 2
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3613,7 +3691,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3681,7 +3759,7 @@
"ip": "10.20.30.40"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3740,7 +3818,7 @@
"ip": "10.20.30.40"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3799,7 +3877,7 @@
"ip": "10.20.30.40"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3858,7 +3936,7 @@
"ip": "10.20.30.40"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3937,7 +4015,7 @@
"port": 9101
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -4030,7 +4108,7 @@
"port": 51635
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4108,7 +4186,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4173,7 +4251,7 @@
{
"@timestamp": "2023-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4224,7 +4302,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4287,7 +4365,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4344,7 +4422,7 @@
"ip": "10.10.1.254"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -4410,7 +4488,7 @@
{
"@timestamp": "2023-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -4477,7 +4555,7 @@
"ip": "10.10.1.254"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4542,7 +4620,7 @@
{
"@timestamp": "2023-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -4600,7 +4678,7 @@
{
"@timestamp": "2023-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4681,7 +4759,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-disconnected",
@@ -4746,7 +4824,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4809,7 +4887,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4882,7 +4960,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4946,7 +5024,7 @@
"port": 23
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5030,7 +5108,7 @@
"port": 123123
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "bypass",
@@ -5117,7 +5195,7 @@
"port": 514514
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "drop",
@@ -5195,7 +5273,7 @@
"port": 123412
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5278,7 +5356,7 @@
"port": 514514
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5362,7 +5440,7 @@
"ip": "192.168.2.2"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "created",
@@ -5435,7 +5513,7 @@
"ip": "192.168.2.2"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deleted",
@@ -5513,7 +5591,7 @@
"port": 7777
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-started",
@@ -5587,7 +5665,7 @@
"port": 7777
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "error",
@@ -5655,7 +5733,7 @@
{
"@timestamp": "2020-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5705,7 +5783,7 @@
{
"@timestamp": "2020-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5753,7 +5831,7 @@
{
"@timestamp": "2020-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "error",
@@ -5802,7 +5880,7 @@
{
"@timestamp": "2020-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "error",
@@ -5844,7 +5922,7 @@
{
"@timestamp": "2020-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5885,7 +5963,7 @@
{
"@timestamp": "2020-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "error",
@@ -5927,7 +6005,7 @@
{
"@timestamp": "2020-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "error",
@@ -5976,7 +6054,7 @@
{
"@timestamp": "2023-04-27T02:03:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6052,7 +6130,7 @@
"ip": "172.31.98.44"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6148,7 +6226,7 @@
"ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6248,7 +6326,7 @@
"port": 500
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6342,7 +6420,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6395,7 +6473,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6448,7 +6526,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6501,7 +6579,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6562,7 +6640,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -6637,7 +6715,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -6707,7 +6785,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -6764,7 +6842,7 @@
{
"@timestamp": "2023-05-05T19:02:25.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -6815,7 +6893,7 @@
{
"@timestamp": "2023-05-05T19:02:25.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -6871,7 +6949,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -6930,7 +7008,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -6989,7 +7067,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -7053,7 +7131,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -7121,7 +7199,7 @@
"ip": "192.168.0.8"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -7184,7 +7262,7 @@
{
"@timestamp": "2023-03-03T08:50:32.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -7249,7 +7327,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
@@ -7313,6 +7391,76 @@
"tags": [
"preserve_original_event"
]
+ },
+ {
+ "@timestamp": "2023-08-28T15:35:00.000Z",
+ "destination": {
+ "address": "10.1.2.0",
+ "ip": "10.1.2.0"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "logon-failed",
+ "category": [
+ "authentication",
+ "network"
+ ],
+ "code": "113005",
+ "kind": "event",
+ "original": "\u003c166\u003eAug 28 2023 15:35:00 fw123-vc456 : %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.1.2.0 : user = user : user IP = 10.1.2.3",
+ "outcome": "failure",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "denied",
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "fw123-vc456"
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "facility": {
+ "code": 20
+ },
+ "priority": 166,
+ "severity": {
+ "code": 6
+ }
+ }
+ },
+ "observer": {
+ "hostname": "fw123-vc456",
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "hosts": [
+ "fw123-vc456"
+ ],
+ "ip": [
+ "10.1.2.3",
+ "10.1.2.0"
+ ],
+ "user": [
+ "user"
+ ]
+ },
+ "source": {
+ "address": "10.1.2.3",
+ "ip": "10.1.2.3",
+ "user": {
+ "name": "user"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
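Review bot: The new expected event for the `reason = Unspecified` 113005 rejection keeps the reason only inside `event.original`; no structured field such as `event.reason` or a `cisco.asa.*` field carries it, so a detection rule or dashboard cannot separate this rejection from other AAA rejection reasons without re-parsing the raw line. If the pipeline already captures the reason for the other 113005 variants, this fixture should expect it here too; if it does not, adding `"reason": "Unspecified"` under `event` together with the matching grok capture would make the new variant useful rather than merely parseable. The orientation here (AAA server as `destination.ip`, user IP as `source.ip`) looks consistent with the other authentication documents in this file. The enclosing JSON array and object close at the end of this hunk, and the file still lacks a trailing newline.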
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log-expected.json
index 93d61ac5dc2..e55843f7b56 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -77,7 +77,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -151,7 +151,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -225,7 +225,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -299,7 +299,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -373,7 +373,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -447,7 +447,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -521,7 +521,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -595,7 +595,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -641,7 +641,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -715,7 +715,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-connected",
@@ -789,7 +789,7 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-error",
@@ -842,7 +842,7 @@
{
"@timestamp": "2022-06-22T13:29:11.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-connected",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
index a670e209c99..d8a5176bd4f 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
@@ -17,7 +17,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -103,7 +103,7 @@
"ip": "10.123.123.123"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -179,7 +179,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -250,7 +250,7 @@
"port": 57621
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -325,7 +325,7 @@
"ip": "10.123.123.123"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -381,7 +381,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -455,7 +455,7 @@
"port": 0
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -526,7 +526,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -597,7 +597,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -669,7 +669,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -758,7 +758,7 @@
"port": 8080
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -860,7 +860,7 @@
"port": 9803
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -972,7 +972,7 @@
"port": 9803
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1090,7 +1090,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log
index 2c26d2a111e..d9be81e83dc 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log
@@ -5,5 +5,6 @@ Aug 6 2020 11:01:37: %ASA-4-722037: Group User
Aug 6 2020 11:01:38: %ASA-4-722051: Group User IP <67.43.156.12> IPv4 Address <67.43.156.12> IPv6 address <::> assigned to session
Oct 20 2021 16:41:52: %ASA-4-722011: Group User <464_0273> IP <192.168.0.1> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..
Oct 20 2021 16:41:52: %ASA-4-722033: Group User <464_0273> IP <192.168.0.1> First UDP SVC connection established for SVC session.
+Oct 20 2021 16:41:52: %ASA-5-722033: Group User <464_0273> IP <192.168.0.1> First TCP SVC connection established for SVC session.
Oct 20 2021 16:41:52: %ASA-4-722034: Group User <464_0273> IP <192.168.0.1> New TCP SVC connection, no existing connection.
Oct 20 2021 16:41:52: %ASA-4-722037: Group User IP <192.168.0.1> SVC closing connection: DPD failure.
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
index f8b16941b3a..a62ba212178 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
@@ -25,7 +25,7 @@
"ip": "67.43.156.12"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-disconnected",
@@ -100,7 +100,7 @@
"ip": "67.43.156.12"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-disconnected",
@@ -153,7 +153,7 @@
{
"@timestamp": "2019-10-20T15:42:54.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -215,7 +215,7 @@
{
"@timestamp": "2020-08-06T11:01:37.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -270,7 +270,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -331,7 +331,7 @@
{
"@timestamp": "2021-10-20T16:41:52.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -381,7 +381,7 @@
{
"@timestamp": "2021-10-20T16:41:52.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -400,6 +400,63 @@
"log": {
"level": "warning"
},
+ "network": {
+ "iana_number": "17",
+ "transport": "udp"
+ },
+ "observer": {
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "192.168.0.1"
+ ],
+ "user": [
+ "464_0273"
+ ]
+ },
+ "source": {
+ "address": "192.168.0.1",
+ "ip": "192.168.0.1",
+ "user": {
+ "group": {
+ "name": "GroupPolicy_Employee"
+ },
+ "name": "464_0273"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2021-10-20T16:41:52.000Z",
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "code": "722033",
+ "kind": "event",
+ "original": "Oct 20 2021 16:41:52: %ASA-5-722033: Group \u003cGroupPolicy_Employee\u003e User \u003c464_0273\u003e IP \u003c192.168.0.1\u003e First TCP SVC connection established for SVC session.",
+ "severity": 5,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "notification"
+ },
+ "network": {
+ "iana_number": "6",
+ "transport": "tcp"
+ },
"observer": {
"product": "asa",
"type": "firewall",
@@ -430,7 +487,7 @@
{
"@timestamp": "2021-10-20T16:41:52.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -449,6 +506,10 @@
"log": {
"level": "warning"
},
+ "network": {
+ "iana_number": "6",
+ "transport": "tcp"
+ },
"observer": {
"product": "asa",
"type": "firewall",
@@ -479,7 +540,7 @@
{
"@timestamp": "2021-10-20T16:41:52.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
index 4103dd2d85b..553d149f910 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
@@ -14,7 +14,7 @@
"port": 8256
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -98,7 +98,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -179,7 +179,7 @@
"port": 1758
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -265,7 +265,7 @@
"port": 1757
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -351,7 +351,7 @@
"port": 1755
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -437,7 +437,7 @@
"port": 1754
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -523,7 +523,7 @@
"port": 1752
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -609,7 +609,7 @@
"port": 1749
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -695,7 +695,7 @@
"port": 1750
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -781,7 +781,7 @@
"port": 1747
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -867,7 +867,7 @@
"port": 1742
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -953,7 +953,7 @@
"port": 1741
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1039,7 +1039,7 @@
"port": 1739
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1125,7 +1125,7 @@
"port": 1740
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1211,7 +1211,7 @@
"port": 1738
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1297,7 +1297,7 @@
"port": 1756
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1383,7 +1383,7 @@
"port": 1737
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1469,7 +1469,7 @@
"port": 1736
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1555,7 +1555,7 @@
"port": 1765
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1640,7 +1640,7 @@
"port": 1188
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1724,7 +1724,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1805,7 +1805,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1894,7 +1894,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1975,7 +1975,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -2059,7 +2059,7 @@
"port": 8257
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2143,7 +2143,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2223,7 +2223,7 @@
"port": 8258
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2307,7 +2307,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2392,7 +2392,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2477,7 +2477,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2558,7 +2558,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -2643,7 +2643,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -2727,7 +2727,7 @@
"port": 8259
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2811,7 +2811,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2891,7 +2891,7 @@
"port": 1189
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2975,7 +2975,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3060,7 +3060,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3141,7 +3141,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3226,7 +3226,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3310,7 +3310,7 @@
"port": 8265
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3394,7 +3394,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3479,7 +3479,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3564,7 +3564,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3645,7 +3645,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3730,7 +3730,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3814,7 +3814,7 @@
"port": 8266
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3898,7 +3898,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3979,7 +3979,7 @@
"port": 1453
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -4069,7 +4069,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4150,7 +4150,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -4235,7 +4235,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -4319,7 +4319,7 @@
"port": 8267
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4403,7 +4403,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4483,7 +4483,7 @@
"port": 8268
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4567,7 +4567,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4647,7 +4647,7 @@
"port": 8269
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4731,7 +4731,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4816,7 +4816,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4897,7 +4897,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -4981,7 +4981,7 @@
"port": 8270
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5065,7 +5065,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5145,7 +5145,7 @@
"port": 8271
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5229,7 +5229,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5314,7 +5314,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5395,7 +5395,7 @@
"port": 1457
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -5480,7 +5480,7 @@
"port": 8272
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5564,7 +5564,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5645,7 +5645,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -5729,7 +5729,7 @@
"port": 8273
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5813,7 +5813,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5893,7 +5893,7 @@
"port": 8267
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -5976,7 +5976,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6060,7 +6060,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6140,7 +6140,7 @@
"port": 8268
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6223,7 +6223,7 @@
"port": 8269
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6306,7 +6306,7 @@
"port": 8270
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6389,7 +6389,7 @@
"port": 8271
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6472,7 +6472,7 @@
"port": 8272
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6555,7 +6555,7 @@
"port": 8273
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6639,7 +6639,7 @@
"port": 1382
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6725,7 +6725,7 @@
"port": 1385
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6810,7 +6810,7 @@
"port": 8278
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6894,7 +6894,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6975,7 +6975,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7057,7 +7057,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7139,7 +7139,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7221,7 +7221,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7303,7 +7303,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7385,7 +7385,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7467,7 +7467,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7549,7 +7549,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7631,7 +7631,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7713,7 +7713,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7795,7 +7795,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7877,7 +7877,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7959,7 +7959,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8040,7 +8040,7 @@
"port": 8279
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8124,7 +8124,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8204,7 +8204,7 @@
"port": 1190
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8288,7 +8288,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8369,7 +8369,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -8458,7 +8458,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8539,7 +8539,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -8623,7 +8623,7 @@
"port": 8280
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8707,7 +8707,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8787,7 +8787,7 @@
"port": 8281
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8871,7 +8871,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8952,7 +8952,7 @@
"port": 1276
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9037,7 +9037,7 @@
"port": 8282
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9121,7 +9121,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9202,7 +9202,7 @@
"port": 1277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9287,7 +9287,7 @@
"port": 8283
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9371,7 +9371,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9452,7 +9452,7 @@
"port": 1278
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9538,7 +9538,7 @@
"port": 1279
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9623,7 +9623,7 @@
"port": 8284
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9707,7 +9707,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9788,7 +9788,7 @@
"port": 1280
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9873,7 +9873,7 @@
"port": 8285
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9957,7 +9957,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10037,7 +10037,7 @@
"port": 8286
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10121,7 +10121,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10201,7 +10201,7 @@
"port": 8287
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10285,7 +10285,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10365,7 +10365,7 @@
"port": 8288
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10449,7 +10449,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10530,7 +10530,7 @@
"port": 1281
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -10616,7 +10616,7 @@
"port": 1282
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -10702,7 +10702,7 @@
"port": 1283
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -10787,7 +10787,7 @@
"port": 8289
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10871,7 +10871,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10951,7 +10951,7 @@
"port": 8290
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11035,7 +11035,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11116,7 +11116,7 @@
"port": 1284
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -11201,7 +11201,7 @@
"port": 8291
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11285,7 +11285,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11366,7 +11366,7 @@
"port": 1285
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -11452,7 +11452,7 @@
"port": 1286
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -11542,7 +11542,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11622,7 +11622,7 @@
"port": 8292
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11706,7 +11706,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11787,7 +11787,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -11876,7 +11876,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11957,7 +11957,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12041,7 +12041,7 @@
"port": 8293
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12125,7 +12125,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12206,7 +12206,7 @@
"port": 1288
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12292,7 +12292,7 @@
"port": 1287
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12382,7 +12382,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12463,7 +12463,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12547,7 +12547,7 @@
"port": 8294
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12631,7 +12631,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12712,7 +12712,7 @@
"port": 68
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12796,7 +12796,7 @@
"port": 8276
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12884,7 +12884,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12969,7 +12969,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13050,7 +13050,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13139,7 +13139,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13220,7 +13220,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13305,7 +13305,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13394,7 +13394,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13475,7 +13475,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13559,7 +13559,7 @@
"port": 8295
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13643,7 +13643,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13728,7 +13728,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13809,7 +13809,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13893,7 +13893,7 @@
"port": 8296
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13977,7 +13977,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14057,7 +14057,7 @@
"port": 8297
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14141,7 +14141,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14221,7 +14221,7 @@
"port": 8298
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14305,7 +14305,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14386,7 +14386,7 @@
"port": 1293
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -14471,7 +14471,7 @@
"port": 8299
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14555,7 +14555,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14635,7 +14635,7 @@
"port": 8300
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14719,7 +14719,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14800,7 +14800,7 @@
"port": 1294
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -14886,7 +14886,7 @@
"port": 1295
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -14972,7 +14972,7 @@
"port": 1296
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -15057,7 +15057,7 @@
"port": 8301
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15141,7 +15141,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15221,7 +15221,7 @@
"port": 8302
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15305,7 +15305,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15390,7 +15390,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15471,7 +15471,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -15556,7 +15556,7 @@
"port": 1297
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -15641,7 +15641,7 @@
"port": 8303
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15725,7 +15725,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15805,7 +15805,7 @@
"port": 8304
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15889,7 +15889,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15970,7 +15970,7 @@
"port": 1298
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16056,7 +16056,7 @@
"port": 1300
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16141,7 +16141,7 @@
"port": 8305
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -16225,7 +16225,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -16305,7 +16305,7 @@
"port": 8306
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -16389,7 +16389,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -16469,7 +16469,7 @@
"port": 8280
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16552,7 +16552,7 @@
"port": 8281
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16635,7 +16635,7 @@
"port": 8282
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16718,7 +16718,7 @@
"port": 8283
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16801,7 +16801,7 @@
"port": 8284
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16884,7 +16884,7 @@
"port": 8285
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16967,7 +16967,7 @@
"port": 8286
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17050,7 +17050,7 @@
"port": 8287
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17133,7 +17133,7 @@
"port": 8288
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17216,7 +17216,7 @@
"port": 8289
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17299,7 +17299,7 @@
"port": 8290
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17382,7 +17382,7 @@
"port": 8291
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17465,7 +17465,7 @@
"port": 8292
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17548,7 +17548,7 @@
"port": 8297
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17631,7 +17631,7 @@
"port": 8298
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17714,7 +17714,7 @@
"port": 8308
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -17798,7 +17798,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -17878,7 +17878,7 @@
"port": 8299
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17961,7 +17961,7 @@
"port": 8300
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18049,7 +18049,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -18134,7 +18134,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -18215,7 +18215,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18300,7 +18300,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18384,7 +18384,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -18468,7 +18468,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -18548,7 +18548,7 @@
"port": 8301
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18631,7 +18631,7 @@
"port": 8302
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18714,7 +18714,7 @@
"port": 8303
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18797,7 +18797,7 @@
"port": 8304
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18880,7 +18880,7 @@
"port": 8305
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18963,7 +18963,7 @@
"port": 8306
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -19046,7 +19046,7 @@
"port": 8307
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -19130,7 +19130,7 @@
"port": 1305
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -19216,7 +19216,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19298,7 +19298,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19380,7 +19380,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19461,7 +19461,7 @@
"port": 8310
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19545,7 +19545,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19626,7 +19626,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19708,7 +19708,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19790,7 +19790,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19872,7 +19872,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19954,7 +19954,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20036,7 +20036,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20118,7 +20118,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20200,7 +20200,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20282,7 +20282,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20364,7 +20364,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20446,7 +20446,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20528,7 +20528,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20610,7 +20610,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20692,7 +20692,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20774,7 +20774,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20856,7 +20856,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20938,7 +20938,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21020,7 +21020,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21102,7 +21102,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21184,7 +21184,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21266,7 +21266,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21348,7 +21348,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21430,7 +21430,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21512,7 +21512,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21594,7 +21594,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21676,7 +21676,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21758,7 +21758,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21840,7 +21840,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21922,7 +21922,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -22004,7 +22004,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -22086,7 +22086,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -22168,7 +22168,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -22250,7 +22250,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -22336,7 +22336,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json
index 6ca1492f674..9e8c46336b9 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json
@@ -12,7 +12,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
index 031be4691a2..05bdcc2a4ad 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2023-01-01T01:00:27.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -47,7 +47,7 @@
{
"@timestamp": "2023-01-01T01:00:30.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -98,7 +98,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json
index af1d69d5034..5353ed54294 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json
@@ -11,7 +11,7 @@
"domain": "target.destination.hostname.local"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -78,7 +78,7 @@
"ip": "192.168.2.15"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log
index b8dd5e73906..cdd3ed8ecf3 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log
@@ -17,5 +17,5 @@ Jul 14 01:45:09 81.2.69.142 %ASA-6-302021: Teardown ICMP connection for faddr et
Jul 15 12:18:51 81.2.69.192 %ASA-6-113039: Group User IP <216.160.83.56> AnyConnect parent session started.
Jul 1 09:27:13 216.160.83.56 : %ASA-6-113039: Group User IP <81.2.69.192> AnyConnect parent session started.
Jun 14 01:22:47 81.2.69.142 %ASA-5-304001: 192.168.14.22 Accessed URL mirror:http://mirror.example.com/path/to/resource
-Jul 1 09:27:13 216.160.83.56 : AAA user authentication Rejected : reason = AAA failure : server = 81.2.69.142 : user = 123 : user IP = 89.160.20.112
-Jul 1 09:27:13 216.160.83.56 : AAA user authentication Rejected : reason = Account has been disabled : server = 81.2.69.144 : user = alice : user IP = 89.160.20.128
+Jul 1 09:27:13 216.160.83.56 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 81.2.69.142 : user = 123 : user IP = 89.160.20.112
+Jul 1 09:27:13 216.160.83.56 : %ASA-6-113005: AAA user authentication Rejected : reason = Account has been disabled : server = 81.2.69.144 : user = alice : user IP = 89.160.20.128
\ No newline at end of file
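Review bot: Neither rewritten sample line exercises the `Unspecified` reason that the pipeline's REASON alternation for 113005 gains in this same commit, so a regression in that branch would pass the pipeline tests unnoticed; add a third sample such as `Jul 1 09:27:13 216.160.83.56 : %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 81.2.69.142 : user = bob : user IP = 89.160.20.112` and regenerate the expected file. The two lines previously lacked the `%ASA-6-113005:` tag and documented how an untagged rejection was handled; if that untagged form is something a real device can emit, keep one of them alongside the tagged ones rather than replacing both. The file still ends without a trailing newline.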
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json
index ec3758a9d41..c068a28506a 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json
@@ -19,7 +19,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -99,7 +99,7 @@
"port": 10050
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -183,7 +183,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -267,7 +267,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -345,7 +345,7 @@
"port": 54703
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -415,7 +415,7 @@
"port": 25
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -516,7 +516,7 @@
"port": 62409
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -606,7 +606,7 @@
"port": 56421
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -696,7 +696,7 @@
"port": 50578
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -782,7 +782,7 @@
"port": 56570
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -875,7 +875,7 @@
"port": 2511
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -970,7 +970,7 @@
"port": 2511
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1045,7 +1045,7 @@
"domain": "eth0_fw"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
@@ -1120,7 +1120,7 @@
"domain": "eth0_fw"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
@@ -1195,7 +1195,7 @@
"domain": "eth0_fw"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1270,7 +1270,7 @@
"domain": "eth0_fw"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1335,7 +1335,7 @@
{
"@timestamp": "2023-07-15T12:18:51.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-connected",
@@ -1410,7 +1410,7 @@
{
"@timestamp": "2023-07-01T09:27:13.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "client-vpn-connected",
@@ -1486,7 +1486,7 @@
"domain": "mirror"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1541,25 +1541,47 @@
},
{
"@timestamp": "2023-07-01T09:27:13.000Z",
- "cisco": {
- "asa": {
- "message_id": "",
- "security": {}
- }
+ "destination": {
+ "address": "81.2.69.142",
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.142"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
- "original": "Jul 1 09:27:13 216.160.83.56 : AAA user authentication Rejected : reason = AAA failure : server = 81.2.69.142 : user = 123 : user IP = 89.160.20.112",
- "severity": 7,
- "timezone": "UTC"
+ "action": "logon-failed",
+ "category": [
+ "authentication",
+ "network"
+ ],
+ "code": "113005",
+ "kind": "event",
+ "original": "Jul 1 09:27:13 216.160.83.56 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 81.2.69.142 : user = 123 : user IP = 89.160.20.112",
+ "outcome": "failure",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "denied",
+ "info"
+ ]
},
"host": {
"hostname": "216.160.83.56"
},
"log": {
- "level": "debug"
+ "level": "informational"
},
"observer": {
"hostname": "216.160.83.56",
@@ -1570,33 +1592,87 @@
"related": {
"hosts": [
"216.160.83.56"
+ ],
+ "ip": [
+ "89.160.20.112",
+ "81.2.69.142"
+ ],
+ "user": [
+ "123"
]
},
+ "source": {
+ "address": "89.160.20.112",
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.112",
+ "user": {
+ "name": "123"
+ }
+ },
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-07-01T09:27:13.000Z",
- "cisco": {
- "asa": {
- "message_id": "",
- "security": {}
- }
+ "destination": {
+ "address": "81.2.69.144",
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
- "original": "Jul 1 09:27:13 216.160.83.56 : AAA user authentication Rejected : reason = Account has been disabled : server = 81.2.69.144 : user = alice : user IP = 89.160.20.128",
- "severity": 7,
- "timezone": "UTC"
+ "action": "logon-failed",
+ "category": [
+ "authentication",
+ "network"
+ ],
+ "code": "113005",
+ "kind": "event",
+ "original": "Jul 1 09:27:13 216.160.83.56 : %ASA-6-113005: AAA user authentication Rejected : reason = Account has been disabled : server = 81.2.69.144 : user = alice : user IP = 89.160.20.128",
+ "outcome": "failure",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "denied",
+ "info"
+ ]
},
"host": {
"hostname": "216.160.83.56"
},
"log": {
- "level": "debug"
+ "level": "informational"
},
"observer": {
"hostname": "216.160.83.56",
@@ -1607,8 +1683,40 @@
"related": {
"hosts": [
"216.160.83.56"
+ ],
+ "ip": [
+ "89.160.20.128",
+ "81.2.69.144"
+ ],
+ "user": [
+ "alice"
]
},
+ "source": {
+ "address": "89.160.20.128",
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.128",
+ "user": {
+ "name": "alice"
+ }
+ },
"tags": [
"preserve_original_event"
]
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
index 6dc7e8de78b..174230beff0 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
@@ -27,7 +27,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -105,7 +105,7 @@
"ip": "172.24.177.29"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -178,7 +178,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
index 6b44d821c12..8f69f3fa5e0 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
@@ -15,7 +15,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -86,7 +86,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -158,7 +158,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -228,7 +228,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -306,7 +306,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -383,7 +383,7 @@
"port": 12834
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -456,7 +456,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -528,7 +528,7 @@
"port": 25882
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -604,7 +604,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -677,7 +677,7 @@
"port": 45392
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -750,7 +750,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -825,7 +825,7 @@
"port": 52925
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -904,7 +904,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -985,7 +985,7 @@
"ip": "172.24.177.29"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1050,7 +1050,7 @@
"port": 10879
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1123,7 +1123,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1191,7 +1191,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1254,7 +1254,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1325,7 +1325,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1396,7 +1396,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1467,7 +1467,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1538,7 +1538,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1609,7 +1609,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1680,7 +1680,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1751,7 +1751,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1822,7 +1822,7 @@
"port": 25
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1893,7 +1893,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1962,7 +1962,7 @@
"port": 137
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2022,7 +2022,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2085,7 +2085,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2156,7 +2156,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2227,7 +2227,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2298,7 +2298,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2369,7 +2369,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2440,7 +2440,7 @@
"port": 8111
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2511,7 +2511,7 @@
"port": 8111
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2582,7 +2582,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2653,7 +2653,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2725,7 +2725,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2799,7 +2799,7 @@
"port": 11180
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2872,7 +2872,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2946,7 +2946,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3024,7 +3024,7 @@
"port": 1234
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3102,7 +3102,7 @@
"port": 1234
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3176,7 +3176,7 @@
"port": 5678
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3254,7 +3254,7 @@
"port": 5678
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3332,7 +3332,7 @@
"port": 5678
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3408,7 +3408,7 @@
"port": 5679
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3475,7 +3475,7 @@
"port": 5679
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3544,7 +3544,7 @@
"port": 5000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3622,7 +3622,7 @@
"port": 1234
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3699,7 +3699,7 @@
"port": 1234
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3772,7 +3772,7 @@
"port": 1235
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3850,7 +3850,7 @@
"port": 500
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3921,7 +3921,7 @@
"ip": "192.168.99.47"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3985,7 +3985,7 @@
"ip": "192.168.99.57"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4049,7 +4049,7 @@
"ip": "192.168.99.47"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4113,7 +4113,7 @@
"ip": "192.168.99.47"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4177,7 +4177,7 @@
"ip": "192.168.99.57"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4241,7 +4241,7 @@
"ip": "192.168.99.57"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4305,7 +4305,7 @@
"ip": "192.168.1.255"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4369,7 +4369,7 @@
"ip": "192.168.1.255"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4436,7 +4436,7 @@
"port": 25
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4509,7 +4509,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4577,7 +4577,7 @@
"ip": "172.16.1.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4647,7 +4647,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4735,7 +4735,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4816,7 +4816,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4883,7 +4883,7 @@
"ip": "192.168.2.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4934,7 +4934,7 @@
"ip": "192.168.2.32"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4992,7 +4992,7 @@
"ip": "192.168.0.19"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5077,7 +5077,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5148,7 +5148,7 @@
"ip": "172.17.6.211"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5234,7 +5234,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5345,7 +5345,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5458,7 +5458,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
@@ -5554,7 +5554,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
@@ -5654,7 +5654,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
@@ -5748,7 +5748,7 @@
"port": 18449
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -5826,7 +5826,7 @@
"ip": "ff02::1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -5899,7 +5899,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5989,7 +5989,7 @@
"port": 50120
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6093,7 +6093,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6196,7 +6196,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6294,7 +6294,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6402,7 +6402,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6507,7 +6507,7 @@
"ip": "81.2.69.193"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deleted",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json
index 89039ed7135..13bbb393a90 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json
@@ -16,7 +16,7 @@
"port": 5060
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -84,7 +84,7 @@
"port": 5060
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -152,7 +152,7 @@
"port": 5060
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -220,7 +220,7 @@
"port": 5060
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 1bb8df8896c..bcefb912542 100644
--- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -13,7 +13,7 @@ processors:
message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
#
# Parse the syslog header
#
@@ -453,9 +453,9 @@ processors:
description: "113005"
field: "message"
patterns:
- - "AAA user authentication Rejected: reason = %{REASON}: server = %{IP:destination.address} : user = ?%{CISCO_USER:source.user.name}: user IP = %{IP:source.address}"
+ - "AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?%{CISCO_USER:source.user.name}(%{SPACE})?: user IP = %{IP:source.address}"
pattern_definitions:
- REASON: (AAA failure|Account has been disabled)
+ REASON: (AAA failure|Account has been disabled|Unspecified)
CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- grok:
if: "ctx._temp_.cisco.message_id == '113012'"
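Review bot: REASON in pattern_definitions is still a closed list, so a 113005 message whose reason is anything other than the three listed strings makes this grok fail and the rejection is indexed without `event.outcome`, `source.ip` and `source.user.name` — the fields a failed-login or brute-force detection keys on — which is a silent gap in exactly the events most worth alerting on. Since the reason text is never captured, a non-colon run is sufficient: `REASON: "[^:]+"` (assuming reason strings contain no colon, as all visible ones do), or capture it with `%{REASON:event.reason}` so the reason survives in ECS, which would also need a matching entry in the data stream's fields definition. The new `(%{SPACE})?` groups are redundant because `%{SPACE}` already matches zero or more whitespace characters; `%{SPACE}:` alone gives the same tolerance with less noise. The grok processor's `- grok:` and `if:` lines sit above the start of this hunk.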
@@ -606,9 +606,9 @@ processors:
field: "message"
description: "313005"
patterns:
- - "No matching connection for ICMP error message: %{NOTSPACE:network.transport} src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST} dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST} \\(type %{NUMBER:_temp_.cisco.icmp_type}, code %{NUMBER:_temp_.cisco.icmp_code}\\) on %{NOTCOLON} interface.%{SPACE}Original IP payload: %{NOTSPACE:input.type} src %{IPORHOST:source.ip}/%{NUMBER:source.port} dst %{IPORHOST:destination.ip}/%{NUMBER:destination.port}."
- - "No matching connection for ICMP error message: %{NOTSPACE:network.transport} src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST}\\(%{NOTCOLON:source.user.domain}\\\\%{NOTSPACE:source.user.group.name}\\\\%{NOTSPACE:source.user.name}\\) dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST} \\(type %{NUMBER:_temp_.cisco.icmp_type}, code %{NUMBER:_temp_.cisco.icmp_code}\\) on %{NOTCOLON} interface.%{SPACE}Original IP payload: %{NOTSPACE:input.type} src %{IPORHOST:source.ip}/%{NUMBER:source.port} dst %{IPORHOST:destination.ip}/%{NUMBER:destination.port}."
- - "No matching connection for ICMP error message: %{NOTSPACE:network.transport} src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST}\\(%{NOTCOLON:source.user.domain}\\\\%{NOTSPACE:source.user.name}\\) dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST} \\(type %{NUMBER:_temp_.cisco.icmp_type}, code %{NUMBER:_temp_.cisco.icmp_code}\\) on %{NOTCOLON} interface.%{SPACE}Original IP payload: %{NOTSPACE:input.type} src %{IPORHOST:source.ip}/%{NUMBER:source.port} dst %{IPORHOST:destination.ip}/%{NUMBER:destination.port}."
+ - "No matching connection for ICMP error message: %{NOTSPACE:network.transport} src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST} dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST} \\(type %{NUMBER:_temp_.cisco.icmp_type}, code %{NUMBER:_temp_.cisco.icmp_code}\\) on %{NOTCOLON} interface.%{SPACE}Original IP payload: %{NOTSPACE:input.type} src %{IPORHOST:source.ip}(/%{NUMBER:source.port})? dst %{IPORHOST:destination.ip}(/%{NUMBER:destination.port})?[.]?"
+ - "No matching connection for ICMP error message: %{NOTSPACE:network.transport} src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST}\\(%{NOTCOLON:source.user.domain}\\\\%{NOTSPACE:source.user.group.name}\\\\%{NOTSPACE:source.user.name}\\) dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST} \\(type %{NUMBER:_temp_.cisco.icmp_type}, code %{NUMBER:_temp_.cisco.icmp_code}\\) on %{NOTCOLON} interface.%{SPACE}Original IP payload: %{NOTSPACE:input.type} src %{IPORHOST:source.ip}(/%{NUMBER:source.port})? dst %{IPORHOST:destination.ip}(/%{NUMBER:destination.port})?[.]?"
+ - "No matching connection for ICMP error message: %{NOTSPACE:network.transport} src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST}\\(%{NOTCOLON:source.user.domain}\\\\%{NOTSPACE:source.user.name}\\) dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST} \\(type %{NUMBER:_temp_.cisco.icmp_type}, code %{NUMBER:_temp_.cisco.icmp_code}\\) on %{NOTCOLON} interface.%{SPACE}Original IP payload: %{NOTSPACE:input.type} src %{IPORHOST:source.ip}(/%{NUMBER:source.port})? dst %{IPORHOST:destination.ip}(/%{NUMBER:destination.port})?[.]?"
pattern_definitions:
NOTCOLON: "[^:]*"
HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
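Review bot: The rewritten 313005 patterns still write the protocol of the original IP payload into `input.type`, a field that in Elastic integrations conventionally holds the Agent/Beats input type rather than a protocol; overwriting it here looks like a pre-existing misnaming carried into the new lines, and `network.transport` (already used for the outer ICMP error in the same pattern) or a `_temp_.cisco.*` field would be the natural home — confirm against the rest of the pipeline and any dashboards before changing it. Making the ports optional with `(/%{NUMBER:source.port})?` is right for ICMP payloads, but the trailing `[.]?` is redundant because the ingest grok processor does not anchor the pattern at the end unless `$` is given. The grok processor's `- grok:` and `if:` lines sit above the start of this hunk.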
@@ -904,15 +904,15 @@ processors:
field: "message"
description: "722033"
patterns:
- - 'Group <%{NOTSPACE:source.user.group.name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> First UDP SVC connection established for SVC session\.'
- - 'Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} First UDP SVC connection established for SVC session\.'
+ - 'Group <%{NOTSPACE:source.user.group.name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> First %{NOTSPACE:network.transport} SVC connection established for SVC session\.'
+ - 'Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} First %{NOTSPACE:network.transport} SVC connection established for SVC session\.'
- grok:
if: "ctx._temp_.cisco.message_id == '722034'"
field: "message"
description: "722034"
patterns:
- - 'Group <%{NOTSPACE:source.user.group.name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> New TCP SVC connection, no existing connection\.'
- - 'Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} New TCP SVC connection, no existing connection\.'
+ - 'Group <%{NOTSPACE:source.user.group.name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> New %{NOTSPACE:network.transport} SVC connection, no existing connection\.'
+ - 'Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} New %{NOTSPACE:network.transport} SVC connection, no existing connection\.'
- grok:
if: "ctx._temp_.cisco.message_id == '722037'"
field: "message"
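Review bot: The `%{NOTSPACE:network.transport}` capture added to the 722033 and 722034 patterns stores the protocol token exactly as it appears in the message, which for these ASA messages is the uppercase `UDP`/`TCP` the old hard-coded patterns matched, while ECS expects `network.transport` in lowercase. Unless a `lowercase` processor for that field already runs later in this pipeline (the processor list continues outside the hunk), documents from these messages will carry a differently-cased value than the rest of the dataset and will not match queries written against the ECS convention. Either keep the grok capture and add, after these processors, `- lowercase: { field: network.transport, ignore_missing: true }`, or capture into `_temp_` and normalize there as the other patterns in this pipeline appear to do for interface names. The same applies to both hunks touched here (722033 and 722034).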
diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml
index a405431823d..101e0194ce3 100644
--- a/packages/cisco_asa/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_asa/data_stream/log/fields/ecs.yml
@@ -14,6 +14,8 @@
name: destination.domain
- external: ecs
name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.continent_code
- external: ecs
name: destination.geo.continent_name
- external: ecs
@@ -22,10 +24,16 @@
name: destination.geo.country_name
- external: ecs
name: destination.geo.location
+- external: ecs
+ name: destination.geo.name
+- external: ecs
+ name: destination.geo.postal_code
- external: ecs
name: destination.geo.region_iso_code
- external: ecs
name: destination.geo.region_name
+- external: ecs
+ name: destination.geo.timezone
- external: ecs
name: destination.ip
- external: ecs
@@ -106,6 +114,28 @@
name: observer.egress.interface.name
- external: ecs
name: observer.egress.zone
+- external: ecs
+ name: observer.geo.city_name
+- external: ecs
+ name: observer.geo.continent_code
+- external: ecs
+ name: observer.geo.continent_name
+- external: ecs
+ name: observer.geo.country_iso_code
+- external: ecs
+ name: observer.geo.country_name
+- external: ecs
+ name: observer.geo.location
+- external: ecs
+ name: observer.geo.name
+- external: ecs
+ name: observer.geo.postal_code
+- external: ecs
+ name: observer.geo.region_iso_code
+- external: ecs
+ name: observer.geo.region_name
+- external: ecs
+ name: observer.geo.timezone
- external: ecs
name: observer.hostname
- external: ecs
@@ -146,6 +176,8 @@
name: source.domain
- external: ecs
name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_code
- external: ecs
name: source.geo.continent_name
- external: ecs
@@ -154,10 +186,16 @@
name: source.geo.country_name
- external: ecs
name: source.geo.location
+- external: ecs
+ name: source.geo.name
+- external: ecs
+ name: source.geo.postal_code
- external: ecs
name: source.geo.region_iso_code
- external: ecs
name: source.geo.region_name
+- external: ecs
+ name: source.geo.timezone
- external: ecs
name: source.ip
- external: ecs
diff --git a/packages/cisco_asa/data_stream/log/sample_event.json b/packages/cisco_asa/data_stream/log/sample_event.json
index 6ed0df99709..76f1831353c 100644
--- a/packages/cisco_asa/data_stream/log/sample_event.json
+++ b/packages/cisco_asa/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"agent": {
- "ephemeral_id": "527259e1-8f53-40d5-a1b7-eeeae2bd0e5b",
- "id": "d8aa4cb0-4002-48c4-abf4-14c12d2e4be1",
+ "ephemeral_id": "bf92e689-48fb-4249-92c2-e3a34105ed72",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.1.0"
+ "version": "8.9.1"
},
"cisco": {
"asa": {
@@ -25,12 +25,12 @@
"port": 8256
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "d8aa4cb0-4002-48c4-abf4-14c12d2e4be1",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"snapshot": false,
- "version": "8.1.0"
+ "version": "8.9.1"
},
"event": {
"action": "firewall-rule",
@@ -40,7 +40,7 @@
],
"code": "305011",
"dataset": "cisco_asa.log",
- "ingested": "2023-06-01T10:41:28Z",
+ "ingested": "2023-08-29T16:16:14Z",
"kind": "event",
"original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
"severity": 6,
@@ -58,7 +58,7 @@
"log": {
"level": "informational",
"source": {
- "address": "172.31.0.4:45752"
+ "address": "172.21.0.4:41604"
}
},
"network": {
diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md
index 98e048a064c..4a866f9be28 100644
--- a/packages/cisco_asa/docs/README.md
+++ b/packages/cisco_asa/docs/README.md
@@ -17,11 +17,11 @@ An example event for `log` looks as following:
{
"@timestamp": "2018-10-10T12:34:56.000Z",
"agent": {
- "ephemeral_id": "527259e1-8f53-40d5-a1b7-eeeae2bd0e5b",
- "id": "d8aa4cb0-4002-48c4-abf4-14c12d2e4be1",
+ "ephemeral_id": "bf92e689-48fb-4249-92c2-e3a34105ed72",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.1.0"
+ "version": "8.9.1"
},
"cisco": {
"asa": {
@@ -41,12 +41,12 @@ An example event for `log` looks as following:
"port": 8256
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "d8aa4cb0-4002-48c4-abf4-14c12d2e4be1",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"snapshot": false,
- "version": "8.1.0"
+ "version": "8.9.1"
},
"event": {
"action": "firewall-rule",
@@ -56,7 +56,7 @@ An example event for `log` looks as following:
],
"code": "305011",
"dataset": "cisco_asa.log",
- "ingested": "2023-06-01T10:41:28Z",
+ "ingested": "2023-08-29T16:16:14Z",
"kind": "event",
"original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
"severity": 6,
@@ -74,7 +74,7 @@ An example event for `log` looks as following:
"log": {
"level": "informational",
"source": {
- "address": "172.31.0.4:45752"
+ "address": "172.21.0.4:41604"
}
},
"network": {
@@ -202,12 +202,16 @@ An example event for `log` looks as following:
| destination.bytes | Bytes sent from the destination to the source. | long |
| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
| destination.geo.continent_name | Name of the continent. | keyword |
| destination.geo.country_iso_code | Country ISO code. | keyword |
| destination.geo.country_name | Country name. | keyword |
| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
| destination.geo.region_iso_code | Region ISO code. | keyword |
| destination.geo.region_name | Region name. | keyword |
+| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
@@ -219,16 +223,16 @@ An example event for `log` looks as following:
| error.message | Error message. | match_only_text |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
@@ -272,6 +276,17 @@ An example event for `log` looks as following:
| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
| observer.egress.interface.name | Interface name as reported by the system. | keyword |
| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
+| observer.geo.city_name | City name. | keyword |
+| observer.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| observer.geo.continent_name | Name of the continent. | keyword |
+| observer.geo.country_iso_code | Country ISO code. | keyword |
+| observer.geo.country_name | Country name. | keyword |
+| observer.geo.location | Longitude and latitude. | geo_point |
+| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| observer.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| observer.geo.region_iso_code | Region ISO code. | keyword |
+| observer.geo.region_name | Region name. | keyword |
+| observer.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| observer.hostname | Hostname of the observer. | keyword |
| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
@@ -300,12 +315,16 @@ An example event for `log` looks as following:
| source.bytes | Bytes sent from the source to the destination. | long |
| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
| source.geo.city_name | City name. | keyword |
+| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
| source.geo.continent_name | Name of the continent. | keyword |
| source.geo.country_iso_code | Country ISO code. | keyword |
| source.geo.country_name | Country name. | keyword |
| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
| source.geo.region_iso_code | Region ISO code. | keyword |
| source.geo.region_name | Region name. | keyword |
+| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| source.ip | IP address of the source (IPv4 or IPv6). | ip |
| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
diff --git a/packages/cisco_asa/kibana/tags.yml b/packages/cisco_asa/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_asa/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
index 35434e7e8c4..fe5608c94b7 100644
--- a/packages/cisco_asa/manifest.yml
+++ b/packages/cisco_asa/manifest.yml
@@ -1,15 +1,13 @@
-format_version: 1.0.0
+format_version: 2.11.0
name: cisco_asa
title: Cisco ASA
-version: "2.19.0"
-license: basic
+version: "2.22.0"
description: Collect logs from Cisco ASA with Elastic Agent.
type: integration
categories:
- network
- security
- firewall_security
-release: ga
conditions:
kibana.version: "^8.7.1"
screenshots:
diff --git a/packages/cisco_duo/_dev/build/build.yml b/packages/cisco_duo/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_duo/_dev/build/build.yml
+++ b/packages/cisco_duo/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml
index bc52b2a1a31..e18618514b7 100644
--- a/packages/cisco_duo/changelog.yml
+++ b/packages/cisco_duo/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: 1.17.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.16.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.15.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.14.0"
changes:
- description: Convert to lens.
diff --git a/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json b/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json
index 7e91e0c1af0..4d544886696 100644
--- a/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json
+++ b/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json
@@ -11,7 +11,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "activation_begin",
@@ -43,7 +43,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "admin_activate_duo_push",
@@ -77,7 +77,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "activation_begin",
@@ -111,7 +111,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "activation_set_password",
@@ -155,7 +155,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "admin_self_activate",
@@ -200,7 +200,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "admin_update",
@@ -246,7 +246,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "user_update",
@@ -295,7 +295,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "user_update",
diff --git a/packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
index 01859a7fa5c..d71ba384b25 100644
--- a/packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing cisco_duo administrator logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/cisco_duo/data_stream/admin/sample_event.json b/packages/cisco_duo/data_stream/admin/sample_event.json
index 1c2c30364a7..267b5321a7e 100644
--- a/packages/cisco_duo/data_stream/admin/sample_event.json
+++ b/packages/cisco_duo/data_stream/admin/sample_event.json
@@ -21,7 +21,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
index c93d10d3b27..7b97a4f9480 100644
--- a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
+++ b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
@@ -40,7 +40,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -173,7 +173,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -304,7 +304,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -434,7 +434,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -562,7 +562,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -674,7 +674,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -795,7 +795,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -907,7 +907,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1020,7 +1020,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1133,7 +1133,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1246,7 +1246,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1359,7 +1359,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1472,7 +1472,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1581,7 +1581,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1686,7 +1686,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1791,7 +1791,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1886,7 +1886,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-empty.log-expected.json b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-empty.log-expected.json
index 5af64a83c8a..1dfa105c68f 100644
--- a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-empty.log-expected.json
+++ b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-empty.log-expected.json
@@ -2,7 +2,7 @@
"expected": [
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
index 8ada49cba17..24ccabe1541 100644
--- a/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing cisco_duo authentication logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/cisco_duo/data_stream/auth/sample_event.json b/packages/cisco_duo/data_stream/auth/sample_event.json
index a2cb929ae68..83a726ca97f 100644
--- a/packages/cisco_duo/data_stream/auth/sample_event.json
+++ b/packages/cisco_duo/data_stream/auth/sample_event.json
@@ -50,7 +50,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json b/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json
index a8f06810109..3b7db334064 100644
--- a/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json
+++ b/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json
@@ -17,7 +17,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "{\"action\": \"o2fa_user_provisioned\",\"description\": \"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\"isotimestamp\": \"2019-08-30T16:10:05+00:00\",\"object\": \"Acme Laptop Windows Logon\",\"timestamp\": 1567181405,\"username\": \"narroway\"}"
diff --git a/packages/cisco_duo/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml
index 847dafae4e3..e2dbad09c0c 100644
--- a/packages/cisco_duo/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_duo/data_stream/offline_enrollment/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing cisco_duo offline enrollment logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/cisco_duo/data_stream/offline_enrollment/sample_event.json b/packages/cisco_duo/data_stream/offline_enrollment/sample_event.json
index 3b374331274..9a7fbc72204 100644
--- a/packages/cisco_duo/data_stream/offline_enrollment/sample_event.json
+++ b/packages/cisco_duo/data_stream/offline_enrollment/sample_event.json
@@ -27,7 +27,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json b/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json
index 96e857f8bf3..f67c4f39f28 100644
--- a/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json
+++ b/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json
@@ -1,7 +1,7 @@
{
"expected": [
{
- "@timestamp": "2023-05-25T20:17:35.337427076Z",
+ "@timestamp": "2023-09-20T13:25:56.851210996Z",
"cisco_duo": {
"summary": {
"admin_count": 6,
@@ -11,7 +11,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "{\"response\":{\"admin_count\":6,\"integration_count\":5,\"telephony_credits_remaining\":473,\"user_count\":4},\"stat\":\"OK\"}"
@@ -21,7 +21,7 @@
]
},
{
- "@timestamp": "2023-05-25T20:17:35.337435532Z",
+ "@timestamp": "2023-09-20T13:25:56.851227178Z",
"cisco_duo": {
"summary": {
"admin_count": 3,
@@ -31,7 +31,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "{\"response\":{\"admin_count\":3,\"integration_count\":9,\"telephony_credits_remaining\":960,\"user_count\":8},\"stat\":\"OK\"}"
diff --git a/packages/cisco_duo/data_stream/summary/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/summary/elasticsearch/ingest_pipeline/default.yml
index b5de4495974..abe9789f8cd 100644
--- a/packages/cisco_duo/data_stream/summary/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_duo/data_stream/summary/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing cisco_duo summary logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: "@timestamp"
value: "{{{_ingest.timestamp}}}"
diff --git a/packages/cisco_duo/data_stream/summary/sample_event.json b/packages/cisco_duo/data_stream/summary/sample_event.json
index 40e24a40a99..b6133faf089 100644
--- a/packages/cisco_duo/data_stream/summary/sample_event.json
+++ b/packages/cisco_duo/data_stream/summary/sample_event.json
@@ -21,7 +21,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json b/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json
index 699270b7b88..dbd1f37ec9b 100644
--- a/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json
+++ b/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json
@@ -11,7 +11,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -32,7 +32,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -53,7 +53,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_duo/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
index 3ce81f74b77..0f0dc03b8ff 100644
--- a/packages/cisco_duo/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_duo/data_stream/telephony/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing cisco_duo telephony logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: event.kind
value: event
diff --git a/packages/cisco_duo/data_stream/telephony/sample_event.json b/packages/cisco_duo/data_stream/telephony/sample_event.json
index 7ae3bfc264b..abe52e166e2 100644
--- a/packages/cisco_duo/data_stream/telephony/sample_event.json
+++ b/packages/cisco_duo/data_stream/telephony/sample_event.json
@@ -21,7 +21,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
diff --git a/packages/cisco_duo/docs/README.md b/packages/cisco_duo/docs/README.md
index 24cbb148aea..cb3accf1511 100644
--- a/packages/cisco_duo/docs/README.md
+++ b/packages/cisco_duo/docs/README.md
@@ -54,7 +54,7 @@ An example event for `admin` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
@@ -121,9 +121,9 @@ An example event for `admin` looks as following:
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
@@ -223,7 +223,7 @@ An example event for `auth` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
@@ -377,9 +377,9 @@ An example event for `auth` looks as following:
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
@@ -473,7 +473,7 @@ An example event for `offline_enrollment` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
@@ -537,7 +537,7 @@ An example event for `offline_enrollment` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
@@ -597,7 +597,7 @@ An example event for `summary` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
@@ -648,7 +648,7 @@ An example event for `summary` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
@@ -704,7 +704,7 @@ An example event for `telephony` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
@@ -756,9 +756,9 @@ An example event for `telephony` looks as following:
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| host.architecture | Operating system architecture. | keyword |
diff --git a/packages/cisco_duo/kibana/tags.yml b/packages/cisco_duo/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_duo/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_duo/manifest.yml b/packages/cisco_duo/manifest.yml
index 6f7d0d689a7..feae2338366 100644
--- a/packages/cisco_duo/manifest.yml
+++ b/packages/cisco_duo/manifest.yml
@@ -1,14 +1,15 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: cisco_duo
title: Cisco Duo
-version: "1.14.0"
+version: "1.17.0"
description: Collect logs from Cisco Duo with Elastic Agent.
type: integration
categories:
- security
- iam
conditions:
- kibana.version: ^8.7.1
+ kibana:
+ version: ^8.7.1
screenshots:
- src: /img/cisco_duo-screenshot.png
title: Cisco Duo authentication log dashboard
@@ -60,3 +61,4 @@ policy_templates:
description: Collect Cisco Duo Administrator, Authentication, Offline Enrollment, Summary, and Telephony logs
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/cisco_ftd/_dev/build/build.yml b/packages/cisco_ftd/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_ftd/_dev/build/build.yml
+++ b/packages/cisco_ftd/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
index 870c39e38b2..55136922761 100644
--- a/packages/cisco_ftd/changelog.yml
+++ b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,34 @@
# newer versions go on top
+- version: "2.16.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "2.15.0"
+ changes:
+ - description: Update package-spec to 2.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7596
+- version: "2.14.1"
+ changes:
+ - description: Add missing geo field mappings
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7267
+- version: "2.14.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "2.13.2"
+ changes:
+ - description: Fix source.bytes and destination.bytes type
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6929
+- version: "2.13.1"
+ changes:
+ - description: Remove Invalid ID
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6669
- version: "2.13.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
index 0b821087be9..4dd57f4e30e 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
@@ -17,7 +17,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -103,7 +103,7 @@
"ip": "10.123.123.123"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -179,7 +179,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -250,7 +250,7 @@
"port": 57621
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -325,7 +325,7 @@
"ip": "10.123.123.123"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -385,7 +385,7 @@
"ip": "10.10.10.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-creation",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
index 868d07bdc07..834ab23ad27 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
@@ -14,7 +14,7 @@
"port": 8256
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -98,7 +98,7 @@
"port": 1772
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -178,7 +178,7 @@
"port": 1758
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -264,7 +264,7 @@
"port": 1757
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -350,7 +350,7 @@
"port": 1755
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -436,7 +436,7 @@
"port": 1754
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -522,7 +522,7 @@
"port": 1752
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -608,7 +608,7 @@
"port": 1749
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -694,7 +694,7 @@
"port": 1750
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -780,7 +780,7 @@
"port": 1747
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -866,7 +866,7 @@
"port": 1742
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -952,7 +952,7 @@
"port": 1741
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1038,7 +1038,7 @@
"port": 1739
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1124,7 +1124,7 @@
"port": 1740
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1210,7 +1210,7 @@
"port": 1738
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1296,7 +1296,7 @@
"port": 1756
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1382,7 +1382,7 @@
"port": 1737
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1468,7 +1468,7 @@
"port": 1736
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1554,7 +1554,7 @@
"port": 1765
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1639,7 +1639,7 @@
"port": 1188
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1723,7 +1723,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1803,7 +1803,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1892,7 +1892,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1972,7 +1972,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -2056,7 +2056,7 @@
"port": 8257
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2140,7 +2140,7 @@
"port": 1773
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2219,7 +2219,7 @@
"port": 8258
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2303,7 +2303,7 @@
"port": 1774
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2387,7 +2387,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2471,7 +2471,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2551,7 +2551,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -2636,7 +2636,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -2720,7 +2720,7 @@
"port": 8259
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2804,7 +2804,7 @@
"port": 1775
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2883,7 +2883,7 @@
"port": 1189
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2967,7 +2967,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3051,7 +3051,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3131,7 +3131,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3216,7 +3216,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3300,7 +3300,7 @@
"port": 8265
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3384,7 +3384,7 @@
"port": 1452
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3468,7 +3468,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3552,7 +3552,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3632,7 +3632,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3717,7 +3717,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3801,7 +3801,7 @@
"port": 8266
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3885,7 +3885,7 @@
"port": 1453
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3965,7 +3965,7 @@
"port": 1453
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -4055,7 +4055,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4135,7 +4135,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -4220,7 +4220,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -4304,7 +4304,7 @@
"port": 8267
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4388,7 +4388,7 @@
"port": 1454
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4467,7 +4467,7 @@
"port": 8268
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4551,7 +4551,7 @@
"port": 1455
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4630,7 +4630,7 @@
"port": 8269
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4714,7 +4714,7 @@
"port": 1456
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4798,7 +4798,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4878,7 +4878,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -4962,7 +4962,7 @@
"port": 8270
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5046,7 +5046,7 @@
"port": 1457
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5125,7 +5125,7 @@
"port": 8271
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5209,7 +5209,7 @@
"port": 1458
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5293,7 +5293,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5373,7 +5373,7 @@
"port": 1457
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -5458,7 +5458,7 @@
"port": 8272
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5542,7 +5542,7 @@
"port": 1459
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5622,7 +5622,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -5706,7 +5706,7 @@
"port": 8273
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5790,7 +5790,7 @@
"port": 1460
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5869,7 +5869,7 @@
"port": 8267
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -5952,7 +5952,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6036,7 +6036,7 @@
"port": 1385
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6115,7 +6115,7 @@
"port": 8268
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6198,7 +6198,7 @@
"port": 8269
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6281,7 +6281,7 @@
"port": 8270
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6364,7 +6364,7 @@
"port": 8271
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6447,7 +6447,7 @@
"port": 8272
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6530,7 +6530,7 @@
"port": 8273
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6614,7 +6614,7 @@
"port": 1382
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6700,7 +6700,7 @@
"port": 1385
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -6785,7 +6785,7 @@
"port": 8278
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6869,7 +6869,7 @@
"port": 1386
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -6949,7 +6949,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7031,7 +7031,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7113,7 +7113,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7195,7 +7195,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7277,7 +7277,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7359,7 +7359,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7441,7 +7441,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7523,7 +7523,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7605,7 +7605,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7687,7 +7687,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7769,7 +7769,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7851,7 +7851,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -7933,7 +7933,7 @@
"port": 8277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8014,7 +8014,7 @@
"port": 8279
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8098,7 +8098,7 @@
"port": 1275
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8177,7 +8177,7 @@
"port": 1190
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8261,7 +8261,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8341,7 +8341,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -8430,7 +8430,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8510,7 +8510,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -8594,7 +8594,7 @@
"port": 8280
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8678,7 +8678,7 @@
"port": 1276
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8757,7 +8757,7 @@
"port": 8281
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8841,7 +8841,7 @@
"port": 1277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -8921,7 +8921,7 @@
"port": 1276
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9006,7 +9006,7 @@
"port": 8282
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9090,7 +9090,7 @@
"port": 1278
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9170,7 +9170,7 @@
"port": 1277
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9255,7 +9255,7 @@
"port": 8283
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9339,7 +9339,7 @@
"port": 1279
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9419,7 +9419,7 @@
"port": 1278
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9505,7 +9505,7 @@
"port": 1279
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9590,7 +9590,7 @@
"port": 8284
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9674,7 +9674,7 @@
"port": 1280
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9754,7 +9754,7 @@
"port": 1280
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -9839,7 +9839,7 @@
"port": 8285
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -9923,7 +9923,7 @@
"port": 1281
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10002,7 +10002,7 @@
"port": 8286
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10086,7 +10086,7 @@
"port": 1282
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10165,7 +10165,7 @@
"port": 8287
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10249,7 +10249,7 @@
"port": 1283
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10328,7 +10328,7 @@
"port": 8288
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10412,7 +10412,7 @@
"port": 1284
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10492,7 +10492,7 @@
"port": 1281
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -10578,7 +10578,7 @@
"port": 1282
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -10664,7 +10664,7 @@
"port": 1283
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -10749,7 +10749,7 @@
"port": 8289
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10833,7 +10833,7 @@
"port": 1285
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10912,7 +10912,7 @@
"port": 8290
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -10996,7 +10996,7 @@
"port": 1286
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11076,7 +11076,7 @@
"port": 1284
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -11161,7 +11161,7 @@
"port": 8291
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11245,7 +11245,7 @@
"port": 1287
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11325,7 +11325,7 @@
"port": 1285
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -11411,7 +11411,7 @@
"port": 1286
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -11501,7 +11501,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11580,7 +11580,7 @@
"port": 8292
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11664,7 +11664,7 @@
"port": 1288
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11744,7 +11744,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -11833,7 +11833,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -11913,7 +11913,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -11997,7 +11997,7 @@
"port": 8293
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12081,7 +12081,7 @@
"port": 1289
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12161,7 +12161,7 @@
"port": 1288
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12247,7 +12247,7 @@
"port": 1287
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12337,7 +12337,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12417,7 +12417,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12501,7 +12501,7 @@
"port": 8294
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12585,7 +12585,7 @@
"port": 1290
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12665,7 +12665,7 @@
"port": 68
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12749,7 +12749,7 @@
"port": 8276
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -12837,7 +12837,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -12921,7 +12921,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13001,7 +13001,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13090,7 +13090,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13170,7 +13170,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13255,7 +13255,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13344,7 +13344,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13424,7 +13424,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13508,7 +13508,7 @@
"port": 8295
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13592,7 +13592,7 @@
"port": 1291
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13676,7 +13676,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13756,7 +13756,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -13840,7 +13840,7 @@
"port": 8296
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -13924,7 +13924,7 @@
"port": 1292
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14003,7 +14003,7 @@
"port": 8297
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14087,7 +14087,7 @@
"port": 1293
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14166,7 +14166,7 @@
"port": 8298
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14250,7 +14250,7 @@
"port": 1294
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14330,7 +14330,7 @@
"port": 1293
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -14415,7 +14415,7 @@
"port": 8299
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14499,7 +14499,7 @@
"port": 1295
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14578,7 +14578,7 @@
"port": 8300
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14662,7 +14662,7 @@
"port": 1296
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -14742,7 +14742,7 @@
"port": 1294
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -14828,7 +14828,7 @@
"port": 1295
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -14914,7 +14914,7 @@
"port": 1296
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -14999,7 +14999,7 @@
"port": 8301
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15083,7 +15083,7 @@
"port": 1297
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15162,7 +15162,7 @@
"port": 8302
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15246,7 +15246,7 @@
"port": 1298
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15330,7 +15330,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15410,7 +15410,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -15495,7 +15495,7 @@
"port": 1297
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -15580,7 +15580,7 @@
"port": 8303
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15664,7 +15664,7 @@
"port": 1299
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15743,7 +15743,7 @@
"port": 8304
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15827,7 +15827,7 @@
"port": 1300
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -15907,7 +15907,7 @@
"port": 1298
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -15993,7 +15993,7 @@
"port": 1300
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16078,7 +16078,7 @@
"port": 8305
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -16162,7 +16162,7 @@
"port": 1301
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -16241,7 +16241,7 @@
"port": 8306
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -16325,7 +16325,7 @@
"port": 1302
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -16404,7 +16404,7 @@
"port": 8280
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16487,7 +16487,7 @@
"port": 8281
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16570,7 +16570,7 @@
"port": 8282
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16653,7 +16653,7 @@
"port": 8283
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16736,7 +16736,7 @@
"port": 8284
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16819,7 +16819,7 @@
"port": 8285
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16902,7 +16902,7 @@
"port": 8286
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -16985,7 +16985,7 @@
"port": 8287
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17068,7 +17068,7 @@
"port": 8288
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17151,7 +17151,7 @@
"port": 8289
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17234,7 +17234,7 @@
"port": 8290
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17317,7 +17317,7 @@
"port": 8291
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17400,7 +17400,7 @@
"port": 8292
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17483,7 +17483,7 @@
"port": 8297
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17566,7 +17566,7 @@
"port": 8298
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17649,7 +17649,7 @@
"port": 8308
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -17733,7 +17733,7 @@
"port": 1304
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -17812,7 +17812,7 @@
"port": 8299
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17895,7 +17895,7 @@
"port": 8300
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -17983,7 +17983,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -18067,7 +18067,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -18147,7 +18147,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18232,7 +18232,7 @@
"port": 56132
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18316,7 +18316,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -18400,7 +18400,7 @@
"port": 1305
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -18479,7 +18479,7 @@
"port": 8301
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18562,7 +18562,7 @@
"port": 8302
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18645,7 +18645,7 @@
"port": 8303
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18728,7 +18728,7 @@
"port": 8304
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18811,7 +18811,7 @@
"port": 8305
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18894,7 +18894,7 @@
"port": 8306
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -18977,7 +18977,7 @@
"port": 8307
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -19061,7 +19061,7 @@
"port": 1305
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -19147,7 +19147,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19229,7 +19229,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19311,7 +19311,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19392,7 +19392,7 @@
"port": 8310
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19476,7 +19476,7 @@
"port": 1306
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19556,7 +19556,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19638,7 +19638,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19720,7 +19720,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19802,7 +19802,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19884,7 +19884,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -19966,7 +19966,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20048,7 +20048,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20130,7 +20130,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20212,7 +20212,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20294,7 +20294,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20376,7 +20376,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20458,7 +20458,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20540,7 +20540,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20622,7 +20622,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20704,7 +20704,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20786,7 +20786,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20868,7 +20868,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -20950,7 +20950,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21032,7 +21032,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21114,7 +21114,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21196,7 +21196,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21278,7 +21278,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21360,7 +21360,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21442,7 +21442,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21524,7 +21524,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21606,7 +21606,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21688,7 +21688,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21770,7 +21770,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21852,7 +21852,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -21934,7 +21934,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -22016,7 +22016,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -22098,7 +22098,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -22180,7 +22180,7 @@
"port": 8309
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
index fd8c6c33ac5..43b73477b57 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
@@ -68,7 +68,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -214,7 +214,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -358,7 +358,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -505,7 +505,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -650,7 +650,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -794,7 +794,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -941,7 +941,7 @@
"response_code": "NXDOMAIN"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1085,7 +1085,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1230,7 +1230,7 @@
"response_code": "SERVFAIL"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1376,7 +1376,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1520,7 +1520,7 @@
"response_code": "REFUSED"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1656,7 +1656,7 @@
"response_code": "SERVFAIL"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1802,7 +1802,7 @@
"response_code": "NXDOMAIN"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1947,7 +1947,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2093,7 +2093,7 @@
"response_code": "NXDOMAIN"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2239,7 +2239,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2383,7 +2383,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2527,7 +2527,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2671,7 +2671,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2811,7 +2811,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2957,7 +2957,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
index bcafb746450..765608ea4ce 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2019-01-01T01:00:27.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -47,7 +47,7 @@
{
"@timestamp": "2019-01-01T01:00:30.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json
index 710beea7d8c..1df47f91eed 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json
@@ -3,7 +3,7 @@
{
"@timestamp": "2019-08-14T13:56:30.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00",
@@ -40,7 +40,7 @@
{
"@timestamp": "2019-08-14T13:57:19.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:57:19 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00",
@@ -77,7 +77,7 @@
{
"@timestamp": "2019-08-14T13:57:26.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:57:26 ChangeReconciliation.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00",
@@ -114,7 +114,7 @@
{
"@timestamp": "2019-08-14T13:57:34.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:57:34 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00",
@@ -151,7 +151,7 @@
{
"@timestamp": "2019-08-14T13:57:43.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:57:43 lights_out_mgmt.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00",
@@ -188,7 +188,7 @@
{
"@timestamp": "2019-08-14T13:58:02.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00",
@@ -225,7 +225,7 @@
{
"@timestamp": "2019-08-14T13:58:02.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00",
@@ -262,7 +262,7 @@
{
"@timestamp": "2019-08-14T13:58:20.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:58:20 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00",
@@ -299,7 +299,7 @@
{
"@timestamp": "2019-08-14T13:58:41.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:58:41 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00",
@@ -336,7 +336,7 @@
{
"@timestamp": "2019-08-14T13:58:47.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:58:47 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00",
@@ -373,7 +373,7 @@
{
"@timestamp": "2019-08-14T13:58:52.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:58:52 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00",
@@ -410,7 +410,7 @@
{
"@timestamp": "2019-08-14T13:58:54.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:58:54 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00",
@@ -447,7 +447,7 @@
{
"@timestamp": "2019-08-14T13:59:10.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:59:10 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00",
@@ -484,7 +484,7 @@
{
"@timestamp": "2019-08-14T13:59:15.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 13:59:15 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00",
@@ -521,7 +521,7 @@
{
"@timestamp": "2019-08-14T14:00:37.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00",
@@ -558,7 +558,7 @@
{
"@timestamp": "2019-08-14T14:00:37.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00",
@@ -595,7 +595,7 @@
{
"@timestamp": "2019-08-14T14:00:37.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00",
@@ -632,7 +632,7 @@
{
"@timestamp": "2019-08-14T14:01:12.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00",
@@ -669,7 +669,7 @@
{
"@timestamp": "2019-08-14T14:01:12.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00",
@@ -706,7 +706,7 @@
{
"@timestamp": "2019-08-14T14:01:13.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:13 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00",
@@ -743,7 +743,7 @@
{
"@timestamp": "2019-08-14T14:01:20.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:20 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00",
@@ -780,7 +780,7 @@
{
"@timestamp": "2019-08-14T14:01:31.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00",
@@ -817,7 +817,7 @@
{
"@timestamp": "2019-08-14T14:01:31.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00",
@@ -854,7 +854,7 @@
{
"@timestamp": "2019-08-14T14:01:35.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00",
@@ -891,7 +891,7 @@
{
"@timestamp": "2019-08-14T14:01:36.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:36 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00",
@@ -928,7 +928,7 @@
{
"@timestamp": "2019-08-14T14:01:55.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:55 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00",
@@ -965,7 +965,7 @@
{
"@timestamp": "2019-08-14T14:01:56.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:56 sfdccsm: siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00",
@@ -1002,7 +1002,7 @@
{
"@timestamp": "2019-08-14T14:01:57.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:01:57 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00",
@@ -1039,7 +1039,7 @@
{
"@timestamp": "2019-08-14T14:02:03.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:02:03 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00",
@@ -1076,7 +1076,7 @@
{
"@timestamp": "2019-08-14T14:02:11.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:02:11 index.cgi: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00",
@@ -1113,7 +1113,7 @@
{
"@timestamp": "2019-08-14T14:02:19.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00",
@@ -1150,7 +1150,7 @@
{
"@timestamp": "2019-08-14T14:02:31.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00",
@@ -1187,7 +1187,7 @@
{
"@timestamp": "2019-08-14T14:02:38.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00",
@@ -1223,7 +1223,7 @@
},
{
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-endpoint-profile.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-endpoint-profile.log-expected.json
index 3e196868b16..691a36567e1 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-endpoint-profile.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-endpoint-profile.log-expected.json
@@ -47,7 +47,7 @@
"manufacturer": "Microsoft"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -173,7 +173,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -299,7 +299,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -425,7 +425,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -551,7 +551,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -677,7 +677,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -806,7 +806,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -935,7 +935,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1064,7 +1064,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1193,7 +1193,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1322,7 +1322,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1451,7 +1451,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1574,7 +1574,7 @@
"manufacturer": "Konica"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1697,7 +1697,7 @@
"manufacturer": "Android"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1817,7 +1817,7 @@
"manufacturer": "Android"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1940,7 +1940,7 @@
"manufacturer": "Android"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2063,7 +2063,7 @@
"manufacturer": "Android"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2186,7 +2186,7 @@
"manufacturer": "Android"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2312,7 +2312,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2438,7 +2438,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2564,7 +2564,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2693,7 +2693,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2819,7 +2819,7 @@
"manufacturer": "Apple"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -2939,7 +2939,7 @@
"manufacturer": "Apple"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -3062,7 +3062,7 @@
"manufacturer": "Apple"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -3185,7 +3185,7 @@
"manufacturer": "Apple"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -3311,7 +3311,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -3437,7 +3437,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -3560,7 +3560,7 @@
"manufacturer": "Cisco"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -3683,7 +3683,7 @@
"manufacturer": "Cisco"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -3806,7 +3806,7 @@
"manufacturer": "Cisco"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -3932,7 +3932,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -4055,7 +4055,7 @@
"manufacturer": "Google"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -4178,7 +4178,7 @@
"manufacturer": "RaspberryPi"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -4298,7 +4298,7 @@
"manufacturer": "Intel"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -4418,7 +4418,7 @@
"manufacturer": "HP"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -4535,7 +4535,7 @@
"port": 631
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -4655,7 +4655,7 @@
"manufacturer": "Nortel"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -4775,7 +4775,7 @@
"manufacturer": "Dell"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -4895,7 +4895,7 @@
"manufacturer": "ChromeBook"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -5021,7 +5021,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -5144,7 +5144,7 @@
"manufacturer": "American Power Conversion"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -5264,7 +5264,7 @@
"manufacturer": "Microsoft"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -5390,7 +5390,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -5513,7 +5513,7 @@
"manufacturer": "RICOH"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -5632,11 +5632,8 @@
"packets": 0,
"port": 631
},
- "device": {
- "manufacturer": "Invalid ID"
- },
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
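Review bot: The removed `"device": {"manufacturer": "Invalid ID"}` object in the `@@ -5632,11 +5632,8 @@` hunk is a change in pipeline output, not just the ECS `8.8.0` → `8.9.0` bump every other hunk in these fixtures makes, and the pipeline change that produces it is not in view here. Because this is a generated expected-output file, the dropped field is easy to overlook; it would help to name the pipeline processor responsible and add a changelog line stating that the `Invalid ID` sentinel is no longer surfaced as `device.manufacturer`, so analysts do not assume the field was lost by accident. Presumably the filter is meant to match only that exact sentinel string; worth confirming it cannot also suppress genuine manufacturer values. The `event.original` field (outside this hunk) should still carry the raw line so the dropped value remains recoverable for forensics.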
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json
index 1e937a90c9d..d3c1e2e8305 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json
@@ -12,7 +12,7 @@
"ip": "192.168.0.38"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "created",
@@ -81,7 +81,7 @@
"ip": "192.168.0.139"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deleted",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json
index 86c6d63e037..49e13c48f38 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json
@@ -37,7 +37,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -168,7 +168,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -267,7 +267,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -384,7 +384,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json
index abc325770c9..59cf13b3bd8 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json
@@ -41,7 +41,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "intrusion-detected",
@@ -154,7 +154,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "intrusion-detected",
@@ -265,7 +265,7 @@
"port": 39114
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "intrusion-detected",
@@ -374,7 +374,7 @@
"port": 40740
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "intrusion-detected",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
index 0f8134b2e4b..f701ef7a646 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json
@@ -18,7 +18,7 @@
"ip": "10.8.12.47"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "intrusion-detected",
@@ -83,7 +83,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "intrusion-detected",
@@ -141,7 +141,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-started",
@@ -212,7 +212,7 @@
"port": 64311
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "malware-detected",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
index 1a0d4e8040f..7dcfca5746e 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json
@@ -27,7 +27,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -105,7 +105,7 @@
"ip": "172.24.177.29"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -178,7 +178,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
index 18ea65b40fa..5da604ecf7a 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
@@ -15,7 +15,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -86,7 +86,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -158,7 +158,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -228,7 +228,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -306,7 +306,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -383,7 +383,7 @@
"port": 12834
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -459,7 +459,7 @@
"port": 4952
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -527,7 +527,7 @@
"port": 25882
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -603,7 +603,7 @@
"port": 52925
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -675,7 +675,7 @@
"port": 45392
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -752,7 +752,7 @@
"port": 4953
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -822,7 +822,7 @@
"port": 52925
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -901,7 +901,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -982,7 +982,7 @@
"ip": "172.24.177.29"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -1047,7 +1047,7 @@
"port": 10879
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1124,7 +1124,7 @@
"port": 4954
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1187,7 +1187,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1249,7 +1249,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1320,7 +1320,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1391,7 +1391,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1462,7 +1462,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1533,7 +1533,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1604,7 +1604,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1675,7 +1675,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1746,7 +1746,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1817,7 +1817,7 @@
"port": 25
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1888,7 +1888,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -1957,7 +1957,7 @@
"port": 137
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2016,7 +2016,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2078,7 +2078,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2149,7 +2149,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2220,7 +2220,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2291,7 +2291,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2362,7 +2362,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2433,7 +2433,7 @@
"port": 8111
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2504,7 +2504,7 @@
"port": 8111
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2575,7 +2575,7 @@
"port": 40443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2646,7 +2646,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2718,7 +2718,7 @@
"port": 2000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2792,7 +2792,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2868,7 +2868,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -2946,7 +2946,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3028,7 +3028,7 @@
"port": 5678
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3107,7 +3107,7 @@
"port": 5678
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3182,7 +3182,7 @@
"port": 5678
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3264,7 +3264,7 @@
"port": 5678
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3346,7 +3346,7 @@
"port": 5678
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3426,7 +3426,7 @@
"port": 5679
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3497,7 +3497,7 @@
"port": 5679
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3570,7 +3570,7 @@
"port": 5000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3652,7 +3652,7 @@
"port": 65000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3732,7 +3732,7 @@
"port": 65000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -3808,7 +3808,7 @@
"port": 1235
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3890,7 +3890,7 @@
"port": 500
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "flow-expiration",
@@ -3961,7 +3961,7 @@
"ip": "192.168.99.47"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4025,7 +4025,7 @@
"ip": "192.168.99.57"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4089,7 +4089,7 @@
"ip": "192.168.99.47"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4153,7 +4153,7 @@
"ip": "192.168.99.47"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4217,7 +4217,7 @@
"ip": "192.168.99.57"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4281,7 +4281,7 @@
"ip": "192.168.99.57"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4345,7 +4345,7 @@
"ip": "192.168.1.255"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4409,7 +4409,7 @@
"ip": "192.168.1.255"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4476,7 +4476,7 @@
"port": 25
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4549,7 +4549,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4617,7 +4617,7 @@
"ip": "172.16.1.10"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4687,7 +4687,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4778,7 +4778,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4863,7 +4863,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4930,7 +4930,7 @@
"ip": "192.168.2.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -4981,7 +4981,7 @@
"ip": "192.168.2.32"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5038,7 +5038,7 @@
"ip": "192.168.0.19"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5125,7 +5125,7 @@
"port": 1433
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "firewall-rule",
@@ -5191,7 +5191,7 @@
"ip": "192.168.0.8"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -5245,7 +5245,7 @@
{
"@timestamp": "2023-03-03T08:50:32.000Z",
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logged-in",
@@ -5301,7 +5301,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logon-failed",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log
index 312450d2381..c78948cac2f 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log
@@ -12,3 +12,4 @@ Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, Ac
2023-03-27T08:54:54Z %FTD-1-430003: EventPriority: Low, DeviceUUID: 5c120000-ca5e-11e7-ab3c-ad268d8b0000, InstanceID: 5, FirstPacketSecond: 2023-03-27T08:54:54Z, ConnectionID: 56696, AccessControlRuleAction: Block with reset, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 50815, DstPort: 7680, Protocol: tcp, IngressInterface: Inside, EgressInterface: Outside, IngressZone: Inside, EgressZone: Outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: ProductionPolicy, AccessControlRuleName: BlockReset-Policy, Prefilter Policy: Default Prefilter Policy, User: Not Found, Client: Windows Update client, ApplicationProtocol: Windows Update, ConnectionDuration: 0, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 261, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity
2023-03-27T08:55:09Z %FTD-1-430003: EventPriority: Low, DeviceUUID: 5c120000-ca5e-11e7-ab3c-ad268d8b0000, InstanceID: 1, FirstPacketSecond: 2023-03-27T08:54:39Z, ConnectionID: 57475, AccessControlRuleAction: Trust, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 44998, DstPort: 8193, Protocol: tcp, IngressInterface: Outside, EgressInterface: Inside, IngressZone: Outside, EgressZone: Inside, IngressVRF: Global, EgressVRF: Global, ACPolicy: ProductionPolicy, AccessControlRuleName: Exposed-Server1, Prefilter Policy: Default Prefilter Policy, User: PassiveAuth\user2, ConnectionDuration: 30, InitiatorPackets: 4, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
2023-03-27T12:26:00Z : %FTD-1-430001: DeviceUUID: 00009fd0-de50-11ea-b566-e4821b710000, InstanceID: 8, FirstPacketSecond: 2023-03-27T12:26:00Z, ConnectionID: 1309, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 54967, DstPort: 80, Protocol: tcp, IngressInterface: Inside, EgressInterface: Outside, IngressZone: Inside, EgressZone: Outside, Priority: 3, GID: 119, SID: 6, Revision: 3, Message: (http_inspect) URI has two-byte or three-byte UTF-8 encoding, Classification: Not Suspicious Traffic, User: Not Found, IntrusionPolicy: Inline IPS Policy, ACPolicy: FTD-ACP, AccessControlRuleName: PassRule, NAPPolicy: Balanced Security and Connectivity, InlineResult: Pass, IngressVRF: Global, EgressVRF: Global
+2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 3000000000, ResponderBytes: 3000000000, NAPPolicy: Balanced Security and Connectivity
\ No newline at end of file
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
index 2ca27b02a47..3c6a780a6a9 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json
@@ -42,7 +42,7 @@
"packets": 0
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-started",
@@ -157,7 +157,7 @@
"packets": 1
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -299,7 +299,7 @@
"response_code": "NOERROR"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-started",
@@ -439,7 +439,7 @@
"response_code": "NXDOMAIN"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -568,7 +568,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-started",
@@ -701,7 +701,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -848,7 +848,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-started",
@@ -980,7 +980,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1111,7 +1111,7 @@
"packets": 0
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-started",
@@ -1232,7 +1232,7 @@
"port": 8000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1377,7 +1377,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1498,7 +1498,7 @@
"port": 7680
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1610,7 +1610,7 @@
"port": 8193
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
@@ -1727,7 +1727,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "intrusion-detected",
@@ -1793,6 +1793,130 @@
"tags": [
"preserve_original_event"
]
+ },
+ {
+ "@timestamp": "2019-08-16T09:33:15.000Z",
+ "cisco": {
+ "ftd": {
+ "destination_interface": "outside",
+ "rule_name": [
+ "default",
+ "Rule-1"
+ ],
+ "security": {
+ "ac_policy": "default",
+ "access_control_rule_action": "Allow",
+ "access_control_rule_name": "Rule-1",
+ "dst_ip": "81.2.69.144",
+ "dst_port": "80",
+ "egress_interface": "outside",
+ "egress_zone": "output-zone",
+ "ingress_interface": "inside",
+ "ingress_zone": "input-zone",
+ "initiator_bytes": "3000000000",
+ "initiator_packets": "2",
+ "nap_policy": "Balanced Security and Connectivity",
+ "prefilter_policy": "Default Prefilter Policy",
+ "protocol": "tcp",
+ "responder_bytes": "3000000000",
+ "responder_packets": "1",
+ "src_ip": "10.0.1.20",
+ "src_port": "46000",
+ "user": "No Authentication Required"
+ },
+ "source_interface": "inside"
+ }
+ },
+ "destination": {
+ "address": "81.2.69.144",
+ "bytes": 3000000000,
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "packets": 1,
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "connection-started",
+ "category": [
+ "network"
+ ],
+ "code": "430002",
+ "kind": "event",
+ "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 3000000000, ResponderBytes: 3000000000, NAPPolicy: Balanced Security and Connectivity",
+ "outcome": "success",
+ "severity": 1,
+ "timezone": "UTC",
+ "type": [
+ "connection",
+ "start",
+ "allowed"
+ ]
+ },
+ "host": {
+ "hostname": "firepower"
+ },
+ "log": {
+ "level": "alert"
+ },
+ "network": {
+ "bytes": 6000000000,
+ "community_id": "1:Xumx4bGQqJmLtaW2LNJT/b/cOm8=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ },
+ "hostname": "firepower",
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "product": "ftd",
+ "type": "idps",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "hosts": [
+ "firepower"
+ ],
+ "ip": [
+ "10.0.1.20",
+ "81.2.69.144"
+ ]
+ },
+ "rule": {
+ "name": "Rule-1",
+ "ruleset": "default"
+ },
+ "source": {
+ "address": "10.0.1.20",
+ "bytes": 3000000000,
+ "ip": "10.0.1.20",
+ "packets": 2,
+ "port": 46000
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
index 0118ec6df4c..34bdb1c1b29 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json
@@ -31,7 +31,7 @@
"port": 8000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "file-detected",
@@ -130,7 +130,7 @@
"port": 8000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "file-detected",
@@ -229,7 +229,7 @@
"port": 8000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "file-detected",
@@ -328,7 +328,7 @@
"port": 8000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "file-detected",
@@ -431,7 +431,7 @@
"port": 8000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "file-detected",
@@ -541,7 +541,7 @@
"port": 8000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "file-detected",
@@ -655,7 +655,7 @@
"port": 8000
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "malware-detected",
@@ -780,7 +780,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "malware-detected",
@@ -893,7 +893,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "malware-detected",
@@ -1018,7 +1018,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "malware-detected",
@@ -1146,7 +1146,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "malware-detected",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json
index f8507b7a02e..427f2be4397 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json
@@ -64,7 +64,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "connection-finished",
diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 59eedc7a026..ac2989053df 100644
--- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -7,7 +7,7 @@ processors:
ignore_missing: true
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
#
# Parse the syslog header
#
@@ -1463,20 +1463,20 @@ processors:
value: "{{{event.duration}}}"
ignore_empty_value: true
#
- # Ensure source.bytes is integer
+ # Ensure source.bytes is long
#
- convert:
if: "ctx.source?.bytes != null"
field: "source.bytes"
- type: "integer"
+ type: "long"
#
- # Ensure destination.bytes is integer
+ # Ensure destination.bytes is long
#
- convert:
if: "ctx.destination?.bytes != null"
field: "destination.bytes"
- type: "integer"
+ type: "long"
#
# Sum source.bytes and destination.bytes in network.bytes
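Review bot: Widening the two `convert` processors from `integer` to `long` is the right fix (ECS maps `source.bytes`/`destination.bytes` as `long`, and the new fixture value `3000000000` is above the int32 maximum), but both processors still have no `ignore_failure` or `on_failure`, so a non-numeric byte count in an FTD message aborts the whole pipeline run for that event rather than just leaving the field unset. Whether that is acceptable depends on the pipeline's top-level `on_failure` handler, which is outside this hunk; if the intent is to keep the event and only drop the bad field, add `ignore_failure: true` under each `convert`, or keep the current behaviour and note it in the comment, e.g. `# Ensure source.bytes is long (values > 2^31-1 are seen in the wild; a non-numeric value fails the pipeline)`.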
@@ -1484,7 +1484,7 @@ processors:
- script:
lang: painless
source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
- if: ctx.source?.bytes != null && ctx.destination?.bytes != null && ctx.network != null && ctx.network.bytes == null
+ if: ctx.source?.bytes != null && ctx.destination?.bytes != null && ctx.network?.bytes == null
#
# Process the flow duration "hh:mm:ss" present in some messages
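Review bot: The new condition `ctx.network?.bytes == null` is also true when `network` is absent, and in that case the unchanged script body `ctx.network.bytes = ...` assigns through a null map and throws, which the old `ctx.network != null` guard prevented. Whether `network` is always populated before this processor cannot be seen from this hunk, so either restore the guard or make the script create the object: `source: "if (ctx.network == null) { ctx.network = new HashMap(); } ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"`. With both operands now converted to `long` in the preceding processors the sum itself no longer overflows, which the new fixture with two `3000000000` values exercises.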
@@ -2037,7 +2037,7 @@ processors:
# Define ECS Host and Device fields from Cisco ISE pxGrid Endpoint Profile data
- remove:
field: _temp_.host.type
- if: "ctx._temp_?.host?.type != null && ctx.host?.type == 'Invalid ID'"
+ if: "ctx._temp_?.host?.type != null && ctx._temp_.host.type == 'Invalid ID'"
- gsub:
field: _temp_.host.type
pattern: "Device"
diff --git a/packages/cisco_ftd/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/data_stream/log/fields/ecs.yml
index cb2124eec53..7fe033fbe11 100644
--- a/packages/cisco_ftd/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_ftd/data_stream/log/fields/ecs.yml
@@ -14,6 +14,8 @@
name: destination.domain
- external: ecs
name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.continent_code
- external: ecs
name: destination.geo.continent_name
- external: ecs
@@ -22,10 +24,16 @@
name: destination.geo.country_name
- external: ecs
name: destination.geo.location
+- external: ecs
+ name: destination.geo.name
+- external: ecs
+ name: destination.geo.postal_code
- external: ecs
name: destination.geo.region_iso_code
- external: ecs
name: destination.geo.region_name
+- external: ecs
+ name: destination.geo.timezone
- external: ecs
name: destination.ip
- external: ecs
@@ -102,10 +110,6 @@
name: http.request.referrer
- external: ecs
name: http.response.status_code
-- external: ecs
- name: host.type
-- external: ecs
- name: host.os.name
- external: ecs
name: host.os.full
- external: ecs
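Review bot: Dropping the `external: ecs` declarations for `host.type` and `host.os.name` leaves those fields without a mapping unless another fields file in this data stream declares them; the pipeline in this same change still derives `host.type` from `_temp_.host.type`, so the field is populated at runtime. The README diff further down lists `host.os.name.text` as `text` instead of `match_only_text`, which suggests the definitions were moved to a local fields file rather than removed, but that file is not in this hunk. Confirm the local declarations exist, otherwise `host.type` would be dynamically mapped and could diverge from the `keyword` type the rest of the package assumes.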
@@ -150,6 +154,28 @@
name: observer.egress.interface.name
- external: ecs
name: observer.egress.zone
+- external: ecs
+ name: observer.geo.city_name
+- external: ecs
+ name: observer.geo.continent_code
+- external: ecs
+ name: observer.geo.continent_name
+- external: ecs
+ name: observer.geo.country_iso_code
+- external: ecs
+ name: observer.geo.country_name
+- external: ecs
+ name: observer.geo.location
+- external: ecs
+ name: observer.geo.name
+- external: ecs
+ name: observer.geo.postal_code
+- external: ecs
+ name: observer.geo.region_iso_code
+- external: ecs
+ name: observer.geo.region_name
+- external: ecs
+ name: observer.geo.timezone
- external: ecs
name: observer.hostname
- external: ecs
@@ -202,6 +228,8 @@
name: source.domain
- external: ecs
name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_code
- external: ecs
name: source.geo.continent_name
- external: ecs
@@ -210,10 +238,16 @@
name: source.geo.country_name
- external: ecs
name: source.geo.location
+- external: ecs
+ name: source.geo.name
+- external: ecs
+ name: source.geo.postal_code
- external: ecs
name: source.geo.region_iso_code
- external: ecs
name: source.geo.region_name
+- external: ecs
+ name: source.geo.timezone
- external: ecs
name: source.ip
- external: ecs
diff --git a/packages/cisco_ftd/data_stream/log/sample_event.json b/packages/cisco_ftd/data_stream/log/sample_event.json
index c65a2c63e79..1c2aa103e79 100644
--- a/packages/cisco_ftd/data_stream/log/sample_event.json
+++ b/packages/cisco_ftd/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2019-08-16T09:39:03.000Z",
"agent": {
- "ephemeral_id": "1aa46b02-06eb-46e3-a2ab-b19097155335",
- "id": "edaff8cc-3bee-4424-9e62-8372293e3aac",
+ "ephemeral_id": "26eb6818-fd18-4fc7-aa90-b1b53cefb42c",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.0.0"
+ "version": "8.9.1"
},
"cisco": {
"ftd": {
@@ -60,12 +60,12 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "edaff8cc-3bee-4424-9e62-8372293e3aac",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"snapshot": false,
- "version": "8.0.0"
+ "version": "8.9.1"
},
"event": {
"action": "malware-detected",
@@ -76,7 +76,7 @@
],
"code": "430005",
"dataset": "cisco_ftd.log",
- "ingested": "2023-06-01T10:53:44Z",
+ "ingested": "2023-08-29T16:38:11Z",
"kind": "event",
"original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
"severity": 1,
@@ -102,7 +102,7 @@
"log": {
"level": "alert",
"source": {
- "address": "192.168.176.4:45358"
+ "address": "172.21.0.4:45378"
}
},
"network": {
diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md
index 61780f8d236..e9ffe4ae536 100644
--- a/packages/cisco_ftd/docs/README.md
+++ b/packages/cisco_ftd/docs/README.md
@@ -22,11 +22,11 @@ An example event for `log` looks as following:
{
"@timestamp": "2019-08-16T09:39:03.000Z",
"agent": {
- "ephemeral_id": "1aa46b02-06eb-46e3-a2ab-b19097155335",
- "id": "edaff8cc-3bee-4424-9e62-8372293e3aac",
+ "ephemeral_id": "26eb6818-fd18-4fc7-aa90-b1b53cefb42c",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.0.0"
+ "version": "8.9.1"
},
"cisco": {
"ftd": {
@@ -81,12 +81,12 @@ An example event for `log` looks as following:
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "edaff8cc-3bee-4424-9e62-8372293e3aac",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"snapshot": false,
- "version": "8.0.0"
+ "version": "8.9.1"
},
"event": {
"action": "malware-detected",
@@ -97,7 +97,7 @@ An example event for `log` looks as following:
],
"code": "430005",
"dataset": "cisco_ftd.log",
- "ingested": "2023-06-01T10:53:44Z",
+ "ingested": "2023-08-29T16:38:11Z",
"kind": "event",
"original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
"severity": 1,
@@ -123,7 +123,7 @@ An example event for `log` looks as following:
"log": {
"level": "alert",
"source": {
- "address": "192.168.176.4:45358"
+ "address": "172.21.0.4:45378"
}
},
"network": {
@@ -248,12 +248,16 @@ An example event for `log` looks as following:
| destination.bytes | Bytes sent from the destination to the source. | long |
| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
| destination.geo.continent_name | Name of the continent. | keyword |
| destination.geo.country_iso_code | Country ISO code. | keyword |
| destination.geo.country_name | Country name. | keyword |
| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
| destination.geo.region_iso_code | Region ISO code. | keyword |
| destination.geo.region_name | Region name. | keyword |
+| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
@@ -274,19 +278,19 @@ An example event for `log` looks as following:
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| file.hash.sha256 | SHA256 hash. | keyword |
@@ -309,7 +313,7 @@ An example event for `log` looks as following:
| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
| host.os.kernel | Operating system kernel version as a raw string. | keyword |
| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
| host.os.version | Operating system version as a raw string. | keyword |
@@ -339,6 +343,17 @@ An example event for `log` looks as following:
| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
| observer.egress.interface.name | Interface name as reported by the system. | keyword |
| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
+| observer.geo.city_name | City name. | keyword |
+| observer.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| observer.geo.continent_name | Name of the continent. | keyword |
+| observer.geo.country_iso_code | Country ISO code. | keyword |
+| observer.geo.country_name | Country name. | keyword |
+| observer.geo.location | Longitude and latitude. | geo_point |
+| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| observer.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| observer.geo.region_iso_code | Region ISO code. | keyword |
+| observer.geo.region_name | Region name. | keyword |
+| observer.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| observer.hostname | Hostname of the observer. | keyword |
| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
@@ -373,12 +388,16 @@ An example event for `log` looks as following:
| source.bytes | Bytes sent from the source to the destination. | long |
| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
| source.geo.city_name | City name. | keyword |
+| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
| source.geo.continent_name | Name of the continent. | keyword |
| source.geo.country_iso_code | Country ISO code. | keyword |
| source.geo.country_name | Country name. | keyword |
| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
| source.geo.region_iso_code | Region ISO code. | keyword |
| source.geo.region_name | Region name. | keyword |
+| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| source.ip | IP address of the source (IPv4 or IPv6). | ip |
| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
diff --git a/packages/cisco_ftd/kibana/tags.yml b/packages/cisco_ftd/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_ftd/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
index 04773befa48..ec1942b9047 100644
--- a/packages/cisco_ftd/manifest.yml
+++ b/packages/cisco_ftd/manifest.yml
@@ -1,15 +1,13 @@
-format_version: 1.0.0
+format_version: 2.11.0
name: cisco_ftd
title: Cisco FTD
-version: "2.13.0"
-license: basic
+version: "2.16.0"
description: Collect logs from Cisco FTD with Elastic Agent.
type: integration
categories:
- network
- security
- firewall_security
-release: ga
conditions:
kibana.version: "^7.16.0 || ^8.0.0"
icons:
diff --git a/packages/cisco_ios/_dev/build/build.yml b/packages/cisco_ios/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_ios/_dev/build/build.yml
+++ b/packages/cisco_ios/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_ios/changelog.yml b/packages/cisco_ios/changelog.yml
index 16a470a557f..c55f3c4b54b 100644
--- a/packages/cisco_ios/changelog.yml
+++ b/packages/cisco_ios/changelog.yml
@@ -1,4 +1,39 @@
# newer versions go on top
+- version: 1.21.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.20.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.19.0"
+ changes:
+ - description: Support ingesting IOSXE-*-PLATFORM messages.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7688
+- version: "1.18.0"
+ changes:
+ - description: Support ingesting NTP log messages.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7466
+- version: "1.17.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.16.2"
+ changes:
+ - description: Fix parsing error when message_count is missing
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6919
+- version: "1.16.1"
+ changes:
+ - description: Fix grok to be aware of fman_fp_image
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6930
- version: "1.16.0"
changes:
- description: Adding Timezone Map advanced configuration option
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json
index aa4abad53f9..776d285a401 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json
@@ -14,7 +14,7 @@
"port": 22
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -80,7 +80,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -146,7 +146,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -207,7 +207,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -250,7 +250,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -292,7 +292,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -340,7 +340,7 @@
"port": 0
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -418,7 +418,7 @@
"ip": "224.0.0.18"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -496,7 +496,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log
index 17ba60830b8..c69a2050754 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log
@@ -16,4 +16,11 @@ Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: U
Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3
Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3
Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0
-Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19
\ No newline at end of file
+Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19
+Jul 11 09:34:00 my-router-hostname 1663312: Jul 11 09:34:00.020: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 permitted tcp 172.16.0.26(59144) -> 10.100.8.34(1103), 1 packet
+Jul 11 09:31:03 my-router-hostname 1663410: Jul 11 09:31:03.762: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list 110 denied tcp 10.100.8.34(59120) -> 172.16.0.26(7774), 1 packet
+Jul 11 09:34:00 my-router-hostname 1663469: Jul 11 09:34:00.334: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 permitted udp 172.16.0.26(1985) -> 10.100.8.34(1985), 327 packets
+Jul 11 09:34:00 my-router-hostname 1663511: Jul 11 09:34:00.209: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 denied udp 10.100.8.34(1985) -> 172.16.0.26(1985), 342 packets
+Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:34:58.206: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list ACL denied udp 10.10.10.10(52361) -> 10.100.8.34(10001), 1 packet
+Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:34:58.206: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list ACL_TEST permitted icmp 172.16.0.26 -> 10.100.8.34 (8/0), 2 packets
+Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:35:28.207: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list ACL_TEST permitted icmp 10.100.8.34 -> 172.16.0.26 (8/0), 1 packet
\ No newline at end of file
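Review bot: The new FMANFP lines carry a forwarding-plane token between the mnemonic and `fman_fp_image:` (`R0/0`, `SIP0`, `F0`), and the matching expected documents in this diff keep no `cisco.ios.*` field for it, so the token appears to be discarded by the parser. On a multi-card ASR/ISR chassis that token identifies which forwarding plane logged the ACL hit, which is useful when the same ACL name exists on several line cards; consider capturing it (for example as `cisco.ios.slot`) or stating in the changelog entry that it is intentionally dropped. The fixture still ends without a trailing newline, which the `\ No newline at end of file` marker shows was already the case; adding one would make future appends to this file produce cleaner diffs.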
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json
index bf45c0b7530..f252c81ffcd 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json
@@ -14,7 +14,7 @@
"ip": "224.0.0.22"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -33,10 +33,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet",
"network": {
@@ -79,7 +76,7 @@
"ip": "224.0.0.2"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -101,10 +98,7 @@
"type": "20"
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet",
"network": {
@@ -147,7 +141,7 @@
"ip": "255.255.255.255"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -166,10 +160,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet",
"network": {
@@ -221,7 +212,7 @@
"port": 22
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "allow",
@@ -240,10 +231,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets",
"network": {
@@ -296,7 +284,7 @@
"port": 15600
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -315,10 +303,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet",
"network": {
@@ -362,7 +347,7 @@
"ip": "192.168.100.2"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -385,10 +370,7 @@
"type": "3"
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet",
"network": {
@@ -432,7 +414,7 @@
"port": 15600
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -451,10 +433,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet",
"network": {
@@ -493,7 +472,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -510,10 +489,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "access-list logging rate-limited or missed 18 packets",
"observer": {
@@ -540,7 +516,7 @@
"port": 15600
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -559,10 +535,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet",
"network": {
@@ -619,7 +592,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -638,10 +611,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet",
"network": {
@@ -680,7 +650,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -697,10 +667,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "access-list logging rate-limited or missed 23 packets",
"observer": {
@@ -726,7 +693,7 @@
"ip": "192.168.100.1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -749,10 +716,7 @@
"type": "3"
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets",
"network": {
@@ -808,7 +772,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -827,10 +791,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet",
"network": {
@@ -873,7 +834,7 @@
"port": 22
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -890,10 +851,7 @@
]
},
"log": {
- "level": "notification",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "notification"
},
"message": "Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021",
"network": {
@@ -937,7 +895,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -954,10 +912,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "User john.smith has exited tty session 5(10.5.36.9)",
"network": {
@@ -1007,7 +962,7 @@
"ip": "10.3.66.3"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "multicast-join",
@@ -1027,10 +982,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3",
"network": {
@@ -1078,7 +1030,7 @@
"ip": "10.3.66.3"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "multicast-join",
@@ -1098,10 +1050,7 @@
]
},
"log": {
- "level": "informational",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "informational"
},
"message": "Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3",
"network": {
@@ -1135,7 +1084,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1152,10 +1101,7 @@
]
},
"log": {
- "level": "warning",
- "syslog": {
- "hostname": "192.168.100.2"
- }
+ "level": "warning"
},
"message": "No valid authentication send key is available on interface eth0",
"observer": {
@@ -1176,7 +1122,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1192,18 +1138,479 @@
"info"
]
},
+ "log": {
+ "level": "informational"
+ },
+ "message": "H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-11T09:34:00.020Z",
+ "cisco": {
+ "ios": {
+ "access_list": "internet_in_gig0",
+ "facility": "FMANFP",
+ "sequence": "1663312"
+ }
+ },
+ "destination": {
+ "address": "10.100.8.34",
+ "ip": "10.100.8.34",
+ "port": 1103
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "allow",
+ "category": [
+ "network"
+ ],
+ "code": "IPACCESSLOGP",
+ "original": "Jul 11 09:34:00 my-router-hostname 1663312: Jul 11 09:34:00.020: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 permitted tcp 172.16.0.26(59144) -\u003e 10.100.8.34(1103), 1 packet",
+ "provider": "firewall",
+ "sequence": 1663312,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info",
+ "allowed"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "my-router-hostname"
+ }
+ },
+ "message": "list internet_in_gig0 permitted tcp 172.16.0.26(59144) -\u003e 10.100.8.34(1103), 1 packet",
+ "network": {
+ "community_id": "1:KXW3u/74dvvbFZ7Ewo9z4chd5T4=",
+ "packets": 1,
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "172.16.0.26",
+ "10.100.8.34"
+ ]
+ },
+ "source": {
+ "address": "172.16.0.26",
+ "ip": "172.16.0.26",
+ "packets": 1,
+ "port": 59144
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-11T09:31:03.762Z",
+ "cisco": {
+ "ios": {
+ "access_list": "110",
+ "facility": "FMANFP",
+ "sequence": "1663410"
+ }
+ },
+ "destination": {
+ "address": "172.16.0.26",
+ "ip": "172.16.0.26",
+ "port": 7774
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "deny",
+ "category": [
+ "network"
+ ],
+ "code": "IPACCESSLOGP",
+ "original": "Jul 11 09:31:03 my-router-hostname 1663410: Jul 11 09:31:03.762: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list 110 denied tcp 10.100.8.34(59120) -\u003e 172.16.0.26(7774), 1 packet",
+ "provider": "firewall",
+ "sequence": 1663410,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info",
+ "denied"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "my-router-hostname"
+ }
+ },
+ "message": "list 110 denied tcp 10.100.8.34(59120) -\u003e 172.16.0.26(7774), 1 packet",
+ "network": {
+ "community_id": "1:e8Y05uGbOy3+E9kG3gX0ri93utw=",
+ "packets": 1,
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "10.100.8.34",
+ "172.16.0.26"
+ ]
+ },
+ "source": {
+ "address": "10.100.8.34",
+ "ip": "10.100.8.34",
+ "packets": 1,
+ "port": 59120
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-11T09:34:00.334Z",
+ "cisco": {
+ "ios": {
+ "access_list": "internet_in_gig0",
+ "facility": "FMANFP",
+ "sequence": "1663469"
+ }
+ },
+ "destination": {
+ "address": "10.100.8.34",
+ "ip": "10.100.8.34",
+ "port": 1985
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "allow",
+ "category": [
+ "network"
+ ],
+ "code": "IPACCESSLOGP",
+ "original": "Jul 11 09:34:00 my-router-hostname 1663469: Jul 11 09:34:00.334: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 permitted udp 172.16.0.26(1985) -\u003e 10.100.8.34(1985), 327 packets",
+ "provider": "firewall",
+ "sequence": 1663469,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info",
+ "allowed"
+ ]
+ },
"log": {
"level": "informational",
"syslog": {
- "hostname": "192.168.100.2"
+ "hostname": "my-router-hostname"
}
},
- "message": "cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19",
+ "message": "list internet_in_gig0 permitted udp 172.16.0.26(1985) -\u003e 10.100.8.34(1985), 327 packets",
+ "network": {
+ "community_id": "1:4IV7i5VTdXeQIUxYQNz2lfhh9eE=",
+ "packets": 327,
+ "transport": "udp",
+ "type": "ipv4"
+ },
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
+ "related": {
+ "ip": [
+ "172.16.0.26",
+ "10.100.8.34"
+ ]
+ },
+ "source": {
+ "address": "172.16.0.26",
+ "ip": "172.16.0.26",
+ "packets": 327,
+ "port": 1985
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-11T09:34:00.209Z",
+ "cisco": {
+ "ios": {
+ "access_list": "internet_in_gig0",
+ "facility": "FMANFP",
+ "sequence": "1663511"
+ }
+ },
+ "destination": {
+ "address": "172.16.0.26",
+ "ip": "172.16.0.26",
+ "port": 1985
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "deny",
+ "category": [
+ "network"
+ ],
+ "code": "IPACCESSLOGP",
+ "original": "Jul 11 09:34:00 my-router-hostname 1663511: Jul 11 09:34:00.209: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 denied udp 10.100.8.34(1985) -\u003e 172.16.0.26(1985), 342 packets",
+ "provider": "firewall",
+ "sequence": 1663511,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info",
+ "denied"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "my-router-hostname"
+ }
+ },
+ "message": "list internet_in_gig0 denied udp 10.100.8.34(1985) -\u003e 172.16.0.26(1985), 342 packets",
+ "network": {
+ "community_id": "1:4IV7i5VTdXeQIUxYQNz2lfhh9eE=",
+ "packets": 342,
+ "transport": "udp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "10.100.8.34",
+ "172.16.0.26"
+ ]
+ },
+ "source": {
+ "address": "10.100.8.34",
+ "ip": "10.100.8.34",
+ "packets": 342,
+ "port": 1985
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-10T23:34:58.206Z",
+ "cisco": {
+ "ios": {
+ "access_list": "ACL",
+ "facility": "FMANFP",
+ "sequence": "1663511"
+ }
+ },
+ "destination": {
+ "address": "10.100.8.34",
+ "ip": "10.100.8.34",
+ "port": 10001
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "deny",
+ "category": [
+ "network"
+ ],
+ "code": "IPACCESSLOGP",
+ "original": "Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:34:58.206: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list ACL denied udp 10.10.10.10(52361) -\u003e 10.100.8.34(10001), 1 packet",
+ "provider": "firewall",
+ "sequence": 1663511,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info",
+ "denied"
+ ]
+ },
+ "log": {
+ "level": "informational"
+ },
+ "message": "list ACL denied udp 10.10.10.10(52361) -\u003e 10.100.8.34(10001), 1 packet",
+ "network": {
+ "community_id": "1:7HdATA0Zd7fB8RBwRLEo/zNyyLQ=",
+ "packets": 1,
+ "transport": "udp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "10.10.10.10",
+ "10.100.8.34"
+ ]
+ },
+ "source": {
+ "address": "10.10.10.10",
+ "ip": "10.10.10.10",
+ "packets": 1,
+ "port": 52361
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-10T23:34:58.206Z",
+ "cisco": {
+ "ios": {
+ "access_list": "ACL_TEST",
+ "facility": "FMANFP",
+ "sequence": "1663511"
+ }
+ },
+ "destination": {
+ "address": "10.100.8.34",
+ "ip": "10.100.8.34"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "allow",
+ "category": [
+ "network"
+ ],
+ "code": "IPACCESSLOGDP",
+ "original": "Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:34:58.206: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list ACL_TEST permitted icmp 172.16.0.26 -\u003e 10.100.8.34 (8/0), 2 packets",
+ "provider": "firewall",
+ "sequence": 1663511,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info",
+ "allowed"
+ ]
+ },
+ "icmp": {
+ "code": "0",
+ "type": "8"
+ },
+ "log": {
+ "level": "informational"
+ },
+ "message": "list ACL_TEST permitted icmp 172.16.0.26 -\u003e 10.100.8.34 (8/0), 2 packets",
+ "network": {
+ "community_id": "1:OvCASybztHusF+Fy8s345w5/IZw=",
+ "packets": 2,
+ "transport": "icmp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "172.16.0.26",
+ "10.100.8.34"
+ ]
+ },
+ "source": {
+ "address": "172.16.0.26",
+ "ip": "172.16.0.26",
+ "packets": 2
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-06-10T23:35:28.207Z",
+ "cisco": {
+ "ios": {
+ "access_list": "ACL_TEST",
+ "facility": "FMANFP",
+ "sequence": "1663511"
+ }
+ },
+ "destination": {
+ "address": "172.16.0.26",
+ "ip": "172.16.0.26"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "allow",
+ "category": [
+ "network"
+ ],
+ "code": "IPACCESSLOGDP",
+ "original": "Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:35:28.207: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list ACL_TEST permitted icmp 10.100.8.34 -\u003e 172.16.0.26 (8/0), 1 packet",
+ "provider": "firewall",
+ "sequence": 1663511,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info",
+ "allowed"
+ ]
+ },
+ "icmp": {
+ "code": "0",
+ "type": "8"
+ },
+ "log": {
+ "level": "informational"
+ },
+ "message": "list ACL_TEST permitted icmp 10.100.8.34 -\u003e 172.16.0.26 (8/0), 1 packet",
+ "network": {
+ "community_id": "1:0NC2mwr4V+bYFoMF3BsibI/mn0Y=",
+ "packets": 1,
+ "transport": "icmp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "10.100.8.34",
+ "172.16.0.26"
+ ]
+ },
+ "source": {
+ "address": "10.100.8.34",
+ "ip": "10.100.8.34",
+ "packets": 1
+ },
"tags": [
"preserve_original_event"
]
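Review bot: The reporting device's identity is dropped from the expected documents whenever the syslog header host is an IP literal: `log.syslog.hostname` survives for `my-router-hostname` but is absent for the `10.0.0.1` events, whose `observer` object carries only product/type/vendor and whose `related.ip` lists only source and destination, so the device address now exists only inside `event.original`, which is present here solely because of the `preserve_original_event` tag. For firewall allow/deny records that identity is what an analyst pivots on to tell which device's ACL made the decision, and it disappears entirely for deployments that do not keep the original event. If the intent is to stop placing IP literals in a hostname field, the value should be moved to an `ip`-typed field (for example `observer.ip`) and appended to `related.ip` rather than discarded; the pipeline change itself is not in this diff, so it may already land in a field not shown here. Separately, the third `Jun 10` event's `@timestamp` (`23:35:28.207`) is taken from the message body while the relay header says `23:34:58`; that looks deliberate and is a useful regression case, but naming it in the changelog entry would stop a future contributor from "fixing" the fixture.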
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format-tzoffset.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format-tzoffset.log-expected.json
index 6bdf6ff54ad..9d6cd2bab07 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format-tzoffset.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format-tzoffset.log-expected.json
@@ -9,7 +9,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -51,7 +51,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -93,7 +93,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json
index f5d6e396ae3..1fd0b4e0268 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json
@@ -9,7 +9,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -51,7 +51,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -93,7 +93,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -135,7 +135,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -177,7 +177,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -219,7 +219,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -261,7 +261,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -303,7 +303,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -345,7 +345,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -387,7 +387,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -429,7 +429,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -471,7 +471,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -513,7 +513,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -555,7 +555,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -597,7 +597,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -639,7 +639,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -681,7 +681,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -723,7 +723,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log
new file mode 100644
index 00000000000..aa0fa741539
--- /dev/null
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log
@@ -0,0 +1,17 @@
+<190>3132517: Jul 13 08:23:43 192.168.100.2 sw01: 3132779: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>Jul 13 08:23:43 192.168.100.2 sw01: 3132779: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>3132517: 192.168.100.2 3132513: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>3132783: 2a02:cf40::: 3132779: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>3132811: sw01: 3132807: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>3132517: 3132513: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>2361044: sw01: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>sw01: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>2361044: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>: sw01: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>*Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format
+<190>3132517: sw01: 3132513: 2y10w: %FOO-6-BAR: Test header format
+<190>Jul 13 08:23:43 192.168.100.2 585917: Jul 14 2023 08:23:43 UTC: %FOO-6-BAR: Test header format
+Jul 13 08:23:43 192.168.100.2 585917: Jul 14 2023 08:23:43 UTC: %FOO-6-BAR: Test header format
+Jul 13 08:23:43 sw01 1663410: Jul 14 2023 08:23:43 UTC: %FOO-6-BAR: Test header format
\ No newline at end of file
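Review bot: All 17 new header variants are expected to parse (no entry in the companion expected JSON carries `error.message`), so the `on_failure` branch this change adds to `grok_header` in the pipeline — the `error.message` append and the `_temp_.header` removal — has no fixture coverage. One deliberately malformed line, for example a priority followed by text with neither a timestamp nor an uptime token, would pin that path and show what a parse failure looks like to a consumer. The file is also committed without a trailing newline, which the sibling `test-syslog.log` fixes in this same change; it would be consistent to add one here too.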
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log-expected.json
new file mode 100644
index 00000000000..7f3bf494402
--- /dev/null
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log-expected.json
@@ -0,0 +1,701 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "message_count": 3132517,
+ "sequence": "3132779"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e3132517: Jul 13 08:23:43 192.168.100.2 sw01: 3132779: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 3132779,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "sw01",
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "sequence": "3132779"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003eJul 13 08:23:43 192.168.100.2 sw01: 3132779: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 3132779,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "sw01",
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "message_count": 3132517,
+ "sequence": "3132513"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e3132517: 192.168.100.2 3132513: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 3132513,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "message_count": 3132783,
+ "sequence": "3132779"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e3132783: 2a02:cf40::: 3132779: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 3132779,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "message_count": 3132811,
+ "sequence": "3132807"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e3132811: sw01: 3132807: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 3132807,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "sw01",
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "message_count": 3132517,
+ "sequence": "3132513"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e3132517: 3132513: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 3132513,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "message_count": 2361044
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e2361044: sw01: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 2361044,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "sw01",
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003esw01: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "sw01",
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "message_count": 2361044
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e2361044: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 2361044,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e: sw01: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "sw01",
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003eJul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.398Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e*Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "message_count": 3132517,
+ "sequence": "3132513",
+ "uptime": "2y10w"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003e3132517: sw01: 3132513: 2y10w: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 3132513,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "sw01",
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.000Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "sequence": "585917"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "\u003c190\u003eJul 13 08:23:43 192.168.100.2 585917: Jul 14 2023 08:23:43 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 585917,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.000Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "sequence": "585917"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "Jul 13 08:23:43 192.168.100.2 585917: Jul 14 2023 08:23:43 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 585917,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational"
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-14T08:23:43.000Z",
+ "cisco": {
+ "ios": {
+ "facility": "FOO",
+ "sequence": "1663410"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "BAR",
+ "original": "Jul 13 08:23:43 sw01 1663410: Jul 14 2023 08:23:43 UTC: %FOO-6-BAR: Test header format",
+ "provider": "firewall",
+ "sequence": 1663410,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "sw01"
+ }
+ },
+ "message": "Test header format",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log
index a7aa0660769..b8f69dd5332 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log
@@ -1,4 +1,9 @@
<189>2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
<189>: Jan 6 2022 20:54:26.961: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
<190>: Jan 6 2022 20:55:50.671: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 172.16.0.26 -> 10.100.8.34 (3/3), 20 packets
-<189>: sw01: Jan 6 2022 21:01:34.964: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
\ No newline at end of file
+<189>: sw01: Jan 6 2022 21:01:34.964: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
+<191>2637085: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock synchronization lost.
+<191>2637086: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (INFO): 10.200.1.105 961A 8A sys_peer
+<191>2637087: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock is synchronized.
+<190>3352436: 3352457: Aug 12 2023 12:14:24.412 mdt: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00013807766185951588 %FW-6-SESS_AUDIT_TRAIL: (target:class) (ZP_PROCESS_TO_CORPORATE:CM_PROCESS_TO_CORPORATE):Stop dns session: initiator (10.50.14.44:33207) sent 48 bytes -- responder (10.120.42.6:53) sent 40 bytes, from GigabitEthernet10/0/2.6
+<190>3352460: 3352481: Aug 12 2023 12:15:33.963 mdt: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00013807835737559120 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet1/0/2.6 10.50.14.44:53836 => 89.160.20.128:80(target:class)-(ZP_PROCESS_TO_CORPORATE:class-default) due to Policy drop:classify result with ip ident 13017 tcp flag 0x2, seq 4266642156, ack 0
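Review bot: The five new samples carry the timezone abbreviations `CEST` and lowercase `mdt`, and the checked-in expectations record those wall-clock times unchanged as UTC (`Aug 18 07:15:04.461 CEST` becomes `2023-08-18T07:15:04.461Z`, `Aug 12 2023 12:14:24.412 mdt` becomes `2023-08-12T12:14:24.412Z`, both with `event.timezone: "UTC"`), which is a two-hour and a six-hour error respectively if the abbreviations are meant literally. The code that resolves `_temp_.tz` is outside this diff, so this may be an existing limitation of the abbreviation mapping rather than a regression, but an incident timeline built from these events would be shifted by that much. Either the expected output should reflect the real offsets, or the fallback to UTC for unmapped abbreviations should be stated somewhere a reader of this fixture will find it.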
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
index f1c41d6d8ab..55f9c82f496 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
@@ -9,7 +9,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -49,7 +49,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -93,7 +93,7 @@
"ip": "10.100.8.34"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "deny",
@@ -155,7 +155,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -186,6 +186,265 @@
"tags": [
"preserve_original_event"
]
+ },
+ {
+ "@timestamp": "2023-08-18T07:15:04.461Z",
+ "cisco": {
+ "ios": {
+ "message_count": 2637085
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "original": "\u003c191\u003e2637085: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock synchronization lost.",
+ "provider": "firewall",
+ "sequence": 2637085,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "hostname": "rt401-rk30409",
+ "priority": 191
+ }
+ },
+ "message": "NTP Core (NOTICE): Clock synchronization lost.",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-08-18T07:15:04.461Z",
+ "cisco": {
+ "ios": {
+ "message_count": 2637086
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "original": "\u003c191\u003e2637086: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (INFO): 10.200.1.105 961A 8A sys_peer",
+ "provider": "firewall",
+ "sequence": 2637086,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "hostname": "rt401-rk30409",
+ "priority": 191
+ }
+ },
+ "message": "NTP Core (INFO): 10.200.1.105 961A 8A sys_peer",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-08-18T07:15:04.461Z",
+ "cisco": {
+ "ios": {
+ "message_count": 2637087
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "original": "\u003c191\u003e2637087: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock is synchronized.",
+ "provider": "firewall",
+ "sequence": 2637087,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "hostname": "rt401-rk30409",
+ "priority": 191
+ }
+ },
+ "message": "NTP Core (NOTICE): Clock is synchronized.",
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-08-12T12:14:24.412Z",
+ "cisco": {
+ "ios": {
+ "facility": "FW",
+ "interface": {
+ "name": "GigabitEthernet10/0/2.6"
+ },
+ "message_count": 3352436,
+ "sequence": "3352457"
+ }
+ },
+ "destination": {
+ "bytes": 40,
+ "ip": "10.120.42.6",
+ "port": 53
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "SESS_AUDIT_TRAIL",
+ "original": "\u003c190\u003e3352436: 3352457: Aug 12 2023 12:14:24.412 mdt: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00013807766185951588 %FW-6-SESS_AUDIT_TRAIL: (target:class) (ZP_PROCESS_TO_CORPORATE:CM_PROCESS_TO_CORPORATE):Stop dns session: initiator (10.50.14.44:33207) sent 48 bytes -- responder (10.120.42.6:53) sent 40 bytes, from GigabitEthernet10/0/2.6",
+ "provider": "firewall",
+ "sequence": 3352457,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "(target:class) (ZP_PROCESS_TO_CORPORATE:CM_PROCESS_TO_CORPORATE):Stop dns session: initiator (10.50.14.44:33207) sent 48 bytes -- responder (10.120.42.6:53) sent 40 bytes, from GigabitEthernet10/0/2.6",
+ "network": {
+ "bytes": 88,
+ "type": "ipv4"
+ },
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "10.50.14.44",
+ "10.120.42.6"
+ ]
+ },
+ "source": {
+ "bytes": 48,
+ "ip": "10.50.14.44",
+ "port": 33207
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-08-12T12:15:33.963Z",
+ "cisco": {
+ "ios": {
+ "facility": "FW",
+ "interface": {
+ "name": "GigabitEthernet1/0/2.6"
+ },
+ "message_count": 3352460,
+ "sequence": "3352481"
+ }
+ },
+ "destination": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.128",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "DROP_PKT",
+ "original": "\u003c190\u003e3352460: 3352481: Aug 12 2023 12:15:33.963 mdt: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00013807835737559120 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet1/0/2.6 10.50.14.44:53836 =\u003e 89.160.20.128:80(target:class)-(ZP_PROCESS_TO_CORPORATE:class-default) due to Policy drop:classify result with ip ident 13017 tcp flag 0x2, seq 4266642156, ack 0",
+ "provider": "firewall",
+ "sequence": 3352481,
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "Dropping tcp pkt from GigabitEthernet1/0/2.6 10.50.14.44:53836 =\u003e 89.160.20.128:80(target:class)-(ZP_PROCESS_TO_CORPORATE:class-default) due to Policy drop:classify result with ip ident 13017 tcp flag 0x2, seq 4266642156, ack 0",
+ "network": {
+ "type": "ipv4"
+ },
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "10.50.14.44",
+ "89.160.20.128"
+ ]
+ },
+ "source": {
+ "ip": "10.50.14.44",
+ "port": 53836
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
diff --git a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index d65a748de6b..345e5037cff 100644
--- a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -4,7 +4,7 @@ description: Pipeline for Cisco IOS logs.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: event.category
value: [network]
@@ -31,19 +31,37 @@ processors:
- remove:
field: message
ignore_missing: true
- - dissect:
+ - grok:
field: event.original
- pattern: '%{_temp_.header} %%{message}'
+ patterns:
+ - '%{DATA:_temp_.header} %%{GREEDYDATA:message}'
+ - '%{DATA:_temp_.header} %{NTP_MESSAGE:ntp_message}'
+ pattern_definitions:
+ NTP_MESSAGE: 'NTP %{GREEDYDATA}'
tag: dissect_header
- grok:
field: _temp_.header
tag: grok_header
patterns:
- - '^<%{NONNEGINT:log.syslog.priority:long}>%{NUMBER:cisco.ios.message_count}?: (?:%{SYSLOGHOST:log.syslog.hostname}: )?(?:%{NUMBER:cisco.ios.sequence}: )?(%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)'
- - '%{SYSLOGHOST:log.syslog.hostname} (%{NUMBER:cisco.ios.sequence}: )?%{CISCO_TIMESTAMP}'
+ - '^(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?(%{HOSTNAME:log.syslog.hostname}[:]? )?%{NUMBER:cisco.ios.sequence}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)'
+ - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?(%{HOSTNAME:log.syslog.hostname}: )?%{NUMBER:cisco.ios.sequence}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)'
+ - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?(%{HOSTNAME:log.syslog.hostname}: )?(%{NUMBER:cisco.ios.sequence}: )?(%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)'
+ - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )?(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?%{HOSTNAME:log.syslog.hostname}: %{NUMBER:cisco.ios.sequence}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)'
+ - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )?(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?%{NUMBER:cisco.ios.sequence}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)'
+ - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )?(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?%{HOSTNAME:log.syslog.hostname}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)'
+ - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )?(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?(%{HOSTNAME:log.syslog.hostname}: )?(%{NUMBER:cisco.ios.sequence}: )?(%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)'
pattern_definitions:
- CISCO_TIMESTAMP: '%{CISCOTIMESTAMP:_temp_.cisco_timestamp}(?: %{CISCO_TZ:_temp_.tz})?'
+ CISCO_TIMESTAMP: '[*]?%{CISCOTIMESTAMP:_temp_.cisco_timestamp}(?: %{CISCO_TZ:_temp_.tz})?'
CISCO_TZ: '[a-zA-Z]{1,4}'
+ on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
+ - remove:
+ field: _temp_.header
+ ignore_missing: true
+ tag: on_failure_remove_header
- set:
field: event.sequence
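Review bot: The header-splitting processor near the top of the hunk still carries `tag: dissect_header` although it is now a `grok`, so a failure attributed to it will name a dissect processor that no longer exists; rename it, e.g. `tag: grok_split_header`. In the `grok_header` patterns the `(%{IP}[:]? )?` group is consumed but never stored, so a device or relay address in that position is discarded while a hostname in the same position lands in `log.syslog.hostname` — the fixture line `Jul 13 08:23:43 192.168.100.2 585917: …` yields no hostname, `Jul 13 08:23:43 sw01 1663410: …` yields `sw01` — whereas the removed `%{SYSLOGHOST:log.syslog.hostname}` pattern kept both forms. If dropping the address is deliberate, a one-line comment above the patterns saying so would spare the next reader the question; otherwise capture it (`%{IP:log.syslog.hostname}` or a dedicated field). The `processors` list continues outside the hunk.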
@@ -120,7 +138,34 @@ processors:
field: message
tag: grok_message
patterns:
- - "%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:message}"
+ - '%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}:\s+(\w+\d+(/\d+)?\:\s+)?([a-zA-Z0-9_]+\:\s+)?%{GREEDYDATA:message}'
+ ignore_missing: true
+ - grok:
+ field: message
+ tag: grok_child_message
+ patterns:
+ - '%%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}:\s+(\w+\d+(/\d+)?\:\s+)?([a-zA-Z0-9_]+\:\s+)?%{GREEDYDATA:message}'
+ ignore_missing: true
+ if: ctx.cisco?.ios?.facility == 'IOSXE' && ctx.event?.code == 'PLATFORM'
+ - grok:
+ field: message
+ tag: grok_audit_details
+ patterns:
+ - 'initiator \(%{IP:source.ip}:%{NUMBER:source.port:long}\) sent %{NUMBER:source.bytes:long} bytes -- responder \(%{IP:destination.ip}:%{NUMBER:destination.port:long}\) sent %{NUMBER:destination.bytes:long} bytes, from %{NOTSPACE:cisco.ios.interface.name}'
+ ignore_missing: true
+ if: ctx.cisco?.ios?.facility == 'FW' && ctx.event?.code == 'SESS_AUDIT_TRAIL'
+ - grok:
+ field: message
+ tag: grok_drop_details
+ patterns:
+ - '^Dropping %{WORD} %{WORD} from %{NOTSPACE:cisco.ios.interface.name} %{IP:source.ip}:%{NUMBER:source.port:long} ?=> ?%{IP:destination.ip}:%{NUMBER:destination.port:long}'
+ ignore_missing: true
+ if: ctx.cisco?.ios?.facility == 'FW' && ctx.event?.code == 'DROP_PKT'
+ - rename:
+ field: ntp_message
+ target_field: message
+ tag: rename_ntp_message
+ if: ctx.ntp_message != null
- convert:
field: event.severity
type: long
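Review bot: The prefix-stripping groups added to `grok_message`, `(\w+\d+(/\d+)?\:\s+)?([a-zA-Z0-9_]+\:\s+)?`, apply to every facility rather than only the IOSXE PLATFORM case they target, so any message body that happens to open with an alphanumeric token followed by a colon and whitespace silently loses that token from `message` — the field that `grok_audit_details`, `grok_drop_details` and any detection rule keyed on it read. The `R0/0: cpp_cp:` prefix only needs to be skipped to reach the nested header, and `grok_child_message` already matches `%%{DATA:cisco.ios.facility}-…` unanchored, so the outer grok can keep its original shape: `- '%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:message}'`. If the stripping is intentional, a comment above the pattern naming the IOSXE `R0/0: cpp_cp:` prefix it exists for would help, since nothing in the pattern says so. The `processors` list continues outside the hunk.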
@@ -226,6 +271,22 @@ processors:
type: long
tag: convert_destination_port
ignore_missing: true
+ - script:
+ lang: painless
+ source: |
+ long n = 0;
+ if (ctx.source?.bytes != null) {
+ n += ctx.source.bytes
+ }
+ if (ctx.destination?.bytes != null) {
+ n += ctx.destination.bytes
+ }
+ if (ctx.network == null) {
+ ctx.network = new HashMap();
+ }
+ ctx.network.bytes = n;
+ if: ctx.source?.bytes != null || ctx.destination?.bytes != null
+ ignore_failure: true
- set:
field: network.packets
copy_from: source.packets
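Review bot: `ignore_failure: true` on the byte-summing script discards any exception without a trace, whereas the header grok added in the same file records failures through an `on_failure` append to `error.message`; a silently skipped script leaves `network.bytes` absent with nothing to explain why. Since the `if` guard and the two null checks already cover the expected inputs, the remaining failure modes (for example `source.bytes` arriving as a non-numeric type from another path) are exactly the ones worth surfacing, so prefer the same `on_failure` block here, or at least a comment stating that a missing `network.bytes` is an acceptable outcome. The `processors` list continues outside the hunk.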
diff --git a/packages/cisco_ios/data_stream/log/fields/ecs.yml b/packages/cisco_ios/data_stream/log/fields/ecs.yml
index 05d7f3d85a0..528ae122641 100644
--- a/packages/cisco_ios/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_ios/data_stream/log/fields/ecs.yml
@@ -2,6 +2,8 @@
name: '@timestamp'
- external: ecs
name: destination.address
+- external: ecs
+ name: destination.bytes
- external: ecs
name: destination.as.number
- external: ecs
@@ -62,6 +64,8 @@
name: log.level
- external: ecs
name: message
+- external: ecs
+ name: network.bytes
- external: ecs
name: network.community_id
- external: ecs
@@ -84,6 +88,8 @@
name: related.user
- external: ecs
name: source.address
+- external: ecs
+ name: source.bytes
- external: ecs
name: source.ip
- external: ecs
@@ -114,3 +120,5 @@
name: tags
- external: ecs
name: log.syslog.priority
+- external: ecs
+ name: log.syslog.hostname
diff --git a/packages/cisco_ios/data_stream/log/fields/fields.yml b/packages/cisco_ios/data_stream/log/fields/fields.yml
index 1eac30828a4..1ebe861b1f7 100644
--- a/packages/cisco_ios/data_stream/log/fields/fields.yml
+++ b/packages/cisco_ios/data_stream/log/fields/fields.yml
@@ -13,6 +13,12 @@
type: keyword
description: |
The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.
+ - name: interface
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the network interface.
- name: pim
type: group
fields:
@@ -60,6 +66,3 @@
- name: igmp.type
type: keyword
description: IGMP type.
-- name: log.syslog.hostname
- type: keyword
- description: Hostname parsed from syslog header.
diff --git a/packages/cisco_ios/data_stream/log/sample_event.json b/packages/cisco_ios/data_stream/log/sample_event.json
index 56aa524fc5e..1017a27b459 100644
--- a/packages/cisco_ios/data_stream/log/sample_event.json
+++ b/packages/cisco_ios/data_stream/log/sample_event.json
@@ -1,16 +1,16 @@
{
- "@timestamp": "2022-01-06T22:11:43.398+11:00",
+ "@timestamp": "2022-01-06T20:52:12.861Z",
"agent": {
- "ephemeral_id": "b4eeb540-5cc1-4878-b94d-09d0a0d440dd",
- "id": "7fcefa24-63f3-457e-b11c-ccf7f1edaad6",
+ "ephemeral_id": "960a0fda-a7b7-4362-9018-34b1d0d119c4",
+ "id": "f00ff835-626e-4a18-a8a2-0bb3ebb7503f",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.6.2"
+ "version": "8.0.0"
},
"cisco": {
"ios": {
- "facility": "FOO",
- "message_count": 2361044
+ "facility": "SYS",
+ "message_count": 2360957
}
},
"data_stream": {
@@ -19,45 +19,43 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "7fcefa24-63f3-457e-b11c-ccf7f1edaad6",
+ "id": "f00ff835-626e-4a18-a8a2-0bb3ebb7503f",
"snapshot": false,
- "version": "8.6.2"
+ "version": "8.0.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"network"
],
- "code": "BAR",
+ "code": "CONFIG_I",
"dataset": "cisco_ios.log",
- "ingested": "2023-06-01T11:59:13Z",
- "original": "\u003c190\u003e2361044: sw01: Jan 6 2022 22:11:43.398 AEST: %FOO-6-BAR: Test date format.",
+ "ingested": "2023-07-13T09:20:48Z",
+ "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)",
"provider": "firewall",
- "sequence": 2361044,
- "severity": 6,
- "timezone": "Australia/Sydney",
+ "sequence": 2360957,
+ "severity": 5,
+ "timezone": "+00:00",
"type": [
"info"
]
},
"input": {
- "type": "log"
+ "type": "tcp"
},
"log": {
- "file": {
- "path": "/tmp/service_logs/cisco-ios-timezones.log"
+ "level": "notification",
+ "source": {
+ "address": "172.25.0.4:46792"
},
- "level": "informational",
- "offset": 0,
"syslog": {
- "hostname": "sw01",
- "priority": 190
+ "priority": 189
}
},
- "message": "Test date format.",
+ "message": "Configured from console by akroh on vty0 (10.100.11.10)",
"observer": {
"product": "IOS",
"type": "firewall",
diff --git a/packages/cisco_ios/docs/README.md b/packages/cisco_ios/docs/README.md
index 35016ebd54b..df850359b23 100644
--- a/packages/cisco_ios/docs/README.md
+++ b/packages/cisco_ios/docs/README.md
@@ -24,18 +24,18 @@ An example event for `log` looks as following:
```json
{
- "@timestamp": "2022-01-06T22:11:43.398+11:00",
+ "@timestamp": "2022-01-06T20:52:12.861Z",
"agent": {
- "ephemeral_id": "b4eeb540-5cc1-4878-b94d-09d0a0d440dd",
- "id": "7fcefa24-63f3-457e-b11c-ccf7f1edaad6",
+ "ephemeral_id": "960a0fda-a7b7-4362-9018-34b1d0d119c4",
+ "id": "f00ff835-626e-4a18-a8a2-0bb3ebb7503f",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.6.2"
+ "version": "8.0.0"
},
"cisco": {
"ios": {
- "facility": "FOO",
- "message_count": 2361044
+ "facility": "SYS",
+ "message_count": 2360957
}
},
"data_stream": {
@@ -44,45 +44,43 @@ An example event for `log` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "7fcefa24-63f3-457e-b11c-ccf7f1edaad6",
+ "id": "f00ff835-626e-4a18-a8a2-0bb3ebb7503f",
"snapshot": false,
- "version": "8.6.2"
+ "version": "8.0.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"network"
],
- "code": "BAR",
+ "code": "CONFIG_I",
"dataset": "cisco_ios.log",
- "ingested": "2023-06-01T11:59:13Z",
- "original": "\u003c190\u003e2361044: sw01: Jan 6 2022 22:11:43.398 AEST: %FOO-6-BAR: Test date format.",
+ "ingested": "2023-07-13T09:20:48Z",
+ "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)",
"provider": "firewall",
- "sequence": 2361044,
- "severity": 6,
- "timezone": "Australia/Sydney",
+ "sequence": 2360957,
+ "severity": 5,
+ "timezone": "+00:00",
"type": [
"info"
]
},
"input": {
- "type": "log"
+ "type": "tcp"
},
"log": {
- "file": {
- "path": "/tmp/service_logs/cisco-ios-timezones.log"
+ "level": "notification",
+ "source": {
+ "address": "172.25.0.4:46792"
},
- "level": "informational",
- "offset": 0,
"syslog": {
- "hostname": "sw01",
- "priority": 190
+ "priority": 189
}
},
- "message": "Test date format.",
+ "message": "Configured from console by akroh on vty0 (10.100.11.10)",
"observer": {
"product": "IOS",
"type": "firewall",
@@ -104,6 +102,7 @@ An example event for `log` looks as following:
| cisco.ios.access_list | Name of the IP access list. | keyword |
| cisco.ios.action | Action taken by the device | keyword |
| cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword |
+| cisco.ios.interface.name | The name of the network interface. | keyword |
| cisco.ios.message_count | Message count number provided by the device when the device's service message-counter global configuration is set. | long |
| cisco.ios.outcome | The result of the event | keyword |
| cisco.ios.pim.group.ip | Multicast group IP | ip |
@@ -132,6 +131,7 @@ An example event for `log` looks as following:
| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
| destination.as.organization.name | Organization name. | keyword |
| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
| destination.geo.city_name | City name. | keyword |
| destination.geo.continent_name | Name of the continent. | keyword |
| destination.geo.country_iso_code | Country ISO code. | keyword |
@@ -148,17 +148,17 @@ An example event for `log` looks as following:
| error.message | Error message. | match_only_text |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| host.architecture | Operating system architecture. | keyword |
@@ -188,9 +188,10 @@ An example event for `log` looks as following:
| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
| log.offset | | long |
| log.source.address | | keyword |
-| log.syslog.hostname | Hostname parsed from syslog header. | keyword |
+| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword |
| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
@@ -206,6 +207,7 @@ An example event for `log` looks as following:
| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
| source.as.organization.name | Organization name. | keyword |
| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
| source.geo.city_name | City name. | keyword |
| source.geo.continent_name | Name of the continent. | keyword |
| source.geo.country_iso_code | Country ISO code. | keyword |
diff --git a/packages/cisco_ios/kibana/tags.yml b/packages/cisco_ios/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_ios/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_ios/manifest.yml b/packages/cisco_ios/manifest.yml
index c713241c013..2a68d2eda45 100644
--- a/packages/cisco_ios/manifest.yml
+++ b/packages/cisco_ios/manifest.yml
@@ -1,14 +1,15 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: cisco_ios
title: Cisco IOS
-version: "1.16.0"
+version: "1.21.0"
description: Collect logs from Cisco IOS with Elastic Agent.
type: integration
categories:
- network
- security
conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
+ kibana:
+ version: "^7.16.0 || ^8.0.0"
icons:
- src: /img/cisco.svg
title: cisco
@@ -30,3 +31,4 @@ policy_templates:
description: Collecting logs from Cisco IOS via file
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/cisco_ise/_dev/build/build.yml b/packages/cisco_ise/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_ise/_dev/build/build.yml
+++ b/packages/cisco_ise/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml b/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml
index d28a7f6a2be..a6aa39d0b79 100644
--- a/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml
+++ b/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml
@@ -1,5 +1,11 @@
version: "2.3"
services:
+ cisco_ise-log-filestream:
+ image: alpine
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ - ${SERVICE_LOGS_DIR}:/var/log
+ command: /bin/sh -c "cp /sample_logs/* /var/log/"
cisco_ise-log-tcp:
image: docker.elastic.co/observability/stream:v0.8.0
volumes:
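Review bot: The new `cisco_ise-log-filestream` service at the top of this hunk uses an unpinned `image: alpine`, so every test run resolves whatever `latest` points to at that moment, while the sibling `cisco_ise-log-tcp` service in the same file pins `docker.elastic.co/observability/stream:v0.8.0`. For a reproducible and supply-chain-auditable fixture, pin the image to a specific tag or digest in the same style, e.g. `image: alpine:<PINNED_TAG>` (placeholder; pick the version the project standardizes on). The `${SERVICE_LOGS_DIR}:/var/log` bind mount presumably relies on the test harness exporting that variable; if it is ever unset, compose will substitute an empty string and the `cp /sample_logs/* /var/log/` step will not deliver the sample logs where the filestream input expects them, so a comment such as `# SERVICE_LOGS_DIR is provided by elastic-package; the copy feeds the filestream input` above the service would help the next maintainer.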
diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
index 11296bacaab..fde248c4676 100644
--- a/packages/cisco_ise/changelog.yml
+++ b/packages/cisco_ise/changelog.yml
@@ -1,4 +1,34 @@
# newer versions go on top
+- version: 1.15.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.14.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.13.0"
+ changes:
+ - description: Update package-spec to 2.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7597
+- version: "1.12.0"
+ changes:
+ - description: Add support for filestream input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7394
+- version: "1.11.1"
+ changes:
+ - description: Add missing ECS field mappings
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7269
+- version: "1.11.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.10.0"
changes:
- description: Convert dashboard to lens.
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
index 8648168909c..9e381760bb2 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
@@ -34,7 +34,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -105,7 +105,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -178,7 +178,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -246,7 +246,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -311,7 +311,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -379,7 +379,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -444,7 +444,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -513,7 +513,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -580,7 +580,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -642,7 +642,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -706,7 +706,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ad-connector",
@@ -768,7 +768,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -817,7 +817,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
index 527701806d4..1680ff807ce 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
@@ -35,7 +35,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "administrator-login",
@@ -53,7 +53,9 @@
]
},
"host": {
- "ip": "81.2.69.143"
+ "ip": [
+ "81.2.69.143"
+ ]
},
"log": {
"level": "notice",
@@ -112,7 +114,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "administrator-login",
@@ -130,7 +132,9 @@
]
},
"host": {
- "ip": "81.2.69.143"
+ "ip": [
+ "81.2.69.143"
+ ]
},
"log": {
"level": "notice",
@@ -188,7 +192,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "administrator-login",
@@ -264,7 +268,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "administrator-login",
@@ -347,7 +351,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "configuration-changes",
@@ -431,7 +435,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "configuration-changes",
@@ -518,7 +522,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "configuration-changes",
@@ -599,7 +603,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "feedservice",
@@ -659,7 +663,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "feedservice",
@@ -733,7 +737,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "mydevices",
@@ -751,7 +755,9 @@
},
"host": {
"hostname": "isehost",
- "ip": "81.2.69.143"
+ "ip": [
+ "81.2.69.143"
+ ]
},
"log": {
"level": "notice",
@@ -810,7 +816,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "system-management",
@@ -891,7 +897,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "system-management",
@@ -968,7 +974,7 @@
"ip": "10.0.9.204"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap-tls",
@@ -1044,7 +1050,7 @@
"ip": "10.0.9.204"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap-tls",
@@ -1123,7 +1129,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "mydevices",
@@ -1141,7 +1147,9 @@
},
"host": {
"hostname": "isehost",
- "ip": "81.2.69.143"
+ "ip": [
+ "81.2.69.143"
+ ]
},
"log": {
"level": "notice",
@@ -1225,7 +1233,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "configuration-changes",
@@ -1307,7 +1315,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "mydevices",
@@ -1325,7 +1333,9 @@
},
"host": {
"hostname": "isehost",
- "ip": "172.16.17.255"
+ "ip": [
+ "172.16.17.255"
+ ]
},
"log": {
"level": "notice",
@@ -1399,7 +1409,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "process-management",
@@ -1480,7 +1490,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "system-management",
@@ -1560,7 +1570,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "system-management",
@@ -1640,7 +1650,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "system-management",
@@ -1715,7 +1725,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "administrator-login",
@@ -1790,7 +1800,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "administrator-login",
@@ -1866,7 +1876,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "administrator-login",
@@ -1942,7 +1952,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "administrator-login",
@@ -2018,7 +2028,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "administrator-login",
@@ -2086,7 +2096,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -2145,7 +2155,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -2220,7 +2230,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "configuration-changes",
@@ -2327,7 +2337,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "configuration-changes",
@@ -2420,7 +2430,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "configuration-changes",
@@ -2509,7 +2519,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "configuration-changes",
@@ -2593,7 +2603,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "configuration-changes",
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json
index 8a9b6c24c12..0851af92306 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json
@@ -62,7 +62,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "workflow",
@@ -169,7 +169,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "workflow",
@@ -274,7 +274,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "authentication",
@@ -379,7 +379,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "workflow",
@@ -486,7 +486,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "workflow",
@@ -591,7 +591,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "workflow",
@@ -706,7 +706,7 @@
"ip": "10.0.9.204"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "workflow",
@@ -816,7 +816,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "workflow",
@@ -907,7 +907,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "authentication",
@@ -987,7 +987,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json
index 76605d6ad29..5805e3175a0 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json
@@ -83,7 +83,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "failed-attempt",
@@ -267,7 +267,7 @@
"ip": "81.2.69.145"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "failed-attempt",
@@ -352,7 +352,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "guest",
@@ -491,7 +491,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -675,7 +675,7 @@
"ip": "81.2.69.145"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -1106,7 +1106,7 @@
"port": 1645
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "failed-attempt",
@@ -1190,7 +1190,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json
index 309155922cd..47e27b67639 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json
@@ -45,7 +45,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "guest",
@@ -134,7 +134,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "guest",
@@ -215,7 +215,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -265,7 +265,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -318,7 +318,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json
index 7c7ab6aaec8..b046afe3884 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json
@@ -49,7 +49,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "local-user-db",
@@ -139,7 +139,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "local-user-db",
@@ -232,7 +232,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "local-user-db",
@@ -327,7 +327,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "local-user-db",
@@ -420,7 +420,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "local-user-db",
@@ -489,7 +489,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "external-active-directory",
@@ -549,7 +549,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "external-active-directory",
@@ -609,7 +609,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "external-active-directory",
@@ -669,7 +669,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "external-active-directory",
@@ -730,7 +730,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "external-active-directory",
@@ -813,7 +813,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "external-active-directory",
@@ -904,7 +904,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "external-active-directory",
@@ -994,7 +994,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "local-user-db",
@@ -1085,7 +1085,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "local-user-db",
@@ -1179,7 +1179,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "external-active-directory",
@@ -1248,7 +1248,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "external-active-directory",
@@ -1325,7 +1325,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
index 35835badd80..bf211b4c029 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
@@ -28,7 +28,7 @@
"port": 9025
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "system-management",
@@ -87,7 +87,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "profiler",
@@ -152,7 +152,7 @@
"port": 9005
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "system-management",
@@ -217,7 +217,7 @@
"port": 9005
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "system-management",
@@ -282,7 +282,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "logging",
@@ -339,7 +339,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
index 6a3ec4830d3..080c9f065d5 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
@@ -54,7 +54,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "mydevices",
@@ -154,7 +154,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "mydevices",
@@ -233,7 +233,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "mydevices",
@@ -304,7 +304,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
index 9190eb80123..356343a45e7 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
@@ -196,7 +196,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "passed-authentication",
@@ -295,7 +295,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "guest",
@@ -455,7 +455,7 @@
"port": 1645
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "passed-authentication",
@@ -539,7 +539,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -610,7 +610,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json
index 37fc5355720..1b9ee95db76 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json
@@ -41,7 +41,7 @@
"ip": "81.2.69.143"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "policy",
@@ -138,7 +138,7 @@
"ip": "81.2.69.143"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "policy",
@@ -259,7 +259,7 @@
"ip": "81.2.69.143"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "policy",
@@ -373,7 +373,7 @@
"ip": "81.2.69.143"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "policy",
@@ -467,7 +467,7 @@
"ip": "81.2.69.143"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "policy",
@@ -566,7 +566,7 @@
"ip": "81.2.69.143"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "policy",
@@ -658,7 +658,7 @@
"ip": "81.2.69.143"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "policy",
@@ -744,7 +744,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json
index c8d29ef6d93..37b8204d8d6 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json
@@ -32,7 +32,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eps",
@@ -102,7 +102,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json
index ed038e600fa..ddf370c12f5 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json
@@ -114,7 +114,7 @@
"ip": "81.2.69.145"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius-accounting",
@@ -231,7 +231,7 @@
"ip": "81.2.69.145"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius-accounting",
@@ -346,7 +346,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json
index 0882acec565..1cf9651f2e1 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json
@@ -58,7 +58,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -181,7 +181,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -266,7 +266,7 @@
"port": 1813
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -375,7 +375,7 @@
"port": 1813
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -496,7 +496,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -599,7 +599,7 @@
"port": 73
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -677,7 +677,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -776,7 +776,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -885,7 +885,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -984,7 +984,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -1087,7 +1087,7 @@
"port": 1813
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -1185,7 +1185,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -1300,7 +1300,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -1423,7 +1423,7 @@
"port": 72
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -1538,7 +1538,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -1653,7 +1653,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -1771,7 +1771,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -1895,7 +1895,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -2019,7 +2019,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -2144,7 +2144,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -2263,7 +2263,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -2377,7 +2377,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -2496,7 +2496,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -2614,7 +2614,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -2732,7 +2732,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -2851,7 +2851,7 @@
"port": 1812
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "eap",
@@ -2964,7 +2964,7 @@
"port": 1892
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json
index 0f72cf4abe6..bd90423c1e8 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json
@@ -77,7 +77,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -172,7 +172,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -190,7 +190,9 @@
]
},
"host": {
- "ip": "81.2.69.143"
+ "ip": [
+ "81.2.69.143"
+ ]
},
"log": {
"level": "notice",
@@ -313,7 +315,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -404,7 +406,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -491,7 +493,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
@@ -562,7 +564,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": [
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json
index 64a920296a0..b085cbd09a4 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json
@@ -112,7 +112,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "tacacs-accounting",
@@ -263,7 +263,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "tacacs-accounting",
@@ -433,7 +433,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "tacacs-accounting",
@@ -578,7 +578,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json
index 7af29a333c6..dc405395817 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json
@@ -28,7 +28,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "irf",
@@ -94,7 +94,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "irf",
@@ -153,7 +153,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "radius",
@@ -210,7 +210,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
new file mode 100644
index 00000000000..ab621b50029
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -0,0 +1,8 @@
+service: cisco_ise-log-filestream
+input: filestream
+data_stream:
+ vars:
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+ paths:
+ - '{{SERVICE_LOGS_DIR}}/*.log'
diff --git a/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs b/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs
new file mode 100644
index 00000000000..9fcdf9bb7ac
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path|}}
+- {{path}}
+{{/each}}
+prospector.scanner.exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
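Review bot: The template has no branch for `preserve_duplicate_custom_fields`, yet the new system test config (test-filestream-config.yml) passes `preserve_duplicate_custom_fields: true` as a stream var, so that option appears to reach neither the agent config nor the event; if the ingest pipeline keys off a tag for it, as the other streams in this package presumably do (their templates are outside this diff, so this is inferred), the test is not exercising that path. Either drop the var from the test config or add the usual tag branch after the `preserve_original_event` block: `{{#if preserve_duplicate_custom_fields}}`, `  - preserve_duplicate_custom_fields`, `{{/if}}` (and declare the var on the filestream stream in manifest.yml). Separately, the default tags in the manifest include `forwarded`, which through `publisher_pipeline.disable_host: true` drops the agent host metadata by default; worth a one-line comment in the template so operators reading a file on the ISE node itself know to remove the tag if they want the collector's host fields.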
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 733030c6999..fc8b07cb4b2 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Cisco ISE logs.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
@@ -123,6 +123,10 @@ processors:
- pipeline:
name: '{{ IngestPipeline "pipeline_identity_stores_diagnostics" }}'
if: ctx.cisco_ise?.log?.category?.name == "CISE_Identity_Stores_Diagnostics"
+ - set:
+ field: host.ip
+ value: ['{{{host.ip}}}']
+ if: ctx.host?.ip instanceof String
- convert:
field: cisco_ise.log.log_details.ConfigVersionId
target_field: cisco_ise.log.config_version.id
diff --git a/packages/cisco_ise/data_stream/log/fields/ecs.yml b/packages/cisco_ise/data_stream/log/fields/ecs.yml
index ff71e50dacf..6a5d79b5731 100644
--- a/packages/cisco_ise/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_ise/data_stream/log/fields/ecs.yml
@@ -1,13 +1,75 @@
+- external: ecs
+ name: client.geo.city_name
+- external: ecs
+ name: client.geo.continent_code
+- external: ecs
+ name: client.geo.continent_name
+- external: ecs
+ name: client.geo.country_iso_code
+- external: ecs
+ name: client.geo.country_name
+- external: ecs
+ name: client.geo.location
+- external: ecs
+ name: client.geo.name
+- external: ecs
+ name: client.geo.postal_code
+- external: ecs
+ name: client.geo.region_iso_code
+- external: ecs
+ name: client.geo.region_name
+- external: ecs
+ name: client.geo.timezone
- external: ecs
name: client.ip
- external: ecs
name: client.port
- external: ecs
name: client.user.name
+- external: ecs
+ name: destination.address
+- external: ecs
+ name: destination.as.number
+- external: ecs
+ name: destination.as.organization.name
+- external: ecs
+ name: destination.bytes
+- external: ecs
+ name: destination.domain
+- external: ecs
+ name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.continent_code
+- external: ecs
+ name: destination.geo.continent_name
+- external: ecs
+ name: destination.geo.country_iso_code
+- external: ecs
+ name: destination.geo.country_name
+- external: ecs
+ name: destination.geo.location
+- external: ecs
+ name: destination.geo.name
+- external: ecs
+ name: destination.geo.postal_code
+- external: ecs
+ name: destination.geo.region_iso_code
+- external: ecs
+ name: destination.geo.region_name
+- external: ecs
+ name: destination.geo.timezone
- external: ecs
name: destination.ip
+- external: ecs
+ name: destination.nat.ip
+- external: ecs
+ name: destination.nat.port
+- external: ecs
+ name: destination.packets
- external: ecs
name: destination.port
+- external: ecs
+ name: destination.user.name
- external: ecs
name: ecs.version
- external: ecs
@@ -22,10 +84,34 @@
name: event.sequence
- external: ecs
name: event.type
+- external: ecs
+ name: host.geo.city_name
+- external: ecs
+ name: host.geo.continent_code
+- external: ecs
+ name: host.geo.continent_name
+- external: ecs
+ name: host.geo.country_iso_code
+- external: ecs
+ name: host.geo.country_name
+- external: ecs
+ name: host.geo.location
+- external: ecs
+ name: host.geo.name
+- external: ecs
+ name: host.geo.postal_code
+- external: ecs
+ name: host.geo.region_iso_code
+- external: ecs
+ name: host.geo.region_name
+- external: ecs
+ name: host.geo.timezone
- external: ecs
name: host.hostname
- external: ecs
name: host.ip
+- external: ecs
+ name: log.file.path
- external: ecs
name: log.level
- external: ecs
@@ -46,8 +132,52 @@
name: related.user
- external: ecs
name: service.type
+- external: ecs
+ name: source.address
+- external: ecs
+ name: source.as.number
+- external: ecs
+ name: source.as.organization.name
+- external: ecs
+ name: source.bytes
+- external: ecs
+ name: source.domain
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_code
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- external: ecs
+ name: source.geo.location
+- external: ecs
+ name: source.geo.name
+- external: ecs
+ name: source.geo.postal_code
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.geo.timezone
- external: ecs
name: source.ip
+- external: ecs
+ name: source.nat.ip
+- external: ecs
+ name: source.nat.port
+- external: ecs
+ name: source.packets
+- external: ecs
+ name: source.port
+- external: ecs
+ name: source.user.name
+- external: ecs
+ name: source.user.group.name
- external: ecs
name: tags
- external: ecs
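Review bot: `source.user.group.name` is inserted after `source.user.name`, breaking the alphabetical ordering the rest of this file keeps (`source.user.group.name` sorts before `source.user.name`); swap the two entries so the file stays mechanically sortable. Nothing functional depends on it, but a consistent order keeps future additions from producing duplicate declarations that `elastic-package` would then reject.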
diff --git a/packages/cisco_ise/data_stream/log/manifest.yml b/packages/cisco_ise/data_stream/log/manifest.yml
index d4378868946..64484360d6b 100644
--- a/packages/cisco_ise/data_stream/log/manifest.yml
+++ b/packages/cisco_ise/data_stream/log/manifest.yml
@@ -72,3 +72,41 @@ streams:
show_user: false
description: >-
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: filestream
+ template_path: filestream.yml.hbs
+ title: Cisco_ISE logs
+ description: Collect Cisco ISE logs via TCP input.
+ vars:
+ - name: paths
+ title: Paths
+ type: text
+ required: true
+ show_user: true
+ multi: true
+ default:
+ - /var/log/cisco_ise*
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_ise-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
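Review bot: The description of the new `filestream` stream says `Collect Cisco ISE logs via TCP input.`, which is a copy-paste from the TCP stream and is what operators see in the Fleet UI when picking an input; change it to `description: Collect Cisco ISE logs from log files using the filestream input.`. The default path `/var/log/cisco_ise*` is a bare glob that will also match rotated files; the template only excludes `.gz$`, so consider documenting in the `paths` description which file names are expected, or narrowing the default to `/var/log/cisco_ise*.log`. The system test config for this stream also passes `preserve_duplicate_custom_fields`, which is not declared here; if that option is meant to be supported on filestream, it needs a `bool` var in this block (default `false`, `show_user: false`) matching the other streams, which are outside this hunk.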
diff --git a/packages/cisco_ise/data_stream/log/sample_event.json b/packages/cisco_ise/data_stream/log/sample_event.json
index 6afac451a23..7e470891c43 100644
--- a/packages/cisco_ise/data_stream/log/sample_event.json
+++ b/packages/cisco_ise/data_stream/log/sample_event.json
@@ -1,160 +1,164 @@
{
- "@timestamp": "2020-02-21T19:13:08.328Z",
+ "@timestamp": "2020-04-27T11:11:47.028-08:00",
"agent": {
- "ephemeral_id": "88645c33-21f7-47a1-a1e6-b4a53f32ec43",
- "id": "94011a8e-8b26-4bce-a627-d54316798b52",
+ "ephemeral_id": "86f518cd-51e3-4798-9fa5-e8947dc5d209",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.6.0"
+ "version": "8.9.1"
},
"cisco_ise": {
"log": {
"acct": {
- "request": {
- "flags": "Stop"
+ "authentic": "RADIUS",
+ "session": {
+ "id": "00000000/d4:ca:6d:14:87:3b/20879"
+ },
+ "status": {
+ "type": "Start"
}
},
"acs": {
"session": {
- "id": "ldnnacpsn1/359344348/952729"
+ "id": "hijk.xyz.com/176956368/1092777"
+ }
+ },
+ "airespace": {
+ "wlan": {
+ "id": 1
}
},
- "authen_method": "TacacsPlus",
- "avpair": {
- "priv_lvl": 15,
- "start_time": "2020-03-26T01:17:12.000Z",
- "task_id": "2962",
- "timezone": "GMT"
+ "allowed_protocol": {
+ "matched": {
+ "rule": "Default"
+ }
+ },
+ "called_station": {
+ "id": "00-24-97-69-7a-c0"
+ },
+ "calling_station": {
+ "id": "d4-ca-6d-14-87-3b"
},
"category": {
- "name": "CISE_TACACS_Accounting"
+ "name": "CISE_RADIUS_Accounting"
},
- "cmdset": "[ CmdAV=show mac-address-table \u003ccr\u003e ]",
+ "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772",
"config_version": {
- "id": 1829
+ "id": 33
},
"cpm": {
"session": {
- "id": "81.2.69.144Accounting306034364"
+ "id": "0a222bc0000000d123e111f0"
}
},
- "device": {
- "type": [
- "Device Type#All Device Types#Routers",
- "Device Type#All Device Types#Routers"
- ]
+ "event": {
+ "timestamp": "2014-01-10T07:59:55.000Z"
},
- "ipsec": [
- "IPSEC#Is IPSEC Device",
- "IPSEC#Is IPSEC Device"
- ],
- "location": [
- "Location#All Locations#EMEA",
- "Location#All Locations#EMEA"
- ],
- "message": {
- "code": "3300",
- "description": "Tacacs-Accounting: TACACS+ Accounting with Command",
- "id": "0000000001"
+ "framed": {
+ "ip": "81.2.69.145"
},
- "model": {
- "name": "Unknown"
+ "location": "Location#All Locations#SJC#WNBU",
+ "message": {
+ "code": "3000",
+ "description": "Radius-Accounting: RADIUS Accounting start request",
+ "id": "0000070618"
+ },
+ "nas": {
+ "identifier": "Acme_fe:56:00",
+ "ip": "81.2.69.145",
+ "port": {
+ "number": 13,
+ "type": "Wireless - IEEE 802.11"
+ }
},
"network": {
"device": {
"groups": [
- "Location#All Locations#EMEA",
- "Device Type#All Device Types#Routers",
- "IPSEC#Is IPSEC Device"
+ "Location#All Locations#SJC#WNBU",
+ "Device Type#All Device Types#Wireless#WLC"
],
- "name": "wlnwan1",
- "profile": [
- "Cisco",
- "Cisco"
- ]
+ "name": "WNBU-WLC1"
}
},
- "port": "tty10",
- "privilege": {
- "level": 15
- },
"request": {
- "latency": 1
- },
- "response": {
- "AcctReply-Status": "Success"
+ "latency": 6
},
"segment": {
"number": 0,
- "total": 4
+ "total": 1
},
"selected": {
"access": {
- "service": "Device Admin - TACACS"
+ "service": "Default Network Access"
}
},
- "service": {
- "argument": "shell",
- "name": "Login"
- },
- "software": {
- "version": "Unknown"
- },
"step": [
- "13006",
+ "11004",
+ "11017",
"15049",
"15008",
"15048",
- "13035"
+ "15048",
+ "15048",
+ "15004",
+ "15006",
+ "11005"
],
- "type": "Accounting"
+ "tunnel": {
+ "medium": {
+ "type": "(tag=0) 802"
+ },
+ "private": {
+ "group_id": "(tag=0) 70"
+ },
+ "type": "(tag=0) VLAN"
+ }
}
},
"client": {
- "ip": "81.2.69.144"
+ "ip": "81.2.69.145"
},
"data_stream": {
"dataset": "cisco_ise.log",
"namespace": "ep",
"type": "logs"
},
- "destination": {
- "ip": "81.2.69.144"
- },
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "94011a8e-8b26-4bce-a627-d54316798b52",
- "snapshot": true,
- "version": "8.6.0"
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
+ "snapshot": false,
+ "version": "8.9.1"
},
"event": {
- "action": "tacacs-accounting",
+ "action": "radius-accounting",
"agent_id_status": "verified",
"category": [
"configuration"
],
"dataset": "cisco_ise.log",
- "ingested": "2023-01-13T12:14:37Z",
+ "ingested": "2023-08-29T17:11:24Z",
"kind": "event",
- "sequence": 18415781,
- "timezone": "+00:00",
+ "original": "\u003c182\u003eApr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC",
+ "sequence": 91827141,
+ "timezone": "-08:00",
"type": [
"info"
]
},
"host": {
- "hostname": "cisco-ise-host"
+ "hostname": "hijk.xyz.com"
},
"input": {
- "type": "udp"
+ "type": "filestream"
},
"log": {
- "level": "notice",
- "source": {
- "address": "172.27.0.4:59237"
+ "file": {
+ "path": "/tmp/service_logs/log.log"
},
+ "level": "notice",
+ "offset": 44899,
"syslog": {
"priority": 182,
"severity": {
@@ -162,23 +166,24 @@
}
}
},
- "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }",
+ "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC",
"related": {
"hosts": [
- "cisco-ise-host"
+ "hijk.xyz.com"
],
"ip": [
- "81.2.69.144"
+ "81.2.69.145"
],
"user": [
- "psxvne"
+ "nisehorrrrn"
]
},
"tags": [
+ "preserve_original_event",
"forwarded",
"cisco_ise-log"
],
"user": {
- "name": "psxvne"
+ "name": "nisehorrrrn"
}
}
\ No newline at end of file
diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md
index 12f8bed9608..f68ff3a5c1c 100644
--- a/packages/cisco_ise/docs/README.md
+++ b/packages/cisco_ise/docs/README.md
@@ -35,162 +35,166 @@ An example event for `log` looks as following:
```json
{
- "@timestamp": "2020-02-21T19:13:08.328Z",
+ "@timestamp": "2020-04-27T11:11:47.028-08:00",
"agent": {
- "ephemeral_id": "88645c33-21f7-47a1-a1e6-b4a53f32ec43",
- "id": "94011a8e-8b26-4bce-a627-d54316798b52",
+ "ephemeral_id": "86f518cd-51e3-4798-9fa5-e8947dc5d209",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.6.0"
+ "version": "8.9.1"
},
"cisco_ise": {
"log": {
"acct": {
- "request": {
- "flags": "Stop"
+ "authentic": "RADIUS",
+ "session": {
+ "id": "00000000/d4:ca:6d:14:87:3b/20879"
+ },
+ "status": {
+ "type": "Start"
}
},
"acs": {
"session": {
- "id": "ldnnacpsn1/359344348/952729"
+ "id": "hijk.xyz.com/176956368/1092777"
+ }
+ },
+ "airespace": {
+ "wlan": {
+ "id": 1
+ }
+ },
+ "allowed_protocol": {
+ "matched": {
+ "rule": "Default"
}
},
- "authen_method": "TacacsPlus",
- "avpair": {
- "priv_lvl": 15,
- "start_time": "2020-03-26T01:17:12.000Z",
- "task_id": "2962",
- "timezone": "GMT"
+ "called_station": {
+ "id": "00-24-97-69-7a-c0"
+ },
+ "calling_station": {
+ "id": "d4-ca-6d-14-87-3b"
},
"category": {
- "name": "CISE_TACACS_Accounting"
+ "name": "CISE_RADIUS_Accounting"
},
- "cmdset": "[ CmdAV=show mac-address-table \u003ccr\u003e ]",
+ "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772",
"config_version": {
- "id": 1829
+ "id": 33
},
"cpm": {
"session": {
- "id": "81.2.69.144Accounting306034364"
+ "id": "0a222bc0000000d123e111f0"
}
},
- "device": {
- "type": [
- "Device Type#All Device Types#Routers",
- "Device Type#All Device Types#Routers"
- ]
+ "event": {
+ "timestamp": "2014-01-10T07:59:55.000Z"
},
- "ipsec": [
- "IPSEC#Is IPSEC Device",
- "IPSEC#Is IPSEC Device"
- ],
- "location": [
- "Location#All Locations#EMEA",
- "Location#All Locations#EMEA"
- ],
+ "framed": {
+ "ip": "81.2.69.145"
+ },
+ "location": "Location#All Locations#SJC#WNBU",
"message": {
- "code": "3300",
- "description": "Tacacs-Accounting: TACACS+ Accounting with Command",
- "id": "0000000001"
+ "code": "3000",
+ "description": "Radius-Accounting: RADIUS Accounting start request",
+ "id": "0000070618"
},
- "model": {
- "name": "Unknown"
+ "nas": {
+ "identifier": "Acme_fe:56:00",
+ "ip": "81.2.69.145",
+ "port": {
+ "number": 13,
+ "type": "Wireless - IEEE 802.11"
+ }
},
"network": {
"device": {
"groups": [
- "Location#All Locations#EMEA",
- "Device Type#All Device Types#Routers",
- "IPSEC#Is IPSEC Device"
+ "Location#All Locations#SJC#WNBU",
+ "Device Type#All Device Types#Wireless#WLC"
],
- "name": "wlnwan1",
- "profile": [
- "Cisco",
- "Cisco"
- ]
+ "name": "WNBU-WLC1"
}
},
- "port": "tty10",
- "privilege": {
- "level": 15
- },
"request": {
- "latency": 1
- },
- "response": {
- "AcctReply-Status": "Success"
+ "latency": 6
},
"segment": {
"number": 0,
- "total": 4
+ "total": 1
},
"selected": {
"access": {
- "service": "Device Admin - TACACS"
+ "service": "Default Network Access"
}
},
- "service": {
- "argument": "shell",
- "name": "Login"
- },
- "software": {
- "version": "Unknown"
- },
"step": [
- "13006",
+ "11004",
+ "11017",
"15049",
"15008",
"15048",
- "13035"
+ "15048",
+ "15048",
+ "15004",
+ "15006",
+ "11005"
],
- "type": "Accounting"
+ "tunnel": {
+ "medium": {
+ "type": "(tag=0) 802"
+ },
+ "private": {
+ "group_id": "(tag=0) 70"
+ },
+ "type": "(tag=0) VLAN"
+ }
}
},
"client": {
- "ip": "81.2.69.144"
+ "ip": "81.2.69.145"
},
"data_stream": {
"dataset": "cisco_ise.log",
"namespace": "ep",
"type": "logs"
},
- "destination": {
- "ip": "81.2.69.144"
- },
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "94011a8e-8b26-4bce-a627-d54316798b52",
- "snapshot": true,
- "version": "8.6.0"
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
+ "snapshot": false,
+ "version": "8.9.1"
},
"event": {
- "action": "tacacs-accounting",
+ "action": "radius-accounting",
"agent_id_status": "verified",
"category": [
"configuration"
],
"dataset": "cisco_ise.log",
- "ingested": "2023-01-13T12:14:37Z",
+ "ingested": "2023-08-29T17:11:24Z",
"kind": "event",
- "sequence": 18415781,
- "timezone": "+00:00",
+ "original": "\u003c182\u003eApr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC",
+ "sequence": 91827141,
+ "timezone": "-08:00",
"type": [
"info"
]
},
"host": {
- "hostname": "cisco-ise-host"
+ "hostname": "hijk.xyz.com"
},
"input": {
- "type": "udp"
+ "type": "filestream"
},
"log": {
- "level": "notice",
- "source": {
- "address": "172.27.0.4:59237"
+ "file": {
+ "path": "/tmp/service_logs/log.log"
},
+ "level": "notice",
+ "offset": 44899,
"syslog": {
"priority": 182,
"severity": {
@@ -198,24 +202,25 @@ An example event for `log` looks as following:
}
}
},
- "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }",
+ "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC",
"related": {
"hosts": [
- "cisco-ise-host"
+ "hijk.xyz.com"
],
"ip": [
- "81.2.69.144"
+ "81.2.69.145"
],
"user": [
- "psxvne"
+ "nisehorrrrn"
]
},
"tags": [
+ "preserve_original_event",
"forwarded",
"cisco_ise-log"
],
"user": {
- "name": "psxvne"
+ "name": "nisehorrrrn"
}
}
```
@@ -434,6 +439,17 @@ An example event for `log` looks as following:
| cisco_ise.log.usecase | | keyword |
| cisco_ise.log.user.type | | keyword |
| cisco_ise.log.workflow | | flattened |
+| client.geo.city_name | City name. | keyword |
+| client.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| client.geo.continent_name | Name of the continent. | keyword |
+| client.geo.country_iso_code | Country ISO code. | keyword |
+| client.geo.country_name | Country name. | keyword |
+| client.geo.location | Longitude and latitude. | geo_point |
+| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| client.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| client.geo.region_iso_code | Region ISO code. | keyword |
+| client.geo.region_name | Region name. | keyword |
+| client.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| client.ip | IP address of the client (IPv4 or IPv6). | ip |
| client.port | Port of the client. | long |
| client.user.name | Short name or login of the user. | keyword |
@@ -454,13 +470,35 @@ An example event for `log` looks as following:
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.packets | Packets sent from the destination to the source. | long |
| destination.port | Port of the destination. | long |
+| destination.user.name | Short name or login of the user. | keyword |
+| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module. | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
@@ -468,6 +506,17 @@ An example event for `log` looks as following:
| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
| host.ip | Host ip addresses. | ip |
@@ -483,6 +532,7 @@ An example event for `log` looks as following:
| host.os.version | Operating system version as a raw string. | keyword |
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
| log.offset | Log offset | long |
@@ -495,7 +545,31 @@ An example event for `log` looks as following:
| related.ip | All of the IPs seen on your event. | ip |
| related.user | All the user names or other user identifiers seen on the event. | keyword |
| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| source.user.group.name | Name of the group. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
| tags | List of keywords used to tag each event. | keyword |
| user.full_name | User's full name, if available. | keyword |
| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
diff --git a/packages/cisco_ise/kibana/tags.yml b/packages/cisco_ise/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_ise/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml
index ad410853a85..db8e130eb07 100644
--- a/packages/cisco_ise/manifest.yml
+++ b/packages/cisco_ise/manifest.yml
@@ -1,16 +1,15 @@
-format_version: 1.0.0
+format_version: "3.0.0"
name: cisco_ise
title: Cisco ISE
-version: "1.10.0"
-license: basic
+version: "1.15.0"
description: Collect logs from Cisco ISE with Elastic Agent.
type: integration
categories:
- security
- network
-release: ga
conditions:
- kibana.version: ^8.7.1
+ kibana:
+ version: ^8.7.1
screenshots:
- src: /img/cisco-ise-screenshot.png
title: Cisco ISE dashboard screenshot
@@ -95,5 +94,9 @@ policy_templates:
required: true
show_user: true
default: 9026
+ - type: filestream
+ title: Collect Cisco ISE logs using filestream input
+ description: Collecting Cisco ISE logs using filestream input.
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/cisco_meraki/_dev/build/build.yml b/packages/cisco_meraki/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_meraki/_dev/build/build.yml
+++ b/packages/cisco_meraki/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml
index 648c79f6358..044b5d47e48 100644
--- a/packages/cisco_meraki/changelog.yml
+++ b/packages/cisco_meraki/changelog.yml
@@ -1,4 +1,30 @@
# newer versions go on top
+- version: "1.13.0"
+ changes:
+ - description: Handle blocked ARP packet messages.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7771
+ - description: Handle auth event subtype.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7771
+ - description: Handle port event subtype.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7771
+- version: "1.12.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.11.1"
+ changes:
+ - description: Fix flows pipeline according to new Firmware MX18.101.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7391
+- version: "1.11.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.10.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json-expected.json b/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json-expected.json
index c1280f9d04a..222b141a6ae 100644
--- a/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json-expected.json
+++ b/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json-expected.json
@@ -27,7 +27,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cellular came up",
@@ -79,7 +79,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Insight Alert",
@@ -137,7 +137,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Failover event detected",
diff --git a/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml
index b5392d174b5..bc3a058698a 100644
--- a/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing Cisco Meraki events
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: observer.serial_number
copy_from: json.deviceSerial
diff --git a/packages/cisco_meraki/data_stream/events/sample_event.json b/packages/cisco_meraki/data_stream/events/sample_event.json
index 9f07808081c..c644d1d2cfe 100644
--- a/packages/cisco_meraki/data_stream/events/sample_event.json
+++ b/packages/cisco_meraki/data_stream/events/sample_event.json
@@ -37,7 +37,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "878982e9-a174-4ed8-abe3-19378c1473de",
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-airmarshal-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-airmarshal-events.log-expected.json
index b4123c20ebc..522b9da69b0 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-airmarshal-events.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-airmarshal-events.log-expected.json
@@ -14,7 +14,7 @@
"mac": "6A-3A-3E-85-D9-F6"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -61,7 +61,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -108,7 +108,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -156,7 +156,7 @@
"mac": "E2-CB-9C-B5-DD-BE"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -198,7 +198,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -245,7 +245,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -293,7 +293,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -340,7 +340,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -387,7 +387,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -435,7 +435,7 @@
"mac": "AE-17-E8-C7-DF-FD"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -477,7 +477,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -524,7 +524,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -571,7 +571,7 @@
"mac": "6A-3A-3E-85-D9-F6"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -619,7 +619,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -666,7 +666,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -713,7 +713,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -760,7 +760,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -807,7 +807,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -854,7 +854,7 @@
"mac": "78-55-CD-18-8F-76"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -903,7 +903,7 @@
"mac": "78-28-CA-AA-6A-4A"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -945,7 +945,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -992,7 +992,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1040,7 +1040,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1088,7 +1088,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1136,7 +1136,7 @@
"mac": "AE-17-E8-C7-D8-51"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1183,7 +1183,7 @@
"mac": "E2-CB-9C-B5-D4-1E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1231,7 +1231,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1278,7 +1278,7 @@
"mac": "5C-AA-FD-5D-76-0E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1326,7 +1326,7 @@
"mac": "E2-CB-9C-B5-C5-68"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1374,7 +1374,7 @@
"mac": "78-28-CA-AA-6A-0A"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -1416,7 +1416,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1463,7 +1463,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1510,7 +1510,7 @@
"mac": "0E-8D-FB-70-0F-A8"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1557,7 +1557,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1605,7 +1605,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1653,7 +1653,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -1695,7 +1695,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1742,7 +1742,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1789,7 +1789,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1836,7 +1836,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1883,7 +1883,7 @@
"mac": "E2-CB-9C-B5-DC-6E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1930,7 +1930,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -1977,7 +1977,7 @@
"mac": "6A-3A-3E-85-CA-4E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2025,7 +2025,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2072,7 +2072,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2120,7 +2120,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -2163,7 +2163,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -2205,7 +2205,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2252,7 +2252,7 @@
"mac": "6A-3A-3E-85-D7-D4"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2299,7 +2299,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2346,7 +2346,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2393,7 +2393,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2440,7 +2440,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2488,7 +2488,7 @@
"mac": "90-AC-3F-02-31-59"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -2530,7 +2530,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2577,7 +2577,7 @@
"mac": "78-28-CA-AA-6A-4A"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2625,7 +2625,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2672,7 +2672,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2719,7 +2719,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2767,7 +2767,7 @@
"mac": "08-A7-C0-3B-5A-95"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -2809,7 +2809,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2857,7 +2857,7 @@
"mac": "78-28-CA-AA-69-96"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2905,7 +2905,7 @@
"mac": "AE-17-E8-C7-E2-9D"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -2953,7 +2953,7 @@
"mac": "E2-CB-9C-B5-DC-6E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3000,7 +3000,7 @@
"mac": "AE-17-E8-C7-DF-FD"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3047,7 +3047,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3094,7 +3094,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3142,7 +3142,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3189,7 +3189,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3236,7 +3236,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3284,7 +3284,7 @@
"mac": "6E-DA-36-A2-39-71"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -3326,7 +3326,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3373,7 +3373,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3420,7 +3420,7 @@
"mac": "E2-CB-9C-B5-C5-68"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3468,7 +3468,7 @@
"mac": "E2-CB-9C-B5-C5-68"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3516,7 +3516,7 @@
"mac": "E2-CB-9C-B5-C5-68"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3565,7 +3565,7 @@
"mac": "78-28-CA-AA-6A-4A"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -3607,7 +3607,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3654,7 +3654,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3701,7 +3701,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3748,7 +3748,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3795,7 +3795,7 @@
"mac": "E2-CB-9C-B5-C5-68"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3842,7 +3842,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3889,7 +3889,7 @@
"mac": "5C-AA-FD-5D-76-0E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3937,7 +3937,7 @@
"mac": "E2-CB-9C-B5-DC-6E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -3984,7 +3984,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4031,7 +4031,7 @@
"mac": "E2-CB-9C-B5-DA-7A"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4079,7 +4079,7 @@
"mac": "E2-CB-9C-B5-DA-7A"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4127,7 +4127,7 @@
"mac": "6A-3A-3E-85-D7-D4"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4175,7 +4175,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4223,7 +4223,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4270,7 +4270,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4317,7 +4317,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4364,7 +4364,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4412,7 +4412,7 @@
"mac": "AE-17-E8-C7-DF-FD"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -4454,7 +4454,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4501,7 +4501,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4549,7 +4549,7 @@
"mac": "78-28-CA-AA-6A-0A"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -4591,7 +4591,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4638,7 +4638,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4686,7 +4686,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4734,7 +4734,7 @@
"mac": "EE-CE-D5-6A-B6-22"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -4776,7 +4776,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4823,7 +4823,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4870,7 +4870,7 @@
"mac": "6A-3A-3E-85-D7-D4"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -4919,7 +4919,7 @@
"mac": "AE-17-E8-C7-E1-41"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -4961,7 +4961,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5009,7 +5009,7 @@
"mac": "78-28-CA-AA-69-96"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -5051,7 +5051,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5098,7 +5098,7 @@
"mac": "E2-CB-9C-B5-D7-80"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5145,7 +5145,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5192,7 +5192,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5239,7 +5239,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5286,7 +5286,7 @@
"mac": "E2-CB-9C-B5-DD-BE"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5333,7 +5333,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5380,7 +5380,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5428,7 +5428,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5475,7 +5475,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5523,7 +5523,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5570,7 +5570,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5617,7 +5617,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5664,7 +5664,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5711,7 +5711,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5758,7 +5758,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5805,7 +5805,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5852,7 +5852,7 @@
"mac": "E2-CB-9C-B5-C5-68"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5899,7 +5899,7 @@
"mac": "E2-CB-9C-B5-D8-54"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5946,7 +5946,7 @@
"mac": "6A-3A-3E-85-CA-4E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -5994,7 +5994,7 @@
"mac": "34-8F-27-25-CC-48"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ssid-spoofing-detected",
@@ -6036,7 +6036,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6083,7 +6083,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6130,7 +6130,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6177,7 +6177,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6224,7 +6224,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6271,7 +6271,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6318,7 +6318,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6366,7 +6366,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6413,7 +6413,7 @@
"mac": "E2-CB-9C-B5-DD-BE"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6460,7 +6460,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6507,7 +6507,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6554,7 +6554,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6601,7 +6601,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6649,7 +6649,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6696,7 +6696,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6743,7 +6743,7 @@
"mac": "6A-3A-3E-85-CA-4E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6790,7 +6790,7 @@
"mac": "AE-17-E8-C7-DF-FD"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6837,7 +6837,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6884,7 +6884,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6931,7 +6931,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -6978,7 +6978,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7025,7 +7025,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7072,7 +7072,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7120,7 +7120,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7168,7 +7168,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7216,7 +7216,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7264,7 +7264,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7311,7 +7311,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7358,7 +7358,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7405,7 +7405,7 @@
"mac": "AE-17-E8-C7-D8-51"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7452,7 +7452,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7499,7 +7499,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7546,7 +7546,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7594,7 +7594,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7642,7 +7642,7 @@
"mac": "E2-CB-9C-B5-D4-1E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7689,7 +7689,7 @@
"mac": "AE-17-E8-C7-DF-FD"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7736,7 +7736,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7783,7 +7783,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7830,7 +7830,7 @@
"mac": "38-BA-F8-CC-82-2E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7878,7 +7878,7 @@
"mac": "38-BA-F8-CC-82-2E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7926,7 +7926,7 @@
"mac": "38-BA-F8-CC-82-2E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -7974,7 +7974,7 @@
"mac": "E2-CB-9C-B5-D8-54"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -8022,7 +8022,7 @@
"mac": "E2-CB-9C-B5-D8-54"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -8069,7 +8069,7 @@
"mac": "E2-CB-9C-B5-D8-54"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -8117,7 +8117,7 @@
"mac": "FF-FF-FF-FF-FF-FF"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
@@ -8164,7 +8164,7 @@
"mac": "E2-CB-9C-B5-DC-6E"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "rogue-ssid-detected",
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
index 1baeaa6cbba..4abf54d8cbd 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
@@ -21,3 +21,9 @@
<134>1 1639132875.360638431 1_2_AP_4 events type=disassociation radio='1' vap='1' client_mac='36:E7:E9:AE:04:3D' channel='132' reason='8' apple_da_reason='7' instigator='2' duration='40.260521941' auth_neg_dur='0.024206187' last_auth_ago='40.229666962' is_wpa='1' full_conn='0.477861916' ip_resp='1.005954707' ip_src='10.68.128.113' http_resp='0.477861916' arp_resp='0.179876562' arp_src='10.68.128.113' dns_server='10.128.128.128' dns_req_rtt='0.095675854' dns_resp='0.416596437' dhcp_lease_completed='0.182086020' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:49:F7:26' dhcp_resp='0.182086020' aid='1750957891'
<134>1 1639132903.129587239 LG2_AP_01 events type=disassociation radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' channel='36' reason='8' apple_da_reason='7' instigator='2' duration='27.641499140' auth_neg_dur='0.008153688' last_auth_ago='27.627178619' is_wpa='1' full_conn='0.395120958' ip_resp='0.520431812' ip_src='10.72.66.49' http_resp='0.395120958' arp_resp='0.132684875' arp_src='10.72.66.49' dns_server='10.128.128.128' dns_req_rtt='0.121687' dns_resp='0.335365542' dhcp_lease_completed='0.133589958' dhcp_server='10.128.128.128' dhcp_server_mac='F8:9E:28:70:1A:7C' dhcp_resp='0.133589958' aid='1899362895'
<134>1 1639132917.085087788 LG2_AP_01 events type=wpa_auth radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' aid='1546367691'
+<134>1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123
+<134>1 1694519069.914814259 TCP9001 events Port 4 changed STP role from designated to disabled
+<134>1 1694519069.912939179 TCP9001 events port 4 status changed from 100fdx to down
+<134>1 1694519040.863533579 TCP9001 events Port 1 changed STP role from disabled to designated
+<134>1 1694519040.862946339 TCP9001 events port 1 status changed from down to 100fdx
+<134>1 1694519007.104885873 TCP9001 events Auth failure resets to success
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
index 7b0d8bfd2a5..fe49c8f09ee 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
@@ -12,7 +12,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dynamic-frequency-selection-detected",
@@ -53,7 +53,7 @@
"mac": "E5-A4-98-71-9A-FE"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-wpa-failed-auth-or-deauth",
@@ -95,7 +95,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-wpa-authentication",
@@ -151,7 +151,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-disassociation-request",
@@ -195,7 +195,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-association-request",
@@ -232,7 +232,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "site-to-site-vpn",
@@ -268,7 +268,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "site-to-site-vpn",
@@ -310,7 +310,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "vpn-connectivity-change",
@@ -348,7 +348,7 @@
"mac": "E0-CB-BC-02-4F-80"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dhcp-offer",
@@ -386,7 +386,7 @@
"mac": "A4-83-E7-02-A2-F1"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dhcp-no-offer",
@@ -433,7 +433,7 @@
"ip": "81.2.69.193"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "site-to-site-vpn",
@@ -497,7 +497,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-disassociation-request",
@@ -539,7 +539,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "association-rejected-for-load-balancing",
@@ -581,7 +581,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-association-request",
@@ -623,7 +623,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-wpa-authentication",
@@ -664,7 +664,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -715,7 +715,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -770,7 +770,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-association-request",
@@ -813,7 +813,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-8021x-auth",
@@ -856,7 +856,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "8021x_auth",
@@ -916,7 +916,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-disassociation-request",
@@ -979,7 +979,7 @@
"event_type": "events"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-disassociation-request",
@@ -1021,7 +1021,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "wifi-wpa-authentication",
@@ -1048,6 +1048,214 @@
"forwarded",
"preserve_original_event"
]
+ },
+ {
+ "@timestamp": "2021-12-10T10:40:51.416Z",
+ "cisco_meraki": {
+ "event_subtype": "arp_blocked",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "arp_blocked",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001",
+ "ingress": {
+ "vlan": {
+ "id": "123"
+ }
+ }
+ },
+ "source": {
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "mac": "AB-01-02-03-04-05"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:44:29.914Z",
+ "cisco_meraki": {
+ "event_subtype": "port_changed_stp_role",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "port_changed_stp_role",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519069.914814259 TCP9001 events Port 4 changed STP role from designated to disabled",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:44:29.912Z",
+ "cisco_meraki": {
+ "event_subtype": "port_status_changed",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "port_status_changed",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519069.912939179 TCP9001 events port 4 status changed from 100fdx to down",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:44:00.863Z",
+ "cisco_meraki": {
+ "event_subtype": "port_changed_stp_role",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "port_changed_stp_role",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519040.863533579 TCP9001 events Port 1 changed STP role from disabled to designated",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:44:00.862Z",
+ "cisco_meraki": {
+ "event_subtype": "port_status_changed",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "port_status_changed",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519040.862946339 TCP9001 events port 1 status changed from down to 100fdx",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:43:27.104Z",
+ "cisco_meraki": {
+ "event_subtype": "auth",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "auth",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519007.104885873 TCP9001 events Auth failure resets to success",
+ "type": [
+ "info"
+ ]
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
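Review bot: The last added document (`"event_subtype": "auth"`, produced from the `Auth failure resets to success` line) has no `log.syslog.priority` block, while each of the five sibling documents added above carries `"log": {"syslog": {"priority": 134}}` for the same `<134>` header; this looks like the pipeline branch matching that message never sets the priority, so the generated expectation should be checked against the pipeline rather than committed as-is. The `arp_blocked` document records a blocked packet as `"type": ["info"]`; for detection rules keyed on ECS outcome the conventional value is `"type": ["denied"]` next to `"category": ["network"]`, and the `auth` event would presumably fit `"category": ["authentication"]` better than `network`, though the exact Meraki meaning of that message is not visible here. The port and STP documents keep the port number (`Port 4`), the role transition and the link state (`100fdx` to `down`) only inside `event.original`, so none of it is queryable; consider extracting at least the port into a `cisco_meraki.*` field if switch-port monitoring is an intended use of this data stream.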
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log
index 8fede9d97a1..bf6da87e3d4 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log
@@ -11,3 +11,7 @@
<134>1 1674604848.429996761 MX84 flows src=10.10.10.11 dst=172.16.12.23 mac=9C:7B:EF:A9:6C:D8 protocol=udp sport=64138 dport=3289 pattern: deny (src 10.10.0.0/16)
<134>1 1674604848.429996761 MX84 flows src=10.241.192.11 dst=10.8.2.6 mac=9C:7B:EF:A5:9C:9B protocol=tcp sport=54791 dport=80 pattern: deny all
<134>1 1674604848.429996761 MX84 flows src=192.168.201.81 dst=10.8.2.4 mac=B4:6B:FC:6A:E0:5A protocol=udp sport=60288 dport=53 pattern: allow all
+<134>1 948136486.721741837 MX60 firewall src=10.10.10.11 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all
+<134>1 948136486.721741837 MX60 vpn_firewall src=10.241.192.1 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all
+<134>1 948136486.721741837 MX60 cellular_firewall src=10.10.10.11 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all
+<134>1 948136486.721741837 MX60 bridge_anyconnect_client_vpn_firewall src=10.241.192.1 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all
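Review bot: All four new fixture lines exercise only `pattern: allow all`, so the deny branch for the new `firewall`, `vpn_firewall`, `cellular_firewall` and `bridge_anyconnect_client_vpn_firewall` event types is never tested, even though the existing `flows` lines above include `pattern: deny (src 10.10.0.0/16)` and `pattern: deny all`. Add at least one denied sample for the new types, e.g. `<134>1 948136486.721741837 MX60 vpn_firewall src=10.241.192.1 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=tcp sport=9562 dport=445 pattern: deny all`, so a regression in the `firewall.action`/`firewall.rule` mapping for blocked traffic is caught. The four lines otherwise differ only in the type token and source IP, which is what leaves the deny path as the one unexercised branch.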
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log-expected.json
index 7e1ea97f363..e4cc2a093b5 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-flows.log-expected.json
@@ -14,7 +14,7 @@
"port": 15600
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "layer3-firewall-allowed-flow",
@@ -73,7 +73,7 @@
"port": 44210
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ip-session-initiated",
@@ -131,7 +131,7 @@
"port": 15500
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "layer3-firewall-allowed-flow",
@@ -174,7 +174,7 @@
"ip": "ff02::1:ffb6:a227"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "layer3-firewall-allowed-flow",
@@ -216,7 +216,7 @@
"ip": "224.0.0.2"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "layer3-firewall-allowed-flow",
@@ -270,7 +270,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "layer3-firewall-allowed-flow",
@@ -314,7 +314,7 @@
"port": 138
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ip-session-initiated",
@@ -373,7 +373,7 @@
"port": 9998
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ip-session-initiated",
@@ -417,7 +417,7 @@
"ip": "172.28.1.14"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ip-session-initiated",
@@ -475,7 +475,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ip-session-initiated",
@@ -520,7 +520,7 @@
"port": 3289
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ip-session-initiated",
@@ -565,7 +565,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ip-session-initiated",
@@ -610,7 +610,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ip-session-initiated",
@@ -639,6 +639,186 @@
"forwarded",
"preserve_original_event"
]
+ },
+ {
+ "@timestamp": "2000-01-17T19:14:46.721Z",
+ "cisco_meraki": {
+ "event_subtype": "ip_session_initiated",
+ "event_type": "firewall",
+ "firewall": {
+ "action": "allow",
+ "rule": "all"
+ }
+ },
+ "destination": {
+ "ip": "10.241.77.255",
+ "port": 53
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "ip-session-initiated",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 948136486.721741837 MX60 firewall src=10.10.10.11 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all",
+ "type": [
+ "info",
+ "access",
+ "start"
+ ]
+ },
+ "network": {
+ "protocol": "udp"
+ },
+ "observer": {
+ "hostname": "MX60"
+ },
+ "source": {
+ "ip": "10.10.10.11",
+ "mac": "24-2F-FA-1E-B7-E6",
+ "port": 9562
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2000-01-17T19:14:46.721Z",
+ "cisco_meraki": {
+ "event_subtype": "ip_session_initiated",
+ "event_type": "vpn_firewall",
+ "firewall": {
+ "action": "allow",
+ "rule": "all"
+ }
+ },
+ "destination": {
+ "ip": "10.241.77.255",
+ "port": 53
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "ip-session-initiated",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 948136486.721741837 MX60 vpn_firewall src=10.241.192.1 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all",
+ "type": [
+ "info",
+ "access",
+ "start"
+ ]
+ },
+ "network": {
+ "protocol": "udp"
+ },
+ "observer": {
+ "hostname": "MX60"
+ },
+ "source": {
+ "ip": "10.241.192.1",
+ "mac": "24-2F-FA-1E-B7-E6",
+ "port": 9562
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2000-01-17T19:14:46.721Z",
+ "cisco_meraki": {
+ "event_subtype": "ip_session_initiated",
+ "event_type": "cellular_firewall",
+ "firewall": {
+ "action": "allow",
+ "rule": "all"
+ }
+ },
+ "destination": {
+ "ip": "10.241.77.255",
+ "port": 53
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "ip-session-initiated",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 948136486.721741837 MX60 cellular_firewall src=10.10.10.11 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all",
+ "type": [
+ "info",
+ "access",
+ "start"
+ ]
+ },
+ "network": {
+ "protocol": "udp"
+ },
+ "observer": {
+ "hostname": "MX60"
+ },
+ "source": {
+ "ip": "10.10.10.11",
+ "mac": "24-2F-FA-1E-B7-E6",
+ "port": 9562
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2000-01-17T19:14:46.721Z",
+ "cisco_meraki": {
+ "event_subtype": "ip_session_initiated",
+ "event_type": "bridge_anyconnect_client_vpn_firewall",
+ "firewall": {
+ "action": "allow",
+ "rule": "all"
+ }
+ },
+ "destination": {
+ "ip": "10.241.77.255",
+ "port": 53
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "ip-session-initiated",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 948136486.721741837 MX60 bridge_anyconnect_client_vpn_firewall src=10.241.192.1 dst=10.241.77.255 mac=24:2F:FA:1E:B7:E6 protocol=udp sport=9562 dport=53 pattern: allow all",
+ "type": [
+ "info",
+ "access",
+ "start"
+ ]
+ },
+ "network": {
+ "protocol": "udp"
+ },
+ "observer": {
+ "hostname": "MX60"
+ },
+ "source": {
+ "ip": "10.241.192.1",
+ "mac": "24-2F-FA-1E-B7-E6",
+ "port": 9562
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-ip-flow.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-ip-flow.log-expected.json
index 1959c1c807f..dec9dad26db 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-ip-flow.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-ip-flow.log-expected.json
@@ -22,7 +22,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -76,7 +76,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -130,7 +130,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -190,7 +190,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -259,7 +259,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -307,7 +307,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -376,7 +376,7 @@
"port": 53
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -424,7 +424,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-security-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-security-events.log-expected.json
index 6239441a46c..eb038ab7354 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-security-events.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-security-events.log-expected.json
@@ -17,7 +17,7 @@
"port": 56391
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ids-signature-matched",
@@ -93,7 +93,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "malicious-file-actioned",
@@ -143,7 +143,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "issued-retrospective-malicious-disposition",
@@ -188,7 +188,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ids-signature-matched",
@@ -246,7 +246,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ids-signature-matched",
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json
index 60c5fc56526..a95e73cdfc0 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json
@@ -32,7 +32,7 @@
"port": 80
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "http-access-error",
@@ -98,7 +98,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "http-access",
@@ -164,7 +164,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "http-access",
diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 210937231f1..660729767f3 100644
--- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Cisco Meraki syslog
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
@@ -32,7 +32,7 @@ processors:
value: 'failed to parse time field ({{{ _temp.ts_nano }}}): {{{ _ingest.on_failure_message }}}'
- pipeline:
name: '{{ IngestPipeline "flows" }}'
- if: ctx.cisco_meraki.event_type == 'flows'
+ if: "['flows', 'firewall', 'vpn_firewall', 'cellular_firewall', 'bridge_anyconnect_client_vpn_firewall'].contains(ctx.cisco_meraki.event_type)"
- pipeline:
name: '{{ IngestPipeline "ipflows" }}'
if: ctx.cisco_meraki.event_type == 'ip_flow_start' || ctx.cisco_meraki.event_type == 'ip_flow_end'
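Review bot: The new condition hard-codes the same five event types that `flows.yml` declares in its `TYPE` pattern definition, so the two lists must be edited together and a mismatch routes an event into a grok that cannot match it; a comment on this line such as `# keep in sync with TYPE in flows.yml` would make the coupling visible. The expression also still dereferences `ctx.cisco_meraki.event_type` without a null-safe accessor, as the old one did; if any earlier processor can leave `cisco_meraki` unset, `['flows', 'firewall', 'vpn_firewall', 'cellular_firewall', 'bridge_anyconnect_client_vpn_firewall'].contains(ctx.cisco_meraki?.event_type)` avoids a script exception at no cost. The grok that populates `cisco_meraki.event_type` is outside this hunk, so I cannot confirm whether that path exists.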
diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
index 9ab57e85444..afd2e407494 100644
--- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
+++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
@@ -11,11 +11,23 @@ processors:
- set:
field: cisco_meraki.event_subtype
value: 'Site-to-Site VPN'
- if: ctx?.msgtype.toLowerCase() == "site-to-site"
+ if: ctx.msgtype.toLowerCase() == "site-to-site"
- set:
field: cisco_meraki.event_subtype
value: client_vpn_connect
- if: ctx?.msgtype.toLowerCase() == "client_vpn_connect"
+ if: ctx.msgtype.toLowerCase() == "client_vpn_connect"
+- set:
+ field: cisco_meraki.event_subtype
+ value: blocked
+ if: ctx.msgtype.toLowerCase() == "blocked"
+- set:
+ field: cisco_meraki.event_subtype
+ value: auth
+ if: ctx.msgtype.toLowerCase() == "auth"
+- set:
+ field: cisco_meraki.event_subtype
+ value: port
+ if: ctx.msgtype.toLowerCase() == "port"
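Review bot: Dropping `?.` after `ctx` does not make these conditions null-safe, because `ctx` itself is never null; the call that can throw is `.toLowerCase()` on a missing `msgtype`, and the three new `set` processors for `blocked`, `auth` and `port` carry the same unguarded call. `ctx.msgtype?.toLowerCase() == "blocked"` (and likewise for the other four conditions) would skip the processor instead of failing the whole document. If the grok that extracts `msgtype` always runs before this point and the pipeline never reaches these processors without it, this is moot, but that processor is outside the hunk.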
####################################################
# log event with type= format
# these are dfs_event, association, disassocation,
@@ -73,6 +85,60 @@ processors:
WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "Site-to-Site VPN"
+####################################################
+# Handle Blocked ARP
+####################################################
+- grok:
+ field: event.original
+ patterns:
+ - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id}$'
+ pattern_definitions:
+ SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
+ SYSLOGVER: '\b(?:\d{1,2})\b'
+ SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
+ WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
+ BLOCKEDARP: 'Blocked ARP Packet'
+ if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "blocked"
+- gsub:
+ field: source.mac
+ pattern: '[:.]'
+ replacement: '-'
+ ignore_missing: true
+- uppercase:
+ field: source.mac
+ ignore_missing: true
+- set:
+ field: cisco_meraki.event_subtype
+ value: arp_blocked
+ if: ctx._temp?.blocked_arp != null
+
+####################################################
+# Handle Ports
+####################################################
+- grok:
+ field: event.original
+ patterns:
+ - '(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}port %{NOTSPACE} %{PORTACTION:_temp.port_action}'
+ pattern_definitions:
+ SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
+ SYSLOGVER: '\b(?:\d{1,2})\b'
+ SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
+ WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
+ PORTACTION: '(?:changed stp role|status changed)'
+ if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "port"
+- gsub:
+ field: _temp.port_action
+ pattern: ' '
+ replacement: '_'
+ ignore_missing: true
+- lowercase:
+ field: _temp.port_action
+ ignore_missing: true
+- set:
+ field: cisco_meraki.event_subtype
+ value: 'port_{{{_temp.port_action}}}'
+ if: ctx._temp?.port_action != null
+
####################################################
# Handle dfs_event, wpa_auth, wpa_deauth,
# association or disassociation
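Review bot: Both new grok processors run without `ignore_failure` or an `on_failure` handler, so a `blocked` message that is not exactly `Blocked ARP Packet from <mac> with IP <ip> on <word> <rest>`, or a `port` message whose action is not one of the two in `PORTACTION`, aborts parsing of the whole document rather than leaving it with the generic subtype; if that is intended a comment saying so would help, otherwise `ignore_failure: true` on each grok keeps unknown variants flowing. The ARP pattern ends in `%{GREEDYDATA:observer.ingress.vlan.id}$`, which captures anything after the VLAN word into an identifier field; `%{NOTSPACE:observer.ingress.vlan.id}` is the safer shape, though I cannot confirm the exact Meraki message text from here. The port pattern discards the port identifier with `port %{NOTSPACE}`, while `observer.ingress.interface.name` is already declared for this data stream and would be a natural place to keep it. Both processors stash data under `_temp`, so a later `remove` of that field is assumed; it is outside the hunk.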
diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/flows.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/flows.yml
index 9ce32174526..80017cae929 100644
--- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/flows.yml
+++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/flows.yml
@@ -4,7 +4,9 @@ processors:
- grok:
field: event.original
patterns:
- - "flows( %{NOTSPACE:cisco_meraki.flows.op})? src=%{IP:source.ip:ip} dst=%{IP:destination.ip:ip}( mac=%{MAC:source.mac})? protocol=%{NOTSPACE:network.protocol}( type=%{NOTSPACE})?( sport=%{NONNEGINT:source.port:long})?( dport=%{NONNEGINT:destination.port:long})?( pattern: %{GREEDYDATA:cisco_meraki.firewall.pattern})?"
+ - "%{TYPE}( %{NOTSPACE:cisco_meraki.flows.op})? src=%{IP:source.ip:ip} dst=%{IP:destination.ip:ip}( mac=%{MAC:source.mac})? protocol=%{NOTSPACE:network.protocol}( type=%{NOTSPACE})?( sport=%{NONNEGINT:source.port:long})?( dport=%{NONNEGINT:destination.port:long})?( pattern: %{GREEDYDATA:cisco_meraki.firewall.pattern})?"
+ pattern_definitions:
+ TYPE: 'flows|firewall|vpn_firewall|cellular_firewall|bridge_anyconnect_client_vpn_firewall'
- grok:
field: cisco_meraki.firewall.pattern
patterns:
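Review bot: The `TYPE` pattern definition repeats the event-type list that `default.yml` uses to route into this pipeline, so adding another firewall type requires editing both files and a missed update makes the grok fail on an event that was deliberately routed here. A comment on the definition such as `# must mirror the event_type list in default.yml` would at least flag the coupling, or the definition could be generalized to `TYPE: 'flows|(?:[a-z_]+_)?firewall'` so new `*_firewall` variants only need the routing change. The rest of this grok processor, including any failure handling, is outside the hunk.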
diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
index 2e4f83a1d9e..e8ce1e59a77 100644
--- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
@@ -146,6 +146,8 @@
name: observer.egress.interface.name
- external: ecs
name: observer.ingress.interface.name
+- external: ecs
+ name: observer.ingress.vlan.id
- external: ecs
name: observer.product
- external: ecs
diff --git a/packages/cisco_meraki/data_stream/log/sample_event.json b/packages/cisco_meraki/data_stream/log/sample_event.json
index 78c08c5facb..fd5c46dc587 100644
--- a/packages/cisco_meraki/data_stream/log/sample_event.json
+++ b/packages/cisco_meraki/data_stream/log/sample_event.json
@@ -27,7 +27,7 @@
"port": 56391
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "878982e9-a174-4ed8-abe3-19378c1473de",
diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md
index b2de1a69304..a9d90d3d9b6 100644
--- a/packages/cisco_meraki/docs/README.md
+++ b/packages/cisco_meraki/docs/README.md
@@ -213,6 +213,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
| observer.egress.interface.name | Interface name as reported by the system. | keyword |
| observer.hostname | Hostname of the observer. | keyword |
| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
| observer.product | The product name of the observer. | keyword |
| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
@@ -323,7 +324,7 @@ An example event for `log` looks as following:
"port": 56391
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "878982e9-a174-4ed8-abe3-19378c1473de",
@@ -658,7 +659,7 @@ An example event for `events` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "878982e9-a174-4ed8-abe3-19378c1473de",
diff --git a/packages/cisco_meraki/kibana/tags.yml b/packages/cisco_meraki/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_meraki/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml
index e0c653f63e5..b22dcf2193b 100644
--- a/packages/cisco_meraki/manifest.yml
+++ b/packages/cisco_meraki/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.7.0
+format_version: 2.11.0
name: cisco_meraki
title: Cisco Meraki
-version: "1.10.0"
+version: "1.13.0"
description: Collect logs from Cisco Meraki with Elastic Agent.
type: integration
categories:
diff --git a/packages/cisco_nexus/_dev/build/build.yml b/packages/cisco_nexus/_dev/build/build.yml
index 84034dcea1e..c1af686e524 100644
--- a/packages/cisco_nexus/_dev/build/build.yml
+++ b/packages/cisco_nexus/_dev/build/build.yml
@@ -1,4 +1,4 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
import_mappings: true
diff --git a/packages/cisco_nexus/changelog.yml b/packages/cisco_nexus/changelog.yml
index dd11b374a1a..38cfc47f31d 100644
--- a/packages/cisco_nexus/changelog.yml
+++ b/packages/cisco_nexus/changelog.yml
@@ -1,4 +1,24 @@
# newer versions go on top
+- version: 0.17.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "0.16.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "0.15.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "0.14.2"
+ changes:
+ - description: Remove confusing error message tag prefix.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7105
- version: "0.14.1"
changes:
- description: Add support for new log format.
diff --git a/packages/cisco_nexus/data_stream/log/_dev/test/pipeline/test-nexus.log-expected.json b/packages/cisco_nexus/data_stream/log/_dev/test/pipeline/test-nexus.log-expected.json
index 954474ad1d7..05d99768950 100644
--- a/packages/cisco_nexus/data_stream/log/_dev/test/pipeline/test-nexus.log-expected.json
+++ b/packages/cisco_nexus/data_stream/log/_dev/test/pipeline/test-nexus.log-expected.json
@@ -11,7 +11,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -50,7 +50,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -102,7 +102,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -151,7 +151,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -199,7 +199,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -261,7 +261,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -318,7 +318,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -362,7 +362,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -416,7 +416,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -467,7 +467,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -516,7 +516,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "SYSTEM_MSG",
@@ -578,7 +578,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -636,7 +636,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -681,7 +681,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -736,7 +736,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -788,7 +788,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -838,7 +838,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -909,7 +909,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -969,7 +969,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -1016,7 +1016,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1073,7 +1073,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1125,7 +1125,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -1171,7 +1171,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1250,7 +1250,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1308,7 +1308,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -1348,7 +1348,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1417,7 +1417,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1465,7 +1465,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -1499,7 +1499,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1546,7 +1546,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "DETECT_MULTIPLE_PEERS",
@@ -1586,7 +1586,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -1632,7 +1632,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1707,7 +1707,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1765,7 +1765,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -1807,7 +1807,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "SYSTEM_MSG",
@@ -1864,7 +1864,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1921,7 +1921,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -1973,7 +1973,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "CFGWRITE_STARTED",
@@ -2030,7 +2030,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "CFGWRITE_DONE",
@@ -2079,7 +2079,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2160,7 +2160,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2221,7 +2221,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "SYSLOG_SL_MSG_WARNING",
@@ -2287,7 +2287,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2346,7 +2346,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2407,7 +2407,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2458,7 +2458,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "SYSTEM_MSG",
@@ -2501,7 +2501,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "SYSTEM_MSG",
@@ -2559,7 +2559,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2618,7 +2618,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2674,7 +2674,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2735,7 +2735,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2793,7 +2793,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2858,7 +2858,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2917,7 +2917,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -2984,7 +2984,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3039,7 +3039,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "SYSTEM_MSG",
@@ -3094,7 +3094,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3145,7 +3145,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3194,7 +3194,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3256,7 +3256,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3310,7 +3310,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "TACACS_WARNING",
@@ -3357,7 +3357,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "TACACS_WARNING",
@@ -3412,7 +3412,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3466,7 +3466,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3530,7 +3530,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3585,7 +3585,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3660,7 +3660,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "LOGOUT",
@@ -3727,7 +3727,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3792,7 +3792,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3850,7 +3850,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3904,7 +3904,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -3974,7 +3974,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"code": "LOGOUT_C6K",
diff --git a/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index a6e16785909..87503af75f1 100644
--- a/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for processing Cisco Nexus logs.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
tag: 'set_ecs_version'
- set:
field: observer.vendor
@@ -45,7 +45,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
field: _conf.tz_offset
target_field: event.timezone
@@ -67,7 +67,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
field: temp.syslog_timestamp
target_field: temp.syslog_timestamp
@@ -84,7 +84,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: temp.timestamp
value: '{{{temp.syslog_timestamp}}} {{{cisco_nexus.log.timezone}}}'
@@ -116,7 +116,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
field: temp.timestamp
tag: 'date_set_timestamp_timezone'
@@ -144,7 +144,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
field: temp.timestamp
tag: 'date_set_timestamp_custom'
@@ -178,7 +178,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
field: temp.timestamp
tag: 'date_set_timestamp_timezone_custom'
@@ -213,7 +213,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: log.syslog.priority
copy_from: cisco_nexus.log.priority_number
@@ -279,7 +279,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- script:
lang: painless
description: This script will set log.syslog.facility.code field from priority number and severity.
@@ -291,7 +291,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- trim:
field: cisco_nexus.log.description
tag: 'trim_description'
@@ -361,7 +361,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: event.kind
value: pipeline_error
diff --git a/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml b/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml
index 6b6f26b349f..2d8a3fed2fb 100644
--- a/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml
+++ b/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml
@@ -62,7 +62,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- gsub:
field: source.mac
tag: 'gsub_sourcemac_add_hyphen'
@@ -72,7 +72,7 @@ processors:
on_failure:
- append:
field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- uppercase:
field: source.mac
ignore_missing: true
diff --git a/packages/cisco_nexus/data_stream/log/sample_event.json b/packages/cisco_nexus/data_stream/log/sample_event.json
index 25a00fb2888..b9ace94c988 100644
--- a/packages/cisco_nexus/data_stream/log/sample_event.json
+++ b/packages/cisco_nexus/data_stream/log/sample_event.json
@@ -22,7 +22,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
diff --git a/packages/cisco_nexus/docs/README.md b/packages/cisco_nexus/docs/README.md
index 09196ae63ee..b3cac3e6a1b 100644
--- a/packages/cisco_nexus/docs/README.md
+++ b/packages/cisco_nexus/docs/README.md
@@ -67,7 +67,7 @@ An example event for `log` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
diff --git a/packages/cisco_nexus/kibana/tags.yml b/packages/cisco_nexus/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_nexus/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_nexus/manifest.yml b/packages/cisco_nexus/manifest.yml
index 0ac242c2ac6..129a0e967bf 100644
--- a/packages/cisco_nexus/manifest.yml
+++ b/packages/cisco_nexus/manifest.yml
@@ -1,15 +1,17 @@
-format_version: 2.8.0
+format_version: "3.0.0"
name: cisco_nexus
title: Cisco Nexus
-version: "0.14.1"
+version: "0.17.0"
description: Collect logs from Cisco Nexus with Elastic Agent.
type: integration
categories:
- network
- security
conditions:
- kibana.version: ^8.7.0
- elastic.subscription: basic
+ kibana:
+ version: ^8.7.0
+ elastic:
+ subscription: basic
icons:
- src: /img/cisco.svg
title: cisco
@@ -36,3 +38,4 @@ policy_templates:
description: Collecting logs from Cisco Nexus via file.
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/cisco_secure_email_gateway/_dev/build/build.yml b/packages/cisco_secure_email_gateway/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_secure_email_gateway/_dev/build/build.yml
+++ b/packages/cisco_secure_email_gateway/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_secure_email_gateway/changelog.yml b/packages/cisco_secure_email_gateway/changelog.yml
index b3ced95d9b4..92fd490d112 100644
--- a/packages/cisco_secure_email_gateway/changelog.yml
+++ b/packages/cisco_secure_email_gateway/changelog.yml
@@ -1,4 +1,44 @@
# newer versions go on top
+- version: 1.14.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.13.1"
+ changes:
+ - description: Remove the unused mappings for 'type' and 'filepath'.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7875
+- version: "1.13.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.12.0"
+ changes:
+ - description: Update package-spec to 2.10.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7599
+- version: "1.11.2"
+ changes:
+ - description: Match both Unix and Windows-style paths, correctly.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7572
+- version: "1.11.1"
+ changes:
+ - description: Match both Unix and Windows-style paths
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7452
+- version: "1.11.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.10.1"
+ changes:
+ - description: Fix grok timeout on expensive consolidated events logs.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6879
- version: "1.10.0"
changes:
- description: Convert dashboard to lens.
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log-expected.json
index 43b26919530..97eb12b9bc1 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log-expected.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log-expected.json
@@ -11,7 +11,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
@@ -55,7 +55,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
@@ -110,7 +110,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
@@ -152,7 +152,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
@@ -206,7 +206,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
@@ -253,7 +253,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
@@ -301,7 +301,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
@@ -349,7 +349,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
@@ -391,7 +391,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
@@ -442,7 +442,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"attachments": {
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json
index 49370673eed..bffd861af3c 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json
@@ -14,7 +14,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -46,7 +46,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -79,7 +79,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log
index f17c35dd1d0..d5bb8254c73 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log
@@ -9,4 +9,6 @@
<166>Mar 17 18:24:37 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-023|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=423A4DF759243122B64F-7941F28E57A4 ESAMID=4086421 ESAICID=13956459 ESADCID=2522340 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH endTime=Thu Nov 24 13:39:24 2022 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'image002.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '30bf618599d8784ebcf38769f8b524b40dc20d2ba262a1e4052d24711abcd064'}, 'BodyScanner': {}}, 'image001.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7de9d8514c142887d11821fd30faddc693d192efdd19dfb6459872a1be63dcfa'}, 'BodyScanner': {}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Nov 24 13:39:16 2022 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAMsgSize=716707 ESAOFVerdict=NEGATIVE duser=example.com ESAHeloDomain=example.cisco.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=3.5 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Favorable sourceHostName=example.cisco.com ESASenderGroup=ACCEPTLIST sourceAddress=1.128.3.4 msg='RE: SR 312312 : consolidate event log' ESATLSInCipher=KWLDS-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=HDKWA-RSA-AES256-JMB-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESADaneHost=testdomain.com ESADaneStatus=success ESADHASource=1.128.3.4 ESADMARCVerdict=TempFailure cs5Label=ESAMsgLanguage cs5=English ESAMARAction={'action':'<>';'succesful_rcpts'='<>';'failed_recipients'='<>';'filename'='<>'} ESAMsgTooBigFromSender=true ESARateLimitedIP=1.128.3.4
<166>Apr 03 12:20:40 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.2-020|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=422084EE64B1B0454D49-AAFBF6B55869 ESAMID=164229 ESAICID=62908 ESADCID=47845 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=NO_MATCH endTime=Mon Nov 14 15:40:48 2022 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Mon Nov 14 15:40:47 2022 deviceInboundInterface=IncList deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States ESAMFVerdict=NOT_EVALUATED act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAMsgSize=1411 ESAOFVerdict=NEGATIVE duser=example.com ESAHeloDomain=example.cisco.com ESAHeloIP=1.128.3.4 ESAReplyTo=example.com cfp1Label=SBRSScore cfp1=5.2 ESASDRDomainAge=1 month cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral sourceHostName=example.cisco.com ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg="Demande d'achat Econocom Products and Solutions, ref: SSAY-MEDECIN3"
<14>Jun 12 14:01:33 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235746AE34E6DD44EB8-CE101C994AA5 ESAMID=5181473 ESAICID=17267358 ESADCID=3036000 endTime=Mon Jun 12 14:01:31 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAFriendlyFrom=jean sistin ESAGMVerdict=NEGATIVE startTime=Mon Jun 12 14:01:27 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=jsistin@gmail.com cs1Label=MailPolicy cs1=Test quarantaine utilisateur cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAMsgSize=3078 ESAOFVerdict=NEGATIVE duser=fpenigaud@exaprobe.com ESAHeloDomain=mail-oi1-f182.google.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=3.4 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'jsistin@gmail.com'}} sourceHostName=mail-oi1-f182.google.com ESASenderGroup=ACCEPTLIST sourceAddress=1.128.3.4 msg='test url' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH
-
+<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=E7DEF468022C4EB09683-9A331A42E1F7 ESAMID=54376810 ESAICID=43587623 endTime=Tue Jul 4 06:21:54 2023 ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAAttachmentDetails={'meeting.ics': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '17ae79446b4ec3baf161704831970aac49457d32935c6383c2a45aed136a99df'}, 'BodyScanner': {}}} ESAFriendlyFrom=River ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 16:12:44 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=river@this.example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=New Zealand ESAMFVerdict=MATCH act=DQ ESAFinalActionDetails=Message held temporarily in Delay Quarantine cs4Label=ExternalMsgID cs4='<2403354681.734500.1688449973515.mail.lion@example.com>' ESAMsgSize=18675 ESAOFVerdict=NEGATIVE duser=smith@example.com ESAHeloDomain=vm-lion.dmz ESAHeloIP=89.160.20.128 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'river@this.example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@vm-lion.dmz'}} sourceHostName=company.example.com sourceAddress=89.160.20.128 msg='Accept: Cisco - SOLUTIONS' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=FA_PENDING ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH
+<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=30543A3AB9E54FA8AAC1-FB812C95028D ESAMID=238746 ESAICID=435897324 ESADCID=34809573 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.142 ESAFriendlyFrom=Will ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 15:14:29 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=irobot@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='' ESAMsgSize=12312 ESAOFVerdict=NEGATIVE duser=alfombra@example.com ESAHeloDomain=mail-q6by9-a42.google.com ESAHeloIP=81.2.69.192 cfp1Label=SBRSScore cfp1=2.7 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'irobot@example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@mail-q6by9-a42.google.com'}} sourceHostName=mail-q6by9-a42.google.com ESASenderGroup=ACCEPTLIST sourceAddress=81.2.69.192 msg='IE : Crayons' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH
+<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg=\"Totally not suspicious email subject\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH
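Review bot: The third added sample line looks JSON-escaped rather than raw appliance output: `msg=\"Totally not suspicious email subject\"` carries backslashes before the quotes, whereas the existing line above it in the same fixture uses a plain `msg="Demande d'achat …"`, and `suser=westinghouse-thoreau\\=example.com@example.com` has a doubled backslash where CEF escapes a literal `=` as a single `\=`. The companion expected file copies these characters verbatim into `cisco_secure_email_gateway.log.message` and `email.from.address`, so the test pins the escape artefacts instead of the address the appliance logged (the `ESASPFVerdict` on the same line shows `westinghouse-thoreau=example.com@example.com`). If the doubled escapes are not from a real sample, I would use `msg="Totally not suspicious email subject"` and `suser=westinghouse-thoreau\=example.com@example.com` and regenerate the expected output; if they are genuine, the pipeline should decode CEF `\\` and `\=` before populating `email.from.address`.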
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json
index fecac4e4163..bd7ed38270c 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json
@@ -60,17 +60,21 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"direction": "inbound",
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "1053",
"subject": "Testing",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -163,17 +167,21 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"direction": "inbound",
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "1053",
"subject": "Testing",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -263,16 +271,20 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "153634",
"subject": "[SUSPICIOUS MESSAGE] Everycloud Mailflow Monitor guid: 12312314123",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -354,11 +366,13 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "164226"
},
@@ -448,16 +462,20 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "164230",
"subject": "Everycloud Mailflow Monitor guid: 34214234232",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -552,16 +570,20 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "164229",
"subject": "Everycloud Mailflow Monitor guid: 321514231213",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -656,16 +678,20 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "164231",
"subject": "TEST",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -773,16 +799,20 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "4086421",
"subject": "RE: SR 312312 : consolidate event log",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -901,16 +931,20 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "4086421",
"subject": "RE: SR 312312 : consolidate event log",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -1005,16 +1039,20 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "164229",
"subject": "Demande d'achat Econocom Products and Solutions, ref: SSAY-MEDECIN3",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -1118,16 +1156,20 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "jsistin@gmail.com"
+ "address": [
+ "jsistin@gmail.com"
+ ]
},
"message_id": "5181473",
"subject": "test url",
"to": {
- "address": "fpenigaud@exaprobe.com"
+ "address": [
+ "fpenigaud@exaprobe.com"
+ ]
}
},
"event": {
@@ -1160,12 +1202,315 @@
]
},
{
+ "@timestamp": "2023-07-04T06:21:54.000Z",
+ "cisco_secure_email_gateway": {
+ "log": {
+ "act": "DQ",
+ "appliance": {
+ "product": "C100V Email Security Virtual Appliance",
+ "vendor": "Cisco",
+ "version": "14.3.0-032"
+ },
+ "category": {
+ "name": "consolidated_event"
+ },
+ "cef_format_version": "0",
+ "cfp1_label": "SBRSScore",
+ "cs1": "DEFAULT",
+ "cs1_label": "MailPolicy",
+ "cs2": "New Zealand",
+ "cs2_label": "SenderCountry",
+ "cs3": "N/A",
+ "cs3_label": "SDRThreatCategory",
+ "cs4": "2403354681.734500.1688449973515.mail.lion@example.com",
+ "cs4_label": "ExternalMsgID",
+ "cs6": "Neutral",
+ "cs6_label": "SDRRepScore",
+ "data": {
+ "ip": "81.2.69.144"
+ },
+ "device_direction": "incoming",
+ "esa": {
+ "attachment_details": "{'meeting.ics': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '17ae79446b4ec3baf161704831970aac49457d32935c6383c2a45aed136a99df'}, 'BodyScanner': {}}}",
+ "dlp_verdict": "NOT_EVALUATED",
+ "final_action_details": "Message held temporarily in Delay Quarantine",
+ "friendly_from": "River \u003criver@this.example.com\u003e",
+ "graymail_verdict": "NEGATIVE",
+ "helo": {
+ "domain": "vm-lion.dmz",
+ "ip": "89.160.20.128"
+ },
+ "injection_connection_id": "43587623",
+ "mail_flow_policy": "ACCEPT",
+ "mf_verdict": "MATCH",
+ "msg_size": 18675,
+ "outbreak_filter_verdict": "NEGATIVE",
+ "sdr_consolidated_domain_age": "30 days (or greater)",
+ "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'river@this.example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@vm-lion.dmz'}}"
+ },
+ "event": {
+ "name": "Consolidated Log Event"
+ },
+ "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT",
+ "listener": {
+ "name": "IncomingMail"
+ },
+ "message": "'Accept: Cisco - SOLUTIONS' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=FA_PENDING ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH"
+ }
+ },
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
+ },
+ "email": {
+ "from": {
+ "address": [
+ "river@this.example.com"
+ ]
+ },
+ "message_id": "54376810",
+ "to": {
+ "address": [
+ "smith@example.com"
+ ]
+ }
},
"event": {
+ "end": "Tue Jul 4 06:21:54 2023",
+ "kind": "event",
+ "original": "\u003c14\u003eJul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=E7DEF468022C4EB09683-9A331A42E1F7 ESAMID=54376810 ESAICID=43587623 endTime=Tue Jul 4 06:21:54 2023 ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAAttachmentDetails={'meeting.ics': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '17ae79446b4ec3baf161704831970aac49457d32935c6383c2a45aed136a99df'}, 'BodyScanner': {}}} ESAFriendlyFrom=River \u003criver@this.example.com\u003e ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 16:12:44 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=river@this.example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=New Zealand ESAMFVerdict=MATCH act=DQ ESAFinalActionDetails=Message held temporarily in Delay Quarantine cs4Label=ExternalMsgID cs4='\u003c2403354681.734500.1688449973515.mail.lion@example.com\u003e' ESAMsgSize=18675 ESAOFVerdict=NEGATIVE duser=smith@example.com ESAHeloDomain=vm-lion.dmz ESAHeloIP=89.160.20.128 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'river@this.example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@vm-lion.dmz'}} sourceHostName=company.example.com sourceAddress=89.160.20.128 msg='Accept: Cisco - SOLUTIONS' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=FA_PENDING ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH",
+ "severity": "5",
+ "start": "Tue Jul 4 16:12:44 2023",
"timezone": "UTC"
},
+ "host": {
+ "id": "E7DEF468022C4EB09683-9A331A42E1F7"
+ },
+ "log": {
+ "syslog": {
+ "priority": 14
+ }
+ },
+ "related": {
+ "ip": [
+ "89.160.20.128",
+ "81.2.69.144"
+ ]
+ },
+ "source": {
+ "domain": "company.example.com",
+ "ip": "89.160.20.128"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-04T06:21:54.000Z",
+ "cisco_secure_email_gateway": {
+ "log": {
+ "act": "QUARANTINED",
+ "appliance": {
+ "product": "C100V Email Security Virtual Appliance",
+ "vendor": "Cisco",
+ "version": "14.3.0-032"
+ },
+ "category": {
+ "name": "consolidated_event"
+ },
+ "cef_format_version": "0",
+ "cfp1": 2.7,
+ "cfp1_label": "SBRSScore",
+ "cs1": "DEFAULT",
+ "cs1_label": "MailPolicy",
+ "cs2": "United States",
+ "cs2_label": "SenderCountry",
+ "cs3": "N/A",
+ "cs3_label": "SDRThreatCategory",
+ "cs4": "MDlhMDg0MjY0NmE2OWFkNTZhMzA2NDA0MDVkZWNlZWVlYzI3MjMyYmI5YWJlNDMxM2UxOGVjZTBiNGZmOGZmYSAgLQo@hotmail.com",
+ "cs4_label": "ExternalMsgID",
+ "cs6": "Neutral",
+ "cs6_label": "SDRRepScore",
+ "data": {
+ "ip": "81.2.69.142"
+ },
+ "device_direction": "incoming",
+ "esa": {
+ "delivery_connection_id": "34809573",
+ "dkim_verdict": "pass",
+ "dlp_verdict": "NOT_EVALUATED",
+ "final_action_details": "To SPAM",
+ "friendly_from": "Will \u003cirobot@example.com\u003e",
+ "graymail_verdict": "NEGATIVE",
+ "helo": {
+ "domain": "mail-q6by9-a42.google.com",
+ "ip": "81.2.69.192"
+ },
+ "injection_connection_id": "435897324",
+ "mail_flow_policy": "ACCEPT",
+ "mf_verdict": "MATCH",
+ "msg_size": 12312,
+ "outbreak_filter_verdict": "NEGATIVE",
+ "sdr_consolidated_domain_age": "30 days (or greater)",
+ "sender_group": "ACCEPTLIST",
+ "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'irobot@example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@mail-q6by9-a42.google.com'}}"
+ },
+ "event": {
+ "name": "Consolidated Log Event"
+ },
+ "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT",
+ "listener": {
+ "name": "IncomingMail"
+ },
+ "message": "'IE : Crayons' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "email": {
+ "from": {
+ "address": [
+ "irobot@example.com"
+ ]
+ },
+ "message_id": "238746",
+ "to": {
+ "address": [
+ "alfombra@example.com"
+ ]
+ }
+ },
+ "event": {
+ "end": "Tue Jul 4 06:21:54 2023",
+ "kind": "event",
+ "original": "\u003c14\u003eJul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=30543A3AB9E54FA8AAC1-FB812C95028D ESAMID=238746 ESAICID=435897324 ESADCID=34809573 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.142 ESAFriendlyFrom=Will \u003cirobot@example.com\u003e ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 15:14:29 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=irobot@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='\u003cMDlhMDg0MjY0NmE2OWFkNTZhMzA2NDA0MDVkZWNlZWVlYzI3MjMyYmI5YWJlNDMxM2UxOGVjZTBiNGZmOGZmYSAgLQo@hotmail.com\u003e' ESAMsgSize=12312 ESAOFVerdict=NEGATIVE duser=alfombra@example.com ESAHeloDomain=mail-q6by9-a42.google.com ESAHeloIP=81.2.69.192 cfp1Label=SBRSScore cfp1=2.7 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'irobot@example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@mail-q6by9-a42.google.com'}} sourceHostName=mail-q6by9-a42.google.com ESASenderGroup=ACCEPTLIST sourceAddress=81.2.69.192 msg='IE : Crayons' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH",
+ "severity": "5",
+ "start": "Tue Jul 4 15:14:29 2023",
+ "timezone": "UTC"
+ },
+ "host": {
+ "id": "30543A3AB9E54FA8AAC1-FB812C95028D"
+ },
+ "log": {
+ "syslog": {
+ "priority": 14
+ }
+ },
+ "related": {
+ "ip": [
+ "81.2.69.192",
+ "81.2.69.142"
+ ]
+ },
+ "source": {
+ "domain": "mail-q6by9-a42.google.com",
+ "ip": "81.2.69.192"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-07-04T06:21:54.000Z",
+ "cisco_secure_email_gateway": {
+ "log": {
+ "act": "QUARANTINED",
+ "appliance": {
+ "product": "C100V Email Security Virtual Appliance",
+ "vendor": "Cisco",
+ "version": "14.3.0-032"
+ },
+ "category": {
+ "name": "consolidated_event"
+ },
+ "cef_format_version": "0",
+ "cfp1_label": "SBRSScore",
+ "cs1": "DEFAULT",
+ "cs1_label": "MailPolicy",
+ "cs2": "NZ",
+ "cs2_label": "SenderCountry",
+ "cs3": "N/A",
+ "cs3_label": "SDRThreatCategory",
+ "cs4": "490b2a15fa4742331779cdaa4e@example.com",
+ "cs4_label": "ExternalMsgID",
+ "cs6": "Neutral",
+ "cs6_label": "SDRRepScore",
+ "data": {
+ "ip": "81.2.69.144"
+ },
+ "device_direction": "incoming",
+ "esa": {
+ "delivery_connection_id": "970897",
+ "dkim_verdict": "pass",
+ "dlp_verdict": "NOT_EVALUATED",
+ "final_action_details": "To SPAM",
+ "friendly_from": "Beaches \u003cplayas@example.com\u003e",
+ "graymail_verdict": "NEGATIVE",
+ "helo": {
+ "domain": "example.com",
+ "ip": "89.160.20.112"
+ },
+ "injection_connection_id": "35635425",
+ "mail_flow_policy": "ACCEPT",
+ "mf_verdict": "MATCH",
+ "msg_size": 20668,
+ "outbreak_filter_verdict": "NEGATIVE",
+ "reply_to": "lane@example.com",
+ "sdr_consolidated_domain_age": "30 days (or greater)",
+ "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}}"
+ },
+ "event": {
+ "name": "Consolidated Log Event"
+ },
+ "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT",
+ "listener": {
+ "name": "IncomingMail"
+ },
+ "message": "\\\"Totally not suspicious email subject\\\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH"
+ }
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "email": {
+ "from": {
+ "address": [
+ "westinghouse-thoreau\\\\=example.com@example.com"
+ ]
+ },
+ "message_id": "786324",
+ "to": {
+ "address": [
+ "thoreau@example.com"
+ ]
+ }
+ },
+ "event": {
+ "end": "Tue Jul 4 06:21:54 2023",
+ "kind": "event",
+ "original": "\u003c14\u003eJul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches \u003cplayas@example.com\u003e ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='\u003c490b2a15fa4742331779cdaa4e@example.com\u003e' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg=\\\"Totally not suspicious email subject\\\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH",
+ "severity": "5",
+ "start": "Tue Jul 4 14:42:34 2023",
+ "timezone": "UTC"
+ },
+ "host": {
+ "id": "4FEF3A4372664BCCB404-20EE1767D434"
+ },
+ "log": {
+ "syslog": {
+ "priority": 14
+ }
+ },
+ "related": {
+ "ip": [
+ "89.160.20.112",
+ "81.2.69.144"
+ ]
+ },
+ "source": {
+ "domain": "example.com",
+ "ip": "89.160.20.112"
+ },
"tags": [
"preserve_original_event"
]
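Review bot: The three new expected events have no `email.subject`, and their `cisco_secure_email_gateway.log.message` holds the quoted `msg=` value together with every trailing extension key (`ESATLSInCipher=…` through `ESACFVerdict=…`), while the earlier event in this file whose raw line has `msg='test url'` gets `"subject": "test url"`. That suggests the extension parser stops tokenising on these new lines — possibly around `cfp1=None` or the space-containing `ESAFinalActionDetails` value — and if so, this expected file locks in the parsing gap instead of verifying it; I would confirm the intended output for `msg` and the ESATLS* keys before committing these expectations. Separately, `event.start` and `event.end` are ECS date fields but are emitted here as the appliance's ctime strings such as `"end": "Tue Jul 4 06:21:54 2023"`, which will not index unless the field mapping declares that format — confirm the mapping or add a `date` processor for both fields.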
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json
index 2add7c468c6..cf14aef11d1 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json
@@ -13,7 +13,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -47,7 +47,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json
index b052121da59..5b2726805e9 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json
@@ -13,7 +13,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -44,12 +44,14 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"subject": "'Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...': Unrecoverable error",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -85,12 +87,14 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"subject": "Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -122,12 +126,14 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"subject": "'Critical \u003cSystem\u003e example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0)",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json
index d00d5cf4f5d..8e73ddfe49d 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json
@@ -14,7 +14,7 @@
"ip": "1.128.3.4"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -88,7 +88,7 @@
"ip": "1.128.3.4"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -142,7 +142,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -186,7 +186,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": [
@@ -230,7 +230,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -270,7 +270,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -314,7 +314,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -344,7 +344,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -374,7 +374,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -413,7 +413,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -452,7 +452,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json
index 685e3d91ceb..804e066375b 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json
@@ -96,7 +96,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"message_id": "0"
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json
index cd7041daff6..fd0193a10d1 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json
@@ -12,7 +12,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -57,7 +57,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -87,7 +87,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -117,7 +117,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -147,7 +147,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json
index 62c28e278c0..d477c409695 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json
@@ -15,7 +15,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"message_id": "111"
@@ -48,7 +48,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -80,7 +80,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -109,12 +109,14 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"subject": "\"Warning \u003cSystem\u003e cisco.esa: URL category definitions have changed.; Added new category '...\"",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -153,7 +155,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -191,7 +193,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"message_id": "6"
@@ -223,11 +225,13 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "6"
},
@@ -259,12 +263,14 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"message_id": "6",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -294,11 +300,13 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"from": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
},
"message_id": "6"
},
@@ -330,7 +338,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -362,7 +370,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -401,7 +409,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"message_id": "6"
@@ -435,7 +443,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"message_id": "6"
@@ -468,7 +476,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -498,7 +506,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -527,12 +535,14 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"subject": "Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -563,7 +573,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"kind": "event",
@@ -591,12 +601,14 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"subject": "'Warning \u003cSystem\u003e cisco.esa: Your \"Sophos Anti-Virus\" key will expire in under 60 day(s)....'",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -628,12 +640,14 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"subject": "'Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...': Unrecoverable error",
"to": {
- "address": "example.com"
+ "address": [
+ "example.com"
+ ]
}
},
"event": {
@@ -671,11 +685,13 @@
"port": 0
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"email": {
"to": {
- "address": "example"
+ "address": [
+ "example"
+ ]
}
},
"event": {
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 40bc3b79b60..5aeb744705a 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Cisco Secure Email Gateway logs.
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: _tmp.filepath
value: '{{{log.file.path}}}'
@@ -12,7 +12,7 @@ processors:
field: _tmp.filepath
if: ctx.log?.file?.path != null
patterns:
- - "^%{DATA}/%{WORD:cisco_secure_email_gateway.log.category.name}.@%{GREEDYDATA}.s$"
+ - '^%{DATA}[\\/]%{WORD:cisco_secure_email_gateway.log.category.name}.@%{GREEDYDATA}.s$'
- rename:
field: message
target_field: event.original
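Review bot: The rewritten pattern on the new line still leaves the two literal dots unescaped (`.@` and `.s$`), so they match any character even though the rest of the line was tightened to accept both separators via `[\\/]`. Since the string is now single-quoted, backslashes reach grok untouched, so escaping them the same way is consistent: `- '^%{DATA}[\\/]%{WORD:cisco_secure_email_gateway.log.category.name}\\.@%{GREEDYDATA}\\.s$'`. This assumes `.@` and `.s` are literal parts of the log file name, as the pattern reads; if the dots are intentionally wildcards a short comment above the pattern saying so would prevent the next reader from "fixing" it.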
@@ -109,6 +109,14 @@ processors:
- pipeline:
name: '{{ IngestPipeline "pipeline_consolidated_event" }}'
if: ctx.cisco_secure_email_gateway?.log?.category?.name == 'consolidated_event'
+ - set:
+ field: email.from.address
+ value: ['{{{email.from.address}}}']
+ if: ctx.email?.from?.address instanceof String
+ - set:
+ field: email.to.address
+ value: ['{{{email.to.address}}}']
+ if: ctx.email?.to?.address instanceof String
- remove:
field:
- _tmp
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml
index ebcf2281af9..fc06195d95c 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml
+++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml
@@ -52,23 +52,29 @@ processors:
(?:sourceHostName=%{DATA:source.domain} )?\
(?:ESASenderGroup=%{DATA:cisco_secure_email_gateway.log.esa.sender_group} )?\
(?:sourceAddress=%{IP:source.ip} )?\
- msg=('|\")%{DATA:email.subject}('|\")($|\\s)\
- (?:ESAURLDetails=%{DATA:cisco_secure_email_gateway.log.esa.url_details}($|\\s))?\
+ msg=%{GREEDYDATA:_tmp.msg}$"
+ - ^%{GREEDYDATA:cisco_secure_email_gateway.log.message}$
+ - grok:
+ field: _tmp.msg
+ if: ctx._tmp?.msg != null
+ patterns:
+ - "^['\"]%{DATA:email.subject}['\"](?:$|\\s)\
+ (?:ESAURLDetails=%{DATA:cisco_secure_email_gateway.log.esa.url_details}(?:$|\\s))?\
(?:ESATLSInCipher=%{DATA:cisco_secure_email_gateway.log.esa.tls.in.cipher} )?\
(?:ESATLSInConnStatus=%{WORD:cisco_secure_email_gateway.log.esa.tls.in.connection_status} )?\
(?:ESATLSInProtocol=%{DATA:cisco_secure_email_gateway.log.esa.tls.in.protocol} )?\
(?:ESATLSOutCipher=%{DATA:cisco_secure_email_gateway.log.esa.tls.out.cipher} )?\
(?:ESATLSOutConnStatus=%{WORD:cisco_secure_email_gateway.log.esa.tls.out.connection_status} )?\
- (?:ESATLSOutProtocol=%{DATA:cisco_secure_email_gateway.log.esa.tls.out.protocol}($|\\s))?\
+ (?:ESATLSOutProtocol=%{DATA:cisco_secure_email_gateway.log.esa.tls.out.protocol}(?:$|\\s))?\
(?:ESADaneHost=%{DATA:cisco_secure_email_gateway.log.esa.dane.host} )?\
- (?:ESADaneStatus=%{WORD:cisco_secure_email_gateway.log.esa.dane.status}($|\\s))?\
- (?:ESADHASource=%{IP:cisco_secure_email_gateway.log.esa.dha_source}($|\\s))?\
- (?:ESADMARCVerdict=%{WORD:cisco_secure_email_gateway.log.esa.dmarc_verdict}($|\\s))?\
- (?:cs5Label=%{DATA:cisco_secure_email_gateway.log.cs5_label}($|\\s))?\
- (?:cs5=%{DATA:cisco_secure_email_gateway.log.cs5}($|\\s))?\
- (?:ESAMARAction=%{DATA:cisco_secure_email_gateway.log.esa.mail_auto_remediation_action}($|\\s))?\
- (?:ESAMsgTooBigFromSender=%{WORD:cisco_secure_email_gateway.log.esa.msg_too_big_from_sender}($|\\s))?\
- (?:ESARateLimitedIP=%{GREEDYDATA:cisco_secure_email_gateway.log.esa.rate_limited_ip}($|\\s))?$"
+ (?:ESADaneStatus=%{WORD:cisco_secure_email_gateway.log.esa.dane.status}(?:$|\\s))?\
+ (?:ESADHASource=%{IP:cisco_secure_email_gateway.log.esa.dha_source}(?:$|\\s))?\
+ (?:ESADMARCVerdict=%{WORD:cisco_secure_email_gateway.log.esa.dmarc_verdict}(?:$|\\s))?\
+ (?:cs5Label=%{DATA:cisco_secure_email_gateway.log.cs5_label}(?:$|\\s))?\
+ (?:cs5=%{DATA:cisco_secure_email_gateway.log.cs5}(?:$|\\s))?\
+ (?:ESAMARAction=%{DATA:cisco_secure_email_gateway.log.esa.mail_auto_remediation_action}(?:$|\\s))?\
+ (?:ESAMsgTooBigFromSender=%{WORD:cisco_secure_email_gateway.log.esa.msg_too_big_from_sender}(?:$|\\s))?\
+ (?:ESARateLimitedIP=%{GREEDYDATA:cisco_secure_email_gateway.log.esa.rate_limited_ip}(?:$|\\s))?$"
- ^%{GREEDYDATA:cisco_secure_email_gateway.log.message}$
- kv:
field: _tmp.details
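Review bot: The new grok on `_tmp.msg` has only one structured pattern, which requires the subject to start with a quote (`^['\"]`); when the subject is unquoted, the `^%{GREEDYDATA:cisco_secure_email_gateway.log.message}$` fallback that now follows it swallows the subject together with any trailing ESATLS*/ESADane*/ESADMARCVerdict/cs5 pairs, so those fields are silently lost and `cisco_secure_email_gateway.log.message` ends up holding just the `msg=` tail, whereas the first grok's fallback (added on the `- ^%{GREEDYDATA:...}` line above) stores the whole unparsed event in the same field. A second pattern identical to the quoted one but without the `['\"]` delimiters, listed before the GREEDYDATA fallback, would keep the tail fields parsed in both cases and leave the fallback for genuinely unparseable input. Separately, the consolidated-event sample near the top of this chunk appears to delimit the subject as `\"…\"` (backslash-escaped quotes); if no earlier processor strips that backslash, even that sample would take the fallback path, so it is worth confirming against the expected output for that case. The first grok processor and its `patterns` list begin outside this hunk.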
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml b/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml
index e768df21ef6..1bff799d379 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml
+++ b/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml
@@ -164,8 +164,8 @@
description: Disk I/O Utilization.
- name: disposition
type: keyword
- description: ""
- The file reputation disposition values are: MALICIOUS CLEAN FILE UNKNOWN - When the reputation score is zero. VERDICT UNKNOWN - When the disposition is FILE UNKNOWN and score is non-zero. LOW RISK - When no dynamic content is found in a file after file analysis, the verdict is Low Risk. The file is not sent for file analysis, and the message continues through the email pipeline.
+ description: >-
+ The file reputation disposition values are: MALICIOUS CLEAN FILE UNKNOWN - When the reputation score is zero. VERDICT UNKNOWN - When the disposition is FILE UNKNOWN and score is non-zero. LOW RISK - When no dynamic content is found in a file after file analysis, the verdict is Low Risk. The file is not sent for file analysis, and the message continues through the email pipeline.
- name: dns
type: group
fields:
@@ -281,8 +281,6 @@
type: keyword
- name: msg_too_big
type: keyword
- - name: rate_limited_ip
- type: keyword
- name: estimated
type: group
fields:
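Review bot: The removed `rate_limited_ip` definition may still be referenced: the consolidated-event grok in this same commit continues to capture `%{GREEDYDATA:cisco_secure_email_gateway.log.esa.rate_limited_ip}`, so if this was the only definition of that field it becomes unmapped after this change. The README table hunks in this chunk show no corresponding row being removed, which suggests this entry was a duplicate at a different level and another definition remains, but that is inferred rather than visible here. A quick search of fields.yml for `rate_limited_ip` before merging would settle it; the enclosing group for this entry starts outside the hunk.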
@@ -516,8 +514,8 @@
The upload action value recommended by the file reputation server to take on the given file 0 - Need not send for upload. 1 - Send file for upload. Note The email gateway uploads the file when the upload action value is ‘1.’. 2 - Do not send file for upload. 3 - Send only metadata for upload.
- name: priority
type: keyword
- description: ""
- Upload priority values are: High - For all selected file types, except PDF file type. Low - For only PDF file types.
+ description: >-
+ Upload priority values are: High - For all selected file types, except PDF file type. Low - For only PDF file types.
- name: verified
type: keyword
- name: vendor_action
@@ -530,16 +528,9 @@
description: This is the number of messages currently in the work queue.
- name: zone
type: keyword
-- name: filepath
- type: keyword
- name: log.file.path
type: keyword
description: File path from which the log event was read / sent from.
- name: log.source.address
type: keyword
description: Source address from which the log event was read / sent from.
-- name: type
- type: keyword
- description: Input type.
-- name: input.type
- type: keyword
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/sample_event.json b/packages/cisco_secure_email_gateway/data_stream/log/sample_event.json
index 26c44e94126..90612095647 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/sample_event.json
+++ b/packages/cisco_secure_email_gateway/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2023-03-17T18:24:37.000Z",
"agent": {
- "ephemeral_id": "ad16a5f3-74d8-4f65-96c6-5d2fd1d8d0c0",
- "id": "057e0b9b-e20a-4d3b-9276-cb2e5cb7bb53",
+ "ephemeral_id": "8bbd9c9d-bc30-42ce-bf39-89d3f9b042c3",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.6.0"
+ "version": "8.9.1"
},
"cisco_secure_email_gateway": {
"log": {
@@ -21,12 +21,12 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "057e0b9b-e20a-4d3b-9276-cb2e5cb7bb53",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"snapshot": false,
- "version": "8.6.0"
+ "version": "8.9.1"
},
"email": {
"attachments": {
@@ -41,7 +41,7 @@
"event": {
"agent_id_status": "verified",
"dataset": "cisco_secure_email_gateway.log",
- "ingested": "2023-04-07T06:11:54Z",
+ "ingested": "2023-08-29T17:41:06Z",
"kind": "event",
"timezone": "UTC"
},
@@ -51,7 +51,7 @@
"log": {
"level": "info",
"source": {
- "address": "172.30.0.7:52815"
+ "address": "172.21.0.4:41169"
},
"syslog": {
"priority": 166
diff --git a/packages/cisco_secure_email_gateway/docs/README.md b/packages/cisco_secure_email_gateway/docs/README.md
index 5ceefddb570..7d6c21de689 100644
--- a/packages/cisco_secure_email_gateway/docs/README.md
+++ b/packages/cisco_secure_email_gateway/docs/README.md
@@ -202,11 +202,11 @@ An example event for `log` looks as following:
{
"@timestamp": "2023-03-17T18:24:37.000Z",
"agent": {
- "ephemeral_id": "ad16a5f3-74d8-4f65-96c6-5d2fd1d8d0c0",
- "id": "057e0b9b-e20a-4d3b-9276-cb2e5cb7bb53",
+ "ephemeral_id": "8bbd9c9d-bc30-42ce-bf39-89d3f9b042c3",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "8.6.0"
+ "version": "8.9.1"
},
"cisco_secure_email_gateway": {
"log": {
@@ -222,12 +222,12 @@ An example event for `log` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
- "id": "057e0b9b-e20a-4d3b-9276-cb2e5cb7bb53",
+ "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
"snapshot": false,
- "version": "8.6.0"
+ "version": "8.9.1"
},
"email": {
"attachments": {
@@ -242,7 +242,7 @@ An example event for `log` looks as following:
"event": {
"agent_id_status": "verified",
"dataset": "cisco_secure_email_gateway.log",
- "ingested": "2023-04-07T06:11:54Z",
+ "ingested": "2023-08-29T17:41:06Z",
"kind": "event",
"timezone": "UTC"
},
@@ -252,7 +252,7 @@ An example event for `log` looks as following:
"log": {
"level": "info",
"source": {
- "address": "172.30.0.7:52815"
+ "address": "172.21.0.4:41169"
},
"syslog": {
"priority": 166
@@ -328,7 +328,7 @@ An example event for `log` looks as following:
| cisco_secure_email_gateway.log.details | Additional information. | text |
| cisco_secure_email_gateway.log.device_direction | | keyword |
| cisco_secure_email_gateway.log.disk_io | Disk I/O Utilization. | long |
-| cisco_secure_email_gateway.log.disposition | | keyword |
+| cisco_secure_email_gateway.log.disposition | The file reputation disposition values are: MALICIOUS CLEAN FILE UNKNOWN - When the reputation score is zero. VERDICT UNKNOWN - When the disposition is FILE UNKNOWN and score is non-zero. LOW RISK - When no dynamic content is found in a file after file analysis, the verdict is Low Risk. The file is not sent for file analysis, and the message continues through the email pipeline. | keyword |
| cisco_secure_email_gateway.log.dns.hard_bounces | DNS Hard Bounces. | long |
| cisco_secure_email_gateway.log.dns.requests | DNS Requests. | long |
| cisco_secure_email_gateway.log.dropped_messages | Dropped Messages. | long |
@@ -449,7 +449,7 @@ An example event for `log` looks as following:
| cisco_secure_email_gateway.log.unattempted_recipients | Unattempted Recipients. | long |
| cisco_secure_email_gateway.log.update.timestamp | The date and time at which the file analysis for the file is complete. | date |
| cisco_secure_email_gateway.log.upload.action | The upload action value recommended by the file reputation server to take on the given file 0 - Need not send for upload. 1 - Send file for upload. Note The email gateway uploads the file when the upload action value is ‘1.’. 2 - Do not send file for upload. 3 - Send only metadata for upload. | keyword |
-| cisco_secure_email_gateway.log.upload.priority | | keyword |
+| cisco_secure_email_gateway.log.upload.priority | Upload priority values are: High - For all selected file types, except PDF file type. Low - For only PDF file types. | keyword |
| cisco_secure_email_gateway.log.vendor_action | | keyword |
| cisco_secure_email_gateway.log.verdict | The file retrospective verdict value is malicious or clean. | keyword |
| cisco_secure_email_gateway.log.verified | | keyword |
@@ -492,7 +492,6 @@ An example event for `log` looks as following:
| event.module | Event module. | constant_keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| filepath | | keyword |
| host.architecture | Operating system architecture. | keyword |
| host.containerized | If the host is a container. | boolean |
| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
@@ -513,7 +512,7 @@ An example event for `log` looks as following:
| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
| http.response.status_code | HTTP response status code. | long |
| http.version | HTTP version. | keyword |
-| input.type | | keyword |
+| input.type | Input type. | keyword |
| log.file.path | File path from which the log event was read / sent from. | keyword |
| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
| log.offset | Log offset. | long |
@@ -528,7 +527,6 @@ An example event for `log` looks as following:
| source.ip | IP address of the source (IPv4 or IPv6). | ip |
| source.port | Port of the source. | long |
| tags | List of keywords used to tag each event. | keyword |
-| type | Input type. | keyword |
| url.path | Path of the request, such as "/search". | wildcard |
| user.name | Short name or login of the user. | keyword |
| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/cisco_secure_email_gateway/kibana/tags.yml b/packages/cisco_secure_email_gateway/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_secure_email_gateway/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_secure_email_gateway/manifest.yml b/packages/cisco_secure_email_gateway/manifest.yml
index b109f29960e..174e2652e29 100644
--- a/packages/cisco_secure_email_gateway/manifest.yml
+++ b/packages/cisco_secure_email_gateway/manifest.yml
@@ -1,17 +1,16 @@
-format_version: 1.0.0
+format_version: "3.0.0"
name: cisco_secure_email_gateway
title: Cisco Secure Email Gateway
-version: "1.10.0"
-license: basic
+version: "1.14.0"
description: Collect logs from Cisco Secure Email Gateway with Elastic Agent.
type: integration
categories:
- security
- network
- email_security
-release: ga
conditions:
- kibana.version: ^8.7.1
+ kibana:
+ version: ^8.7.1
screenshots:
- src: /img/cisco-secure-email-gateway-screenshot.png
title: Cisco Secure Email Gateway dashboard screenshot
@@ -38,3 +37,4 @@ policy_templates:
description: Collecting Cisco Secure Email Gateway logs via UDP input.
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/cisco_secure_endpoint/_dev/build/build.yml b/packages/cisco_secure_endpoint/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_secure_endpoint/_dev/build/build.yml
+++ b/packages/cisco_secure_endpoint/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_secure_endpoint/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml
index 127b47ef307..d8900df6867 100644
--- a/packages/cisco_secure_endpoint/changelog.yml
+++ b/packages/cisco_secure_endpoint/changelog.yml
@@ -1,4 +1,29 @@
# newer versions go on top
+- version: 2.20.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "2.19.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "2.18.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "2.17.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
+- version: "2.16.0"
+ changes:
+ - description: Document valid duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6706
- version: "2.15.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
index d187821b035..18b5927204d 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
@@ -29,7 +29,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -114,7 +114,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -185,7 +185,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -290,7 +290,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -371,7 +371,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -456,7 +456,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -565,7 +565,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -666,7 +666,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -750,7 +750,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -842,7 +842,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -934,7 +934,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -1026,7 +1026,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -1118,7 +1118,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -1210,7 +1210,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -1300,7 +1300,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225530"
@@ -1381,7 +1381,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225530"
@@ -1462,7 +1462,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225530"
@@ -1543,7 +1543,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225530"
@@ -1624,7 +1624,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225530"
@@ -1706,7 +1706,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1812,7 +1812,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -1897,7 +1897,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "File Fetch Completed",
@@ -1992,7 +1992,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -2077,7 +2077,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected in Low Prevalence Executable",
@@ -2156,7 +2156,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "File Fetch Completed",
@@ -2241,7 +2241,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -2311,7 +2311,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2392,7 +2392,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Quarantine",
@@ -2471,7 +2471,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2557,7 +2557,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2744,7 +2744,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Vulnerable Application Detected",
@@ -2825,7 +2825,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -2898,7 +2898,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -2990,7 +2990,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -3076,7 +3076,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3160,7 +3160,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -3242,7 +3242,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -3313,7 +3313,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3418,7 +3418,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3500,7 +3500,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3605,7 +3605,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3689,7 +3689,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -3781,7 +3781,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -3887,7 +3887,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Vulnerable Application Detected",
@@ -3992,7 +3992,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Vulnerable Application Detected",
@@ -4127,7 +4127,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Vulnerable Application Detected",
@@ -4208,7 +4208,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -4279,7 +4279,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Scan Completed, No Detections",
@@ -4345,7 +4345,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Scan Started",
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json
index f72cea3bf72..5e6cd93cc04 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json
@@ -79,7 +79,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "SecureX Threat Hunting Incident",
@@ -174,7 +174,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -283,7 +283,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -389,7 +389,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -500,7 +500,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DFC Threat Detected",
@@ -615,7 +615,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DFC Threat Detected",
@@ -730,7 +730,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DFC Threat Detected",
@@ -845,7 +845,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DFC Threat Detected",
@@ -960,7 +960,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DFC Threat Detected",
@@ -1075,7 +1075,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "DFC Threat Detected",
@@ -1174,7 +1174,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -1261,7 +1261,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1360,7 +1360,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Multiple Infected Files",
@@ -1445,7 +1445,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1542,7 +1542,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1635,7 +1635,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1730,7 +1730,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Executed malware",
@@ -1818,7 +1818,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1915,7 +1915,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2008,7 +2008,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2101,7 +2101,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2198,7 +2198,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2295,7 +2295,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2388,7 +2388,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2494,7 +2494,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Vulnerable Application Detected",
@@ -2580,7 +2580,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2677,7 +2677,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2770,7 +2770,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2863,7 +2863,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2960,7 +2960,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3053,7 +3053,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3146,7 +3146,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3232,7 +3232,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3318,7 +3318,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3407,7 +3407,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3513,7 +3513,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3610,7 +3610,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3703,7 +3703,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3796,7 +3796,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3884,7 +3884,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Executed malware",
@@ -3969,7 +3969,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4055,7 +4055,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json
index 0219edbb7e8..28405408083 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json
@@ -29,7 +29,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -115,7 +115,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -205,7 +205,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -295,7 +295,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -385,7 +385,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -475,7 +475,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -565,7 +565,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -655,7 +655,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -745,7 +745,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -835,7 +835,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -925,7 +925,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1015,7 +1015,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1105,7 +1105,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1195,7 +1195,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1285,7 +1285,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1375,7 +1375,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1465,7 +1465,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1555,7 +1555,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1641,7 +1641,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1731,7 +1731,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1821,7 +1821,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1914,7 +1914,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2020,7 +2020,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2113,7 +2113,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2219,7 +2219,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2312,7 +2312,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2418,7 +2418,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2507,7 +2507,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2613,7 +2613,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2699,7 +2699,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2785,7 +2785,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2882,7 +2882,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2975,7 +2975,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3072,7 +3072,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3169,7 +3169,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3262,7 +3262,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3359,7 +3359,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3445,7 +3445,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3538,7 +3538,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3624,7 +3624,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3710,7 +3710,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3796,7 +3796,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3893,7 +3893,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3986,7 +3986,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4083,7 +4083,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json
index d5c3ff339ba..ee4414682c3 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json
@@ -29,7 +29,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -121,7 +121,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Executed malware",
@@ -208,7 +208,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -292,7 +292,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -377,7 +377,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -479,7 +479,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -579,7 +579,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -679,7 +679,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -775,7 +775,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -853,7 +853,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -934,7 +934,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -1018,7 +1018,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -1102,7 +1102,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1186,7 +1186,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1270,7 +1270,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1354,7 +1354,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1438,7 +1438,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1522,7 +1522,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1606,7 +1606,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1690,7 +1690,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1774,7 +1774,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1858,7 +1858,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -1942,7 +1942,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -2026,7 +2026,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -2110,7 +2110,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2194,7 +2194,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -2279,7 +2279,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2382,7 +2382,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2485,7 +2485,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2592,7 +2592,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2695,7 +2695,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -2773,7 +2773,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -2851,7 +2851,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -2929,7 +2929,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3007,7 +3007,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3088,7 +3088,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -3172,7 +3172,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -3256,7 +3256,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -3340,7 +3340,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -3425,7 +3425,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3534,7 +3534,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3639,7 +3639,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3717,7 +3717,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3796,7 +3796,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3893,7 +3893,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3993,7 +3993,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4100,7 +4100,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4204,7 +4204,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4297,7 +4297,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4393,7 +4393,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4502,7 +4502,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4603,7 +4603,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -4666,7 +4666,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -4736,7 +4736,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -4820,7 +4820,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -4904,7 +4904,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -4986,7 +4986,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -5072,7 +5072,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -5158,7 +5158,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -5246,7 +5246,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -5331,7 +5331,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -5436,7 +5436,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -5541,7 +5541,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -5622,7 +5622,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -5706,7 +5706,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -5787,7 +5787,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Quarantine",
@@ -5866,7 +5866,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -5952,7 +5952,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -6038,7 +6038,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -6130,7 +6130,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -6214,7 +6214,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -6298,7 +6298,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -6382,7 +6382,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -6466,7 +6466,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -6550,7 +6550,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -6634,7 +6634,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -6718,7 +6718,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -6802,7 +6802,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -6886,7 +6886,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -6970,7 +6970,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -7054,7 +7054,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -7139,7 +7139,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -7244,7 +7244,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -7348,7 +7348,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -7440,7 +7440,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -7521,7 +7521,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -7605,7 +7605,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -7689,7 +7689,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -7771,7 +7771,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -7868,7 +7868,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -7965,7 +7965,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -8062,7 +8062,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -8159,7 +8159,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -8256,7 +8256,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -8353,7 +8353,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -8450,7 +8450,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -8547,7 +8547,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -8644,7 +8644,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -8744,7 +8744,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -8844,7 +8844,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json
index c70f8ec82d4..a9cc797f3fa 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json
@@ -32,7 +32,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -138,7 +138,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -222,7 +222,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225761"
@@ -304,7 +304,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -400,7 +400,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -509,7 +509,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -614,7 +614,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -695,7 +695,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -777,7 +777,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -874,7 +874,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -970,7 +970,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -1051,7 +1051,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -1135,7 +1135,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -1219,7 +1219,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -1300,7 +1300,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Quarantine",
@@ -1379,7 +1379,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -1465,7 +1465,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -1555,7 +1555,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -1641,7 +1641,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -1729,7 +1729,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225761"
@@ -1810,7 +1810,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Quarantine",
@@ -1889,7 +1889,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -1979,7 +1979,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2071,7 +2071,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2155,7 +2155,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2239,7 +2239,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2321,7 +2321,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2407,7 +2407,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2493,7 +2493,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2583,7 +2583,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2789,7 +2789,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detection",
@@ -2868,7 +2868,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2952,7 +2952,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -3036,7 +3036,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -3120,7 +3120,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -3202,7 +3202,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -3288,7 +3288,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -3374,7 +3374,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -3460,7 +3460,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -3546,7 +3546,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -3632,7 +3632,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -3718,7 +3718,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -3806,7 +3806,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -3888,7 +3888,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3985,7 +3985,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4072,7 +4072,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4168,7 +4168,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -4249,7 +4249,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -4334,7 +4334,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4435,7 +4435,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -4516,7 +4516,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -4600,7 +4600,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -4682,7 +4682,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4775,7 +4775,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4868,7 +4868,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4961,7 +4961,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -5054,7 +5054,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -5147,7 +5147,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -5240,7 +5240,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -5333,7 +5333,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -5426,7 +5426,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -5518,7 +5518,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json
index 20f0e2a8b08..6283fd11bec 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json
@@ -31,7 +31,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -115,7 +115,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -199,7 +199,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -283,7 +283,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -367,7 +367,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225761"
@@ -451,7 +451,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -533,7 +533,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -629,7 +629,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -733,7 +733,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -826,7 +826,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -918,7 +918,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -996,7 +996,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -1074,7 +1074,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -1153,7 +1153,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1249,7 +1249,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1358,7 +1358,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1465,7 +1465,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1570,7 +1570,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1678,7 +1678,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -1762,7 +1762,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -1843,7 +1843,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Quarantine",
@@ -1922,7 +1922,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2008,7 +2008,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2094,7 +2094,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2189,7 +2189,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -2275,7 +2275,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Quarantine",
@@ -2354,7 +2354,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2444,7 +2444,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2532,7 +2532,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2614,7 +2614,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2714,7 +2714,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2816,7 +2816,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2912,7 +2912,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3018,7 +3018,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3115,7 +3115,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3207,7 +3207,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3285,7 +3285,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3367,7 +3367,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3472,7 +3472,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Potential Dropper Infection",
@@ -3547,7 +3547,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -3617,7 +3617,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -3699,7 +3699,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3792,7 +3792,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3887,7 +3887,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -3971,7 +3971,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -4055,7 +4055,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -4139,7 +4139,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -4223,7 +4223,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -4308,7 +4308,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4412,7 +4412,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -4504,7 +4504,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -4585,7 +4585,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -4669,7 +4669,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json
index 6669f29de1f..3e1867f5ca3 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json
@@ -31,7 +31,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -113,7 +113,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -206,7 +206,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -299,7 +299,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -396,7 +396,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -492,7 +492,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -573,7 +573,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -654,7 +654,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -733,7 +733,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -830,7 +830,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -916,7 +916,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -1007,7 +1007,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -1092,7 +1092,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected in Low Prevalence Executable",
@@ -1168,7 +1168,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -1234,7 +1234,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "File Fetch Completed",
@@ -1327,7 +1327,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1432,7 +1432,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -1513,7 +1513,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -1598,7 +1598,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1703,7 +1703,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -1808,7 +1808,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -1882,7 +1882,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Policy Update",
@@ -1952,7 +1952,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Executed malware",
@@ -2039,7 +2039,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Multiple Infected Files",
@@ -2123,7 +2123,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Quarantine",
@@ -2202,7 +2202,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
@@ -2294,7 +2294,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2376,7 +2376,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2471,7 +2471,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2555,7 +2555,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225558"
@@ -2639,7 +2639,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -2721,7 +2721,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -2813,7 +2813,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -2891,7 +2891,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -2970,7 +2970,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3063,7 +3063,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3159,7 +3159,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Quarantined",
@@ -3238,7 +3238,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3335,7 +3335,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3432,7 +3432,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3532,7 +3532,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
@@ -3641,7 +3641,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Malicious Activity Detection",
@@ -3748,7 +3748,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -3840,7 +3840,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -3932,7 +3932,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -4024,7 +4024,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -4113,7 +4113,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"error": {
"code": "3221225524"
@@ -4194,7 +4194,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Quarantine",
@@ -4273,7 +4273,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Retrospective Detection",
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp8.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp8.log-expected.json
index d434f064a81..352b1bb3719 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp8.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp8.log-expected.json
@@ -38,7 +38,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -152,7 +152,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -268,7 +268,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -394,7 +394,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -522,7 +522,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
@@ -640,7 +640,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Cloud IOC",
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp9.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp9.log-expected.json
index 0a8ae925bbd..fb124f3424c 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp9.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp9.log-expected.json
@@ -29,7 +29,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "Threat Detected",
diff --git a/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 4b20ab63043..14ea0fbe418 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -54,7 +54,7 @@ processors:
#######################
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: event.kind
value: alert
diff --git a/packages/cisco_secure_endpoint/data_stream/event/manifest.yml b/packages/cisco_secure_endpoint/data_stream/event/manifest.yml
index 2df9a1f5125..0e0cd752a44 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/manifest.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/manifest.yml
@@ -27,6 +27,7 @@ streams:
- name: http_client_timeout
type: text
title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
multi: false
required: false
show_user: true
@@ -37,7 +38,7 @@ streams:
multi: false
required: true
show_user: true
- description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.
default: 1h
- name: url
type: text
@@ -49,7 +50,7 @@ streams:
default: https://api.amp.cisco.com/v1/events?offset=0&limit=300
- name: limit
type: text
- title: Initial Interval
+ title: Maximum logs per request
multi: false
required: true
show_user: false
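Review bot: The new title `Maximum logs per request` makes the `limit` variable clearer, but the `url` variable in the context lines above still defaults to `https://api.amp.cisco.com/v1/events?offset=0&limit=300`, so the same page size appears to be configurable in two places. Which one the agent input template actually uses is not visible here; the variable's description, which lies outside this hunk, should state whether `limit` overrides or is appended to the query string in `url`, and if the variable is authoritative the URL default could drop `&limit=300`. Since `limit` is `show_user: false`, a user who edits the URL may never discover that the separate variable exists.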
@@ -61,7 +62,7 @@ streams:
multi: false
required: true
show_user: true
- description: Initial Interval for first log pull
+ description: Initial Interval for first log pull. Supported units for this parameter are h/m/s.
default: 24h
- name: ssl
type: yaml
diff --git a/packages/cisco_secure_endpoint/data_stream/event/sample_event.json b/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
index dabd7db2c08..08f7d9bcc81 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
@@ -48,7 +48,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "49007565-f0ac-4df0-9672-50a3e25920e8",
diff --git a/packages/cisco_secure_endpoint/docs/README.md b/packages/cisco_secure_endpoint/docs/README.md
index 71c70f9838e..c401c6047ec 100644
--- a/packages/cisco_secure_endpoint/docs/README.md
+++ b/packages/cisco_secure_endpoint/docs/README.md
@@ -63,7 +63,7 @@ An example event for `event` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "49007565-f0ac-4df0-9672-50a3e25920e8",
@@ -219,16 +219,16 @@ An example event for `event` looks as following:
| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
| event.id | Unique ID to describe the event. | keyword |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
| file.hash.md5 | MD5 hash. | keyword |
| file.hash.sha1 | SHA1 hash. | keyword |
diff --git a/packages/cisco_secure_endpoint/kibana/tags.yml b/packages/cisco_secure_endpoint/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_secure_endpoint/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml
index fa7c63b09d2..5f712a17e6a 100644
--- a/packages/cisco_secure_endpoint/manifest.yml
+++ b/packages/cisco_secure_endpoint/manifest.yml
@@ -1,14 +1,15 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: cisco_secure_endpoint
title: Cisco Secure Endpoint
-version: "2.15.0"
+version: "2.20.0"
description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent.
type: integration
categories:
- security
- edr_xdr
conditions:
- kibana.version: "^8.7.1"
+ kibana:
+ version: "^8.7.1"
icons:
- src: /img/cisco.svg
title: cisco
@@ -24,3 +25,4 @@ policy_templates:
description: Collecting logs from the Cisco Secure Endpoint API
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/cisco_umbrella/_dev/build/build.yml b/packages/cisco_umbrella/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/cisco_umbrella/_dev/build/build.yml
+++ b/packages/cisco_umbrella/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/cisco_umbrella/changelog.yml b/packages/cisco_umbrella/changelog.yml
index 634c8f2a9f1..8f44347b612 100644
--- a/packages/cisco_umbrella/changelog.yml
+++ b/packages/cisco_umbrella/changelog.yml
@@ -1,4 +1,24 @@
# newer versions go on top
+- version: 1.18.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.17.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.16.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
+- version: "1.15.0"
+ changes:
+ - description: Document duration units.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6992
- version: "1.14.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json
index 12c37c3fca4..4d48f2d11d7 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json
@@ -12,7 +12,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "update",
@@ -77,7 +77,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "create",
@@ -134,7 +134,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "delete",
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json
index 3e943944851..0f7386a5190 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json
@@ -31,7 +31,7 @@
"ip": "67.43.156.12"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "fw-connection-ALLOW",
@@ -110,7 +110,7 @@
"ip": "67.43.156.12"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "fw-connection-BLOCK",
@@ -194,7 +194,7 @@
"ip": "67.43.156.12"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "fw-connection-ALLOW",
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dlplogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dlplogs.log-expected.json
index 17b3927bb5a..178eeed85ac 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dlplogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dlplogs.log-expected.json
@@ -11,7 +11,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dlp-BLOCK",
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json
index 74c691e9d44..c0b1e231cc5 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json
@@ -33,7 +33,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -121,7 +121,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Blocked",
@@ -203,7 +203,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -296,7 +296,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -380,7 +380,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -468,7 +468,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -552,7 +552,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -638,7 +638,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Blocked",
@@ -716,7 +716,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -789,7 +789,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -866,7 +866,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -960,7 +960,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -1064,7 +1064,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -1162,7 +1162,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
@@ -1263,7 +1263,7 @@
"type": "query"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "dns-request-Allowed",
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-intrusionlogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-intrusionlogs.log-expected.json
index fd3d5973fd0..ea655664601 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-intrusionlogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-intrusionlogs.log-expected.json
@@ -37,7 +37,7 @@
"port": 443
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "ips-Would-Block",
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json
index df6650786b0..b45d154f267 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json
@@ -26,7 +26,7 @@
"port": 0
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": "network",
@@ -87,7 +87,7 @@
"port": 445
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": "network",
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json
index 61f7bf95997..480cad7c057 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json
@@ -29,7 +29,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": "network",
@@ -125,7 +125,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": "network",
@@ -201,7 +201,7 @@
}
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"category": "network",
@@ -311,7 +311,7 @@
"ip": "89.160.20.130"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
@@ -418,7 +418,7 @@
"ip": "1.128.2.3"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
@@ -540,7 +540,7 @@
"ip": "67.43.156.204"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
@@ -651,7 +651,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
@@ -759,7 +759,7 @@
"ip": "67.43.156.205"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-HEAD",
@@ -856,7 +856,7 @@
"ip": "67.43.156.205"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
@@ -965,7 +965,7 @@
"ip": "67.43.156.205"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
@@ -1074,7 +1074,7 @@
"ip": "67.43.156.205"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-HEAD",
@@ -1183,7 +1183,7 @@
"ip": "67.43.156.205"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-HEAD",
@@ -1294,7 +1294,7 @@
"ip": "67.43.156.204"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
@@ -1408,7 +1408,7 @@
"ip": "67.43.156.204"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
diff --git a/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index ffad0a83179..67c714b596a 100644
--- a/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -4,7 +4,7 @@ description: Pipeline for Cisco Umbrella
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- set:
field: observer.vendor
value: Cisco
diff --git a/packages/cisco_umbrella/data_stream/log/manifest.yml b/packages/cisco_umbrella/data_stream/log/manifest.yml
index 0d055753d4d..f4f8dda13ca 100644
--- a/packages/cisco_umbrella/data_stream/log/manifest.yml
+++ b/packages/cisco_umbrella/data_stream/log/manifest.yml
@@ -111,14 +111,14 @@ streams:
multi: false
required: false
show_user: false
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Valid time units are h, m, s.
- name: api_timeout
type: text
title: API Timeout
multi: false
required: false
show_user: false
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Valid time units are h, m, s.
- name: fips_enabled
type: bool
title: Enable S3 FIPS
diff --git a/packages/cisco_umbrella/data_stream/log/sample_event.json b/packages/cisco_umbrella/data_stream/log/sample_event.json
index 9b5bf115757..e2e1e37ff18 100644
--- a/packages/cisco_umbrella/data_stream/log/sample_event.json
+++ b/packages/cisco_umbrella/data_stream/log/sample_event.json
@@ -34,7 +34,7 @@
"ip": "67.43.156.204"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
diff --git a/packages/cisco_umbrella/docs/README.md b/packages/cisco_umbrella/docs/README.md
index db5ae5701c9..0712350881c 100644
--- a/packages/cisco_umbrella/docs/README.md
+++ b/packages/cisco_umbrella/docs/README.md
@@ -52,7 +52,7 @@ An example event for `log` looks as following:
"ip": "67.43.156.204"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "proxy-request-GET",
diff --git a/packages/cisco_umbrella/kibana/tags.yml b/packages/cisco_umbrella/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/cisco_umbrella/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/cisco_umbrella/manifest.yml b/packages/cisco_umbrella/manifest.yml
index 042e7fb314f..9179393e30e 100644
--- a/packages/cisco_umbrella/manifest.yml
+++ b/packages/cisco_umbrella/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: cisco_umbrella
title: Cisco Umbrella
-version: "1.14.0"
+version: "1.18.0"
description: Collect logs from Cisco Umbrella with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,8 @@ categories:
- security
- dns_security
conditions:
- kibana.version: "^8.4.0"
+ kibana:
+ version: "^8.4.0"
icons:
- src: /img/cisco.svg
title: cisco
@@ -25,3 +26,4 @@ policy_templates:
description: Collecting logs from Cisco Umbrella
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/citrix_adc/_dev/build/docs/README.md b/packages/citrix_adc/_dev/build/docs/README.md
index b7b053bb8a0..8598f0ad860 100644
--- a/packages/citrix_adc/_dev/build/docs/README.md
+++ b/packages/citrix_adc/_dev/build/docs/README.md
@@ -45,8 +45,15 @@ After the integration is successfully configured, clicking on the Assets tab of
### Troubleshooting
+#### Dummy values
+
There could be a possibility that for some of the fields, Citrix ADC sets dummy values. For example, a field `cpuusagepcnt` is represented by `citrix_adc.system.cpu.utilization.pct`. `cpuusagepcnt` is set to `4294967295` for some [instances](https://github.com/citrix/citrix-adc-metrics-exporter/issues/44). If you also encounter it for some fields please reach out to the [Citrix ADC support team](https://support.citrix.com/plp/products/citrix_adc/tabs/popular-solutions).
+
+#### Type conflicts
+
+If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Interface``, ``LBVserver``, ``Service``, ``System``, and ``VPN`` data stream's indices.
+
## Metrics reference
### Interface
diff --git a/packages/citrix_adc/changelog.yml b/packages/citrix_adc/changelog.yml
index 061e97ee743..44e354f669e 100644
--- a/packages/citrix_adc/changelog.yml
+++ b/packages/citrix_adc/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: "1.0.1"
+ changes:
+ - description: Add null check and ignore_missing check to the rename processor
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7845
+- version: "1.0.0"
+ changes:
+ - description: Make Citrix ADC GA.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7664
+- version: "0.7.1"
+ changes:
+ - description: Resolve host.ip field conflict.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7509
- version: "0.7.0"
changes:
- description: Rename ownership from obs-service-integrations to obs-infraobs-integrations
diff --git a/packages/citrix_adc/data_stream/interface/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/interface/elasticsearch/ingest_pipeline/default.yml
index 337dc8f6039..0912b13bcd0 100644
--- a/packages/citrix_adc/data_stream/interface/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/interface/elasticsearch/ingest_pipeline/default.yml
@@ -30,7 +30,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
- ignore_failure: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
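Review bot: The new `if: 'ctx.event?.original == null'` guard on the rename of `message` carries no explanation of why a pre-populated event.original must win, and a reader comparing it with the dropped `ignore_failure: true` cannot tell whether skipping the rename (and so leaving `message` in the document next to the existing event.original) is intended; a processor description such as `description: Skip the rename when event.original is already populated (e.g. by preserve_original_event) instead of masking every failure with ignore_failure.` would record that. The `- rename:` line itself sits above this hunk, so any tag or on_failure settings on the processor are not visible here. The same swap is made in the lbvserver, service, system and vpn pipelines further down on this page and the same description fits each. The citrix_adc changelog entry on this page describes the change as adding an ignore_missing check, but `ignore_missing: true` is already a context line in this hunk; the entry could name the ignore_failure-to-if change instead.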
diff --git a/packages/citrix_adc/data_stream/interface/fields/ecs.yml b/packages/citrix_adc/data_stream/interface/fields/ecs.yml
index deeb666ad97..7d58f2030d8 100644
--- a/packages/citrix_adc/data_stream/interface/fields/ecs.yml
+++ b/packages/citrix_adc/data_stream/interface/fields/ecs.yml
@@ -14,6 +14,8 @@
name: event.module
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: interface.id
- external: ecs
diff --git a/packages/citrix_adc/data_stream/lbvserver/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/lbvserver/elasticsearch/ingest_pipeline/default.yml
index 9f8d7125b6d..2c7a0065fad 100644
--- a/packages/citrix_adc/data_stream/lbvserver/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/lbvserver/elasticsearch/ingest_pipeline/default.yml
@@ -30,7 +30,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
- ignore_failure: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
diff --git a/packages/citrix_adc/data_stream/lbvserver/fields/ecs.yml b/packages/citrix_adc/data_stream/lbvserver/fields/ecs.yml
index 9939b9e6997..51e27c040ef 100644
--- a/packages/citrix_adc/data_stream/lbvserver/fields/ecs.yml
+++ b/packages/citrix_adc/data_stream/lbvserver/fields/ecs.yml
@@ -14,6 +14,8 @@
name: event.module
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: related.ip
- external: ecs
diff --git a/packages/citrix_adc/data_stream/service/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/service/elasticsearch/ingest_pipeline/default.yml
index 5ca194957a3..3863bce60fa 100644
--- a/packages/citrix_adc/data_stream/service/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/service/elasticsearch/ingest_pipeline/default.yml
@@ -30,7 +30,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
- ignore_failure: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
diff --git a/packages/citrix_adc/data_stream/service/fields/ecs.yml b/packages/citrix_adc/data_stream/service/fields/ecs.yml
index bbe5cd2ab75..0f8257bae5f 100644
--- a/packages/citrix_adc/data_stream/service/fields/ecs.yml
+++ b/packages/citrix_adc/data_stream/service/fields/ecs.yml
@@ -14,6 +14,8 @@
name: event.module
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: related.ip
- external: ecs
diff --git a/packages/citrix_adc/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/system/elasticsearch/ingest_pipeline/default.yml
index e5188e0bb79..4e9a07c6460 100644
--- a/packages/citrix_adc/data_stream/system/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/system/elasticsearch/ingest_pipeline/default.yml
@@ -30,7 +30,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
- ignore_failure: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
@@ -124,10 +124,10 @@ processors:
def bytes = (megabytes*1024*1024);
return bytes;
}
- if(ctx.citrix_adc?.system?.memory?.size?.value!=null || ctx.citrix_adc?.system?.memory?.size?.value!=""){
+ if(ctx.citrix_adc?.system?.memory?.size?.value!=null && ctx.citrix_adc?.system?.memory?.size?.value!=""){
ctx.citrix_adc.system.memory.size.value = convert(ctx.citrix_adc.system.memory.size.value);
}
- if(ctx.citrix_adc?.system?.memory?.usage?.value!=null || ctx.citrix_adc?.system?.memory?.usage?.value!=""){
+ if(ctx.citrix_adc?.system?.memory?.usage?.value!=null && ctx.citrix_adc?.system?.memory?.usage?.value!=""){
ctx.citrix_adc.system.memory.usage.value = convert(ctx.citrix_adc.system.memory.usage.value);
}
- script:
diff --git a/packages/citrix_adc/data_stream/system/fields/ecs.yml b/packages/citrix_adc/data_stream/system/fields/ecs.yml
index cd6e234ba91..faa4f380cbf 100644
--- a/packages/citrix_adc/data_stream/system/fields/ecs.yml
+++ b/packages/citrix_adc/data_stream/system/fields/ecs.yml
@@ -14,5 +14,7 @@
name: event.module
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: tags
diff --git a/packages/citrix_adc/data_stream/vpn/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/vpn/elasticsearch/ingest_pipeline/default.yml
index ca0d6fd4b0d..336639139ef 100644
--- a/packages/citrix_adc/data_stream/vpn/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/vpn/elasticsearch/ingest_pipeline/default.yml
@@ -30,7 +30,7 @@ processors:
field: message
target_field: event.original
ignore_missing: true
- ignore_failure: true
+ if: 'ctx.event?.original == null'
- json:
field: event.original
target_field: json
diff --git a/packages/citrix_adc/data_stream/vpn/fields/ecs.yml b/packages/citrix_adc/data_stream/vpn/fields/ecs.yml
index cd6e234ba91..faa4f380cbf 100644
--- a/packages/citrix_adc/data_stream/vpn/fields/ecs.yml
+++ b/packages/citrix_adc/data_stream/vpn/fields/ecs.yml
@@ -14,5 +14,7 @@
name: event.module
- external: ecs
name: event.type
+- external: ecs
+ name: host.ip
- external: ecs
name: tags
diff --git a/packages/citrix_adc/docs/README.md b/packages/citrix_adc/docs/README.md
index c0206fec4af..9b78a3cac81 100644
--- a/packages/citrix_adc/docs/README.md
+++ b/packages/citrix_adc/docs/README.md
@@ -45,8 +45,15 @@ After the integration is successfully configured, clicking on the Assets tab of
### Troubleshooting
+#### Dummy values
+
There could be a possibility that for some of the fields, Citrix ADC sets dummy values. For example, a field `cpuusagepcnt` is represented by `citrix_adc.system.cpu.utilization.pct`. `cpuusagepcnt` is set to `4294967295` for some [instances](https://github.com/citrix/citrix-adc-metrics-exporter/issues/44). If you also encounter it for some fields please reach out to the [Citrix ADC support team](https://support.citrix.com/plp/products/citrix_adc/tabs/popular-solutions).
+
+#### Type conflicts
+
+If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Interface``, ``LBVserver``, ``Service``, ``System``, and ``VPN`` data stream's indices.
+
## Metrics reference
### Interface
@@ -257,6 +264,7 @@ An example event for `interface` looks as following:
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
| input.type | Type of Filebeat input. | keyword | | |
| interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | | |
| tags | List of keywords used to tag each event. | keyword | | |
@@ -484,6 +492,7 @@ An example event for `lbvserver` looks as following:
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
| input.type | Type of Filebeat input. | keyword | | |
| related.ip | All of the IPs seen on your event. | ip | | |
| server.ip | IP address of the server (IPv4 or IPv6). | ip | | |
@@ -654,6 +663,7 @@ An example event for `service` looks as following:
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
| input.type | Type of Filebeat input. | keyword | | |
| related.ip | All of the IPs seen on your event. | ip | | |
| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | | |
@@ -799,6 +809,7 @@ An example event for `system` looks as following:
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
| input.type | Type of Filebeat input. | keyword | | |
| tags | List of keywords used to tag each event. | keyword | | |
@@ -1042,5 +1053,6 @@ An example event for `vpn` looks as following:
| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | |
+| host.ip | Host ip addresses. | ip | |
| input.type | Type of Filebeat input. | keyword | |
| tags | List of keywords used to tag each event. | keyword | |
diff --git a/packages/citrix_adc/manifest.yml b/packages/citrix_adc/manifest.yml
index 625db966abc..239d9a41c67 100644
--- a/packages/citrix_adc/manifest.yml
+++ b/packages/citrix_adc/manifest.yml
@@ -1,7 +1,7 @@
format_version: 2.0.0
name: citrix_adc
title: Citrix ADC
-version: "0.7.0"
+version: "1.0.1"
description: This Elastic integration collects metrics from Citrix ADC product.
type: integration
categories:
diff --git a/packages/citrix_waf/_dev/build/build.yml b/packages/citrix_waf/_dev/build/build.yml
index 074278e5b1f..c8eeec8cacf 100644
--- a/packages/citrix_waf/_dev/build/build.yml
+++ b/packages/citrix_waf/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@v8.8.0
+ reference: git@v8.9.0
diff --git a/packages/citrix_waf/changelog.yml b/packages/citrix_waf/changelog.yml
index cc0e14efd69..f29ee92c46e 100644
--- a/packages/citrix_waf/changelog.yml
+++ b/packages/citrix_waf/changelog.yml
@@ -1,4 +1,19 @@
# newer versions go on top
+- version: 1.10.0
+ changes:
+ - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7883
+- version: "1.9.0"
+ changes:
+ - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7789
+- version: "1.8.0"
+ changes:
+ - description: Update package to ECS 8.9.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7107
- version: "1.7.0"
changes:
- description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json b/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json
index 7deac4c8126..22e6bd51748 100644
--- a/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json
+++ b/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json
@@ -34,7 +34,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "blocked",
@@ -107,7 +107,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "not blocked",
@@ -181,7 +181,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "transformed",
@@ -255,7 +255,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "blocked",
@@ -331,7 +331,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "not blocked",
@@ -407,7 +407,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "not blocked",
@@ -480,7 +480,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "transformed",
@@ -553,7 +553,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "transformed",
@@ -626,7 +626,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "not blocked",
@@ -700,7 +700,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"action": "not blocked",
diff --git a/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json b/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
index aa006e8a8b3..223b8c55221 100644
--- a/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
+++ b/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
@@ -31,7 +31,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "60",
@@ -69,7 +69,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "5743593",
@@ -107,7 +107,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "4471",
@@ -145,7 +145,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "4472",
@@ -183,7 +183,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "4473",
@@ -221,7 +221,7 @@
"ip": "81.2.69.144"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"event": {
"id": "4474",
diff --git a/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 2b3954cd96d..b74239749b9 100644
--- a/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Citrix Web App Firewall logs
processors:
- set:
field: ecs.version
- value: '8.8.0'
+ value: '8.9.0'
- rename:
field: message
target_field: event.original
diff --git a/packages/citrix_waf/data_stream/log/sample_event.json b/packages/citrix_waf/data_stream/log/sample_event.json
index bd65114729b..a720ce525b5 100644
--- a/packages/citrix_waf/data_stream/log/sample_event.json
+++ b/packages/citrix_waf/data_stream/log/sample_event.json
@@ -44,7 +44,7 @@
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "e30119bc-b47d-4e56-86e3-4a9683305c6e",
diff --git a/packages/citrix_waf/docs/README.md b/packages/citrix_waf/docs/README.md
index 0facea87e93..180a61a1d4d 100644
--- a/packages/citrix_waf/docs/README.md
+++ b/packages/citrix_waf/docs/README.md
@@ -95,7 +95,7 @@ An example event for `log` looks as following:
"type": "logs"
},
"ecs": {
- "version": "8.8.0"
+ "version": "8.9.0"
},
"elastic_agent": {
"id": "e30119bc-b47d-4e56-86e3-4a9683305c6e",
@@ -218,16 +218,16 @@ An example event for `log` looks as following:
| error.message | Error message. | match_only_text |
| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
| event.module | Event module | constant_keyword |
| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
diff --git a/packages/citrix_waf/kibana/tags.yml b/packages/citrix_waf/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/citrix_waf/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/citrix_waf/manifest.yml b/packages/citrix_waf/manifest.yml
index e1688b30257..c3cbe4121ea 100644
--- a/packages/citrix_waf/manifest.yml
+++ b/packages/citrix_waf/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.7.0
+format_version: "3.0.0"
name: citrix_waf
title: "Citrix Web App Firewall"
-version: "1.7.0"
+version: "1.10.0"
description: Ingest events from Citrix Systems Web App Firewall.
type: integration
categories:
@@ -9,7 +9,8 @@ categories:
- security
- web_application_firewall
conditions:
- kibana.version: "^8.3.0"
+ kibana:
+ version: "^8.3.0"
icons:
- src: /img/Citrix_Systems_logo.svg
title: Citrix Systems
@@ -36,3 +37,4 @@ policy_templates:
description: Collecting logs from Citrix Web App Firewall via file
owner:
github: elastic/security-external-integrations
+ type: elastic
diff --git a/packages/cloud_defend/changelog.yml b/packages/cloud_defend/changelog.yml
index f5015dc5d55..df5b1e665a9 100644
--- a/packages/cloud_defend/changelog.yml
+++ b/packages/cloud_defend/changelog.yml
@@ -1,4 +1,29 @@
# newer versions go on top
+- version: "1.2.1-preview2"
+ changes:
+ - description: Updates manifest format version to 3.0.0. lifecycle.yml files added.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7805
+- version: "1.2.1-preview"
+ changes:
+ - description: Adds metrics-cloud_defend.heartbeat index
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7571
+- version: "1.2.0"
+ changes:
+ - description: Release - Updates documentation to allow for new 'process blocking' feature.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7581
+- version: "1.2.0-preview"
+ changes:
+ - description: Updates documentation to allow for new 'process blocking' feature.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6987
+- version: "1.1.0"
+ changes:
+ - description: Ensure event.kind is correctly set for pipeline errors.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7047
- version: "1.0.7"
changes:
- description: Documentation fix.
diff --git a/packages/cloud_defend/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/cloud_defend/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
index 8bfa2c46035..ee6dcb18451 100644
--- a/packages/cloud_defend/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cloud_defend/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
@@ -23,6 +23,9 @@ processors:
field: data_stream.type
value: 'logs'
on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
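Review bot: The failure handler appends only `_ingest.on_failure_message`, so a `pipeline_error` document does not say which processor failed, which slows triage of ingest errors in the alerts stream. The ingest metadata also exposes `_ingest.on_failure_processor_type` and `_ingest.on_failure_processor_tag`; a single value such as `value: 'Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} failed with message: {{{ _ingest.on_failure_message }}}'` keeps the diagnostic in `error.message` without another processor. The same handler is introduced in the cloud_defend `file` and `process` pipelines and in the cloud_security_posture `findings` and `vulnerabilities` pipelines; the `processors` list of this file begins before the hunk.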
diff --git a/packages/cloud_defend/data_stream/alerts/lifecycle.yml b/packages/cloud_defend/data_stream/alerts/lifecycle.yml
new file mode 100644
index 00000000000..b56a81e81d7
--- /dev/null
+++ b/packages/cloud_defend/data_stream/alerts/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "30d"
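Review bot: `data_retention: "30d"` on the alerts data stream carries no comment on why a 30-day window was chosen, and the changelog entry in this commit only records that lifecycle files were added. Alerts are what an investigation looks back over, so a comment such as `# Default data stream lifecycle retention; raise per deployment if alerts must be kept longer for investigation or compliance` would tell operators that overriding it is expected rather than a deviation. The identical value is introduced for the file, process, heartbeat and metrics streams in this commit.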
diff --git a/packages/cloud_defend/data_stream/file/elasticsearch/ingest_pipeline/default.yml b/packages/cloud_defend/data_stream/file/elasticsearch/ingest_pipeline/default.yml
index dde2f3363ec..a91f34319d4 100644
--- a/packages/cloud_defend/data_stream/file/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cloud_defend/data_stream/file/elasticsearch/ingest_pipeline/default.yml
@@ -23,6 +23,9 @@ processors:
field: data_stream.type
value: 'logs'
on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/cloud_defend/data_stream/file/lifecycle.yml b/packages/cloud_defend/data_stream/file/lifecycle.yml
new file mode 100644
index 00000000000..b56a81e81d7
--- /dev/null
+++ b/packages/cloud_defend/data_stream/file/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "30d"
diff --git a/packages/cloud_defend/data_stream/heartbeat/agent/stream/stream.yml.hbs b/packages/cloud_defend/data_stream/heartbeat/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..1ab6fa7e7df
--- /dev/null
+++ b/packages/cloud_defend/data_stream/heartbeat/agent/stream/stream.yml.hbs
@@ -0,0 +1 @@
+period: {{period}}
diff --git a/packages/cloud_defend/data_stream/heartbeat/fields/base-fields.yml b/packages/cloud_defend/data_stream/heartbeat/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/cloud_defend/data_stream/heartbeat/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/cloud_defend/data_stream/heartbeat/fields/fields.yml b/packages/cloud_defend/data_stream/heartbeat/fields/fields.yml
new file mode 100644
index 00000000000..6cb513091fd
--- /dev/null
+++ b/packages/cloud_defend/data_stream/heartbeat/fields/fields.yml
@@ -0,0 +1,3 @@
+- name: cloud_defend.block_action_enabled
+ type: boolean
+ description: Indicates whether the policy configuring the current node contains blocking actions
diff --git a/packages/cloud_defend/data_stream/heartbeat/lifecycle.yml b/packages/cloud_defend/data_stream/heartbeat/lifecycle.yml
new file mode 100644
index 00000000000..b56a81e81d7
--- /dev/null
+++ b/packages/cloud_defend/data_stream/heartbeat/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "30d"
diff --git a/packages/cloud_defend/data_stream/heartbeat/manifest.yml b/packages/cloud_defend/data_stream/heartbeat/manifest.yml
new file mode 100644
index 00000000000..ceabe511d01
--- /dev/null
+++ b/packages/cloud_defend/data_stream/heartbeat/manifest.yml
@@ -0,0 +1,12 @@
+title: "Cloud Defend Liveness Heartbeat"
+type: metrics
+streams:
+ - input: cloud_defend/control
+ title: Cloud Defend Heartbeat
+ template_path: stream.yml.hbs
+ description: Collect liveness and uptime metrics for cloud defend
+ vars:
+ - name: period
+ type: text
+ title: Period
+ default: 30m
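Review bot: The `period` var at the end of the hunk has no `description`, and the new `stream.yml.hbs` writes it verbatim as `period: {{period}}`, so a value in an unexpected format is only rejected when the agent loads the policy. Add `description: Interval between liveness heartbeats, in the same duration format as the default (e.g. 30m)` under the var so the accepted format is visible in the policy editor and the generated README.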
diff --git a/packages/cloud_defend/data_stream/metrics/lifecycle.yml b/packages/cloud_defend/data_stream/metrics/lifecycle.yml
new file mode 100644
index 00000000000..b56a81e81d7
--- /dev/null
+++ b/packages/cloud_defend/data_stream/metrics/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "30d"
diff --git a/packages/cloud_defend/data_stream/process/elasticsearch/ingest_pipeline/default.yml b/packages/cloud_defend/data_stream/process/elasticsearch/ingest_pipeline/default.yml
index f4e96c34ab1..281a24ce12e 100644
--- a/packages/cloud_defend/data_stream/process/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cloud_defend/data_stream/process/elasticsearch/ingest_pipeline/default.yml
@@ -23,6 +23,9 @@ processors:
field: data_stream.type
value: 'logs'
on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/cloud_defend/data_stream/process/lifecycle.yml b/packages/cloud_defend/data_stream/process/lifecycle.yml
new file mode 100644
index 00000000000..b56a81e81d7
--- /dev/null
+++ b/packages/cloud_defend/data_stream/process/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "30d"
diff --git a/packages/cloud_defend/docs/README.md b/packages/cloud_defend/docs/README.md
index dc9678084b7..7534b6a6019 100644
--- a/packages/cloud_defend/docs/README.md
+++ b/packages/cloud_defend/docs/README.md
@@ -164,7 +164,7 @@ responses:
| --------- | ----------- |
| `log` | Sends events to the `logs-cloud_defend.file-*` data stream for `file` responses, and the `logs-cloud_defend.process-*` data stream for `process` responses. |
| `alert` | Writes events (file or process) to the `logs-cloud_defend.alerts-*` data stream. |
-| `block` | Prevents the system operation from proceeding. This blocking action happens *prior* to the execution of the event. It is required that the `alert` action be set if `block` is enabled. *Note: Currently `block` is only supported on file operations. Process blocking coming soon!* |
+| `block` | Prevents the system operation from proceeding. This blocking action happens *prior* to the execution of the event. It is required that the `alert` action be set if `block` is enabled.
## Example
@@ -319,7 +319,6 @@ The following fields are populated for all events where `event.category: process
| [process.previous.executable](https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-previous-executable) | '/bin/bash' |
| [process.session_leader.args](https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-args) | ['bash'] |
| [process.session_leader.entity_id](https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-entity-id) | 'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ==' |
-| [process.session_leader.entry_meta.type](https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-entry-meta-type) | 'container' |
| [process.session_leader.executable](https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-executable) | '/bin/bash' |
| [process.session_leader.group.id](https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-group-id) | '0' |
| [process.session_leader.interactive](https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-interactive) | true |
@@ -419,6 +418,6 @@ The following fields are populated for all events where `event.category: file`
| File event exports | ✅ | ✅ |
| Drift prevention | ✅ | ✅ |
| Mount point awareness | ✅ | ✅ |
-| Process blocking| Coming soon | Coming soon |
+| Process blocking| ✅ | ✅ |
| Network event exports | Coming soon | Coming soon |
| Network blocking| Coming soon | Coming soon |
diff --git a/packages/cloud_defend/manifest.yml b/packages/cloud_defend/manifest.yml
index 4f5ea6e2071..77641a5b32b 100644
--- a/packages/cloud_defend/manifest.yml
+++ b/packages/cloud_defend/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 2.3.0
+format_version: 3.0.0
name: cloud_defend
title: "Defend for Containers"
-version: 1.0.7
+version: 1.2.1-preview2
source:
license: "Elastic-2.0"
description: "Elastic Defend for Containers (BETA) provides cloud-native runtime protections for containerized environments."
@@ -11,7 +11,8 @@ categories:
- kubernetes
- security
conditions:
- kibana.version: "^8.8.0"
+ kibana:
+ version: ^8.11.0
screenshots:
- src: /img/control-policy-general-view-screenshot.png
title: Control policy general view screenshot
@@ -57,4 +58,5 @@ policy_templates:
- match: [executableChanges]
actions: [alert]
owner:
+ type: elastic
github: elastic/sec-cloudnative-integrations
diff --git a/packages/cloud_security_posture/changelog.yml b/packages/cloud_security_posture/changelog.yml
index 81c443e737b..20019c8273c 100644
--- a/packages/cloud_security_posture/changelog.yml
+++ b/packages/cloud_security_posture/changelog.yml
@@ -1,12 +1,60 @@
# newer versions go on top
# version map:
+# 1.6.x - 8.11.x
# 1.5.x - 8.10.x
# 1.4.x - 8.9.x
# 1.3.x - 8.8.x
# 1.2.x - 8.7.x
-
-- version: "1.5.0-preview21"
+- version: "1.6.0-preview13"
changes:
+ - description: Add support for Azure benchmark
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7892
+ - description: Add support for GCP organizations
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7403
+ - description: Add mapping to CSPM org fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7818
+- version: "1.5.2"
+ changes:
+ - description: Refactor GCP credentials
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7546
+ - description: Validate OrganizationalUnitIds in CloudFormation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7605
+- version: "1.5.1"
+ changes:
+ - description: Bump version to 1.5.1
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7493
+ - description: Remove capitalization and change type for tags
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7485
+- version: "1.5.0"
+ changes:
+ - description: Add CIS GCP rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7390
+ - description: Remove default value for project id
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/7379
+ - description: Add vulnerability mappings
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1176
+ - description: Ensure event.kind is correctly set for pipeline errors.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7048
+ - description: Add a cloudshell url for the GCP CSPM integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7235
+ - description: Added ingest processor to copy cluster_id to orchestrator.cluster.id
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7185
+ - description: Seperate KSPM and CSPM cloudformation templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6899
- description: Modify CIS GCP config
type: enhancement
link: https://github.com/elastic/integrations/pull/6687
@@ -16,7 +64,7 @@
- description: Update CloudFormation template to use al2023 AMI and increased EBS volume size
type: enhancement
link: https://github.com/elastic/integrations/pull/6699
-- version: "1.4.0-preview22"
+- version: "1.4.0"
changes:
- description: Populate new CloudFormation param ElasticArtifactServer
type: enhancement
diff --git a/packages/cloud_security_posture/data_stream/findings/agent/stream/gcp.yml.hbs b/packages/cloud_security_posture/data_stream/findings/agent/stream/gcp.yml.hbs
index 6aa06e5fab5..df9ee14367a 100644
--- a/packages/cloud_security_posture/data_stream/findings/agent/stream/gcp.yml.hbs
+++ b/packages/cloud_security_posture/data_stream/findings/agent/stream/gcp.yml.hbs
@@ -4,11 +4,17 @@ config:
deployment: gcp
benchmark: cis_gcp
gcp:
- project_id: {{project_id}}
+ {{#if gcp.project_id}}
+ project_id: {{gcp.project_id}}
+ {{/if}}
+ {{#if gcp.organization_id}}
+ organization_id: {{gcp.organization_id}}
+ {{/if}}
+ account_type: {{gcp.account_type}}
credentials:
- {{#if credentials_file}}
- credentials_file_path: {{credentials_file}}
+ {{#if gcp.credentials.file}}
+ credentials_file_path: {{gcp.credentials.file}}
+ {{/if}}
+ {{#if gcp.credentials.json}}
+ credentials_json: '{{gcp.credentials.json}}'
{{/if}}
- {{#if credentials_json}}
- credentials_json: '{{credentials_json}}'
- {{/if}}
\ No newline at end of file
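Review bot: `credentials_json` is interpolated inside single quotes, so a service-account JSON document containing a literal `'` produces invalid YAML unless Fleet escapes the value before substitution, which I could not confirm from the template. The manifest declares a `gcp.credentials.type` var but the template never consults it, so when both `gcp.credentials.file` and `gcp.credentials.json` are set both keys are emitted and precedence is left to cloudbeat. Likewise neither `gcp.project_id` nor `gcp.organization_id` is required, so the template can emit `account_type` with no target scope at all and the error surfaces only at runtime; a short comment in the template stating which combination each `account_type` expects, or making the relevant id required in the manifest, would close that gap.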
diff --git a/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml b/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml
index caffca6aed2..71da37a8f5f 100644
--- a/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml
@@ -9,7 +9,15 @@ processors:
value: 'kspm'
description: 'Backward compatibility cloudbeat version < 8.7'
if: ctx.rule?.benchmark?.posture_type == null
-on_failure:
- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ field: orchestrator.cluster.id
+ copy_from: cluster_id
+ description: 'Backward compatibility cloudbeat version < 8.8'
+ if: ctx.orchestrator?.cluster?.id == null
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
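Review bot: The new `set` with `copy_from: cluster_id` throws when `cluster_id` is absent from the document, and since its condition checks only `orchestrator.cluster.id`, any finding without a top-level `cluster_id` would be routed to `on_failure` and tagged `pipeline_error` instead of being indexed normally. Guard the source field as well: `if: ctx.orchestrator?.cluster?.id == null && ctx.cluster_id != null` (or add `ignore_empty_value: true` to the processor). The `processors` list starts before this hunk, so I could not see whether an earlier processor guarantees the field.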
diff --git a/packages/cloud_security_posture/data_stream/findings/fields/cloud.yml b/packages/cloud_security_posture/data_stream/findings/fields/cloud.yml
new file mode 100644
index 00000000000..6d52c30820d
--- /dev/null
+++ b/packages/cloud_security_posture/data_stream/findings/fields/cloud.yml
@@ -0,0 +1,8 @@
+# once introduced to ecs, these fields should be moved to ecs.yml
+- name: cloud
+ type: group
+ fields:
+ - name: Organization.id
+ type: keyword
+ - name: Organization.name
+ type: keyword
\ No newline at end of file
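Review bot: The new `cloud.Organization.id` and `cloud.Organization.name` fields use a capitalised segment while ECS `cloud.*` fields are lowercase, so consumers have to remember one exception; the same mixed casing appears in the new vulnerabilities `fields/cloud.yml` (`machine.Authentication.key`, `machine.Launch_time`, `machine.Image`, `Tags`, `Security.security_groups`) and `fields/network.yml` (`Private_ip`, `Public_ip`, `Mac_addresses`). Field names become index mapping names, so renaming later is a breaking change; settling on one casing before release is cheaper. None of these fields has a `description`, so they will be listed undocumented in the generated README.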
diff --git a/packages/cloud_security_posture/data_stream/findings/manifest.yml b/packages/cloud_security_posture/data_stream/findings/manifest.yml
index 77c610cce88..d765f964786 100644
--- a/packages/cloud_security_posture/data_stream/findings/manifest.yml
+++ b/packages/cloud_security_posture/data_stream/findings/manifest.yml
@@ -107,7 +107,7 @@ streams:
show_user: false
- name: aws.credentials.type
type: text
- title: Credential type
+ title: Credentials type
multi: false
required: false
show_user: false
@@ -122,6 +122,43 @@ streams:
description: CIS Benchmark for Google Cloud Platform Foundation
template_path: gcp.yml.hbs
enabled: false
+ vars:
+ - name: gcp.account_type
+ type: text
+ title: Account Type
+ multi: false
+ required: true
+ show_user: false
+ - name: gcp.organization_id
+ type: text
+ title: Organization Id
+ multi: false
+ required: false
+ show_user: false
+ - name: gcp.project_id
+ type: text
+ title: Project Id
+ multi: false
+ required: false
+ show_user: true
+ - name: gcp.credentials.type
+ type: text
+ title: Credentials type
+ multi: false
+ required: false
+ show_user: false
+ - name: gcp.credentials.file
+ type: text
+ title: Credentials file
+ multi: false
+ required: false
+ show_user: true
+ - name: gcp.credentials.json
+ type: text
+ title: Credentials json
+ multi: false
+ required: false
+ show_user: true
- input: cloudbeat/cis_azure
title: CIS Azure Benchmark
description: CIS Benchmark for Microsoft Azure Foundations
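Review bot: `gcp.credentials.json` is declared `type: text` although it carries a service-account key; `text` vars are shown in clear in the policy editor, whereas `type: password` masks the value. Change it to `type: password` (the sibling `gcp.credentials.file` holds only a path and can stay `text`). `gcp.account_type` is `required: true` but its accepted values are not documented anywhere in the hunk; a `description` listing them, or a `type: select` with `options`, would stop a misconfiguration that otherwise surfaces only at cloudbeat runtime.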
diff --git a/packages/cloud_security_posture/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml b/packages/cloud_security_posture/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml
index 6f7216fc868..bcf1fe5c8c3 100644
--- a/packages/cloud_security_posture/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cloud_security_posture/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml
@@ -1,10 +1,18 @@
---
description: Pipeline for cloudbeat vulnerabilities
processors:
-- set:
- field: ecs.version
- value: '8.6.0'
+ - set:
+ field: ecs.version
+ value: "8.6.0"
+ - set:
+ field: cloud.service.name
+ value: "AWS EC2"
+ description: "Adding vulnerability type for cloudbeat version < 8.10"
+ if: ctx.cloud?.service?.name == null
on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
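Review bot: The `description` on the new `cloud.service.name` processor says "Adding vulnerability type", but the processor sets a cloud service name, so the comment misleads anyone reading the pipeline. Change it to `description: "Default cloud.service.name to AWS EC2 for cloudbeat version < 8.10"`. The value also hardcodes a single provider, so stating that assumption in the description keeps it from being applied to non-EC2 documents if the condition is ever widened.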
diff --git a/packages/cloud_security_posture/data_stream/vulnerabilities/fields/cloud.yml b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/cloud.yml
new file mode 100644
index 00000000000..10a3d10ea04
--- /dev/null
+++ b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/cloud.yml
@@ -0,0 +1,19 @@
+- name: cloud
+ type: group
+ fields:
+ - name: service.name
+ type: keyword
+ - name: machine.type
+ type: keyword
+ - name: machine.Authentication.key
+ type: keyword
+ - name: machine.Launch_time
+ type: keyword
+ - name: machine.Image
+ type: keyword
+ - name: Tags
+ type: object
+ - name: availability_zone
+ type: keyword
+ - name: Security.security_groups
+ type: object
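Review bot: `cloud.machine.Authentication.key` reads like credential material; if it holds only the EC2 key-pair name, say so in a `description` so nobody treats the index as containing secrets, and if it could ever carry key content it must not be indexed as `keyword` at all. `Tags` and `Security.security_groups` are typed `object` with no subfields, so depending on the template's dynamic setting every tag key present in the cloud account may become a mapped field; an explicit subfield list or `dynamic: false` would bound the mapping.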
diff --git a/packages/cloud_security_posture/data_stream/vulnerabilities/fields/ecs.yml b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/ecs.yml
index a58b8a3064a..05d199513c1 100644
--- a/packages/cloud_security_posture/data_stream/vulnerabilities/fields/ecs.yml
+++ b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/ecs.yml
@@ -80,6 +80,10 @@
external: ecs
- name: cloud.account.name
external: ecs
+- name: cloud.instance.name
+ external: ecs
+- name: cloud.instance.id
+ external: ecs
- name: cloud.provider
external: ecs
- name: cloud.region
diff --git a/packages/cloud_security_posture/data_stream/vulnerabilities/fields/network.yml b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/network.yml
new file mode 100644
index 00000000000..3152379d5c5
--- /dev/null
+++ b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/network.yml
@@ -0,0 +1,9 @@
+- name: network
+ type: group
+ fields:
+ - name: Private_ip
+ type: keyword
+ - name: Public_ip
+ type: keyword
+ - name: Mac_addresses
+ type: keyword
diff --git a/packages/cloud_security_posture/data_stream/vulnerabilities/fields/resource.yml b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/resource.yml
index 425eb9530e9..91525c1d26b 100644
--- a/packages/cloud_security_posture/data_stream/vulnerabilities/fields/resource.yml
+++ b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/resource.yml
@@ -1,3 +1,4 @@
+# Deprecated replaced by cloud.instance fields
- name: resource
type: group
fields:
diff --git a/packages/cloud_security_posture/data_stream/vulnerabilities/fields/vulnerability.yml b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/vulnerability.yml
index 1ee67cb12db..dfb0ab8748f 100644
--- a/packages/cloud_security_posture/data_stream/vulnerabilities/fields/vulnerability.yml
+++ b/packages/cloud_security_posture/data_stream/vulnerabilities/fields/vulnerability.yml
@@ -1,6 +1,7 @@
- name: vulnerability
type: group
fields:
+ # Deprecated replaced by category
- name: class
type: keyword
- name: package.version
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/05480064-f899-53e8-b8ad-34172b09b400.json b/packages/cloud_security_posture/kibana/csp_rule_template/05480064-f899-53e8-b8ad-34172b09b400.json
new file mode 100644
index 00000000000..b42c608213d
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/05480064-f899-53e8-b8ad-34172b09b400.json
@@ -0,0 +1,38 @@
+{
+ "id": "05480064-f899-53e8-b8ad-34172b09b400",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Deleting user-managed Service Account Keys may break communication with the applications using the corresponding keys.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts",
+ "id": "05480064-f899-53e8-b8ad-34172b09b400",
+ "name": "Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account",
+ "profile_applicability": "* Level 1",
+ "description": "User managed service accounts should not have user-managed keys.",
+ "rationale": "Anyone who has access to the keys will be able to access resources through the service account.\n\nGCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine.\nThese keys cannot be downloaded.\nGoogle will keep the keys and automatically rotate them on an approximately weekly basis.\nUser-managed keys are created, downloadable, and managed by users.\nThey expire 10 years from creation.\n\nFor user-managed keys, the user has to take ownership of key management activities which include:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\n\nEven with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels.\n\nIt is recommended to prevent user-managed service account keys.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the IAM page in the GCP Console using `https://console.cloud.google.com/iam-admin/iam`\n\n2. In the left navigation pane, click `Service accounts`. All service accounts and their corresponding keys are listed.\n\n3. Click the service accounts and check if keys exist.\n\n**From Google Cloud CLI**\n\nList All the service accounts:\n\n```\ngcloud iam service-accounts list\n```\nIdentify user-managed service accounts as such account `EMAIL` ends with `iam.gserviceaccount.com`\n\nFor each user-managed service account, list the keys managed by the user:\n```\ngcloud iam service-accounts keys list --iam-account= --managed-by=user\n```\nNo keys should be listed.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the IAM page in the GCP Console using `https://console.cloud.google.com/iam-admin/iam`\n\n2. In the left navigation pane, click `Service accounts`. All service accounts and their corresponding keys are listed.\n\n3. Click the service account.\n\n4. Click the `edit` and delete the keys.\n\n**From Google Cloud CLI**\n\nTo delete a user managed Service Account Key,\n\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n\n**Prevention:**\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation](https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation).\nLearn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts)\n\nIn addition, if you do not need to have service accounts in your project, you can also prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation](https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation).",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.4",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.4",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_4"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
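Review bot: The CLI examples in `audit` and `remediation` have lost their argument placeholders: `gcloud iam service-accounts keys list --iam-account= --managed-by=user` and `gcloud iam service-accounts keys delete --iam-account= ` are missing the account email and key id, so the commands as printed are not runnable. The angle-bracket tokens of the source benchmark appear to have been stripped during import, plausibly because a converter treated them as HTML tags. The same loss shows in the other templates in this commit: the empty metric name in 0e318770 (`at least one metric `` is present`, `logging.googleapis.com/user/`), the instance name in 1316108c (`gcloud sql instances patch --database-flags ...`), `--region --trail-name` and the bucket in `arn:aws:s3:::/` in 15c6f217, and `--display-name=\"\"`, `api-keys update ` and `api-keys delete ` in 2b7b51e2. Restoring the placeholders in a form without angle brackets, such as `SA_EMAIL` and `KEY_ID`, would survive the import step.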
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/0e318770-7077-5996-afd8-27ca34fc5446.json b/packages/cloud_security_posture/kibana/csp_rule_template/0e318770-7077-5996-afd8-27ca34fc5446.json
new file mode 100644
index 00000000000..bec1996b82e
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/0e318770-7077-5996-afd8-27ca34fc5446.json
@@ -0,0 +1,38 @@
+{
+ "id": "0e318770-7077-5996-afd8-27ca34fc5446",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/vpc/docs/firewalls",
+ "id": "0e318770-7077-5996-afd8-27ca34fc5446",
+ "name": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes",
+ "profile_applicability": "* Level 2",
+ "description": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.",
+ "rationale": "Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.",
+ "audit": "**From Google Cloud Console**\n\n**Ensure that the prescribed log metric is present:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure at least one metric `` is present with this filter text:\n\n```\nresource.type=\"gce_firewall_rule\" \nAND (protoPayload.methodName:\"compute.firewalls.patch\" \nOR protoPayload.methodName:\"compute.firewalls.insert\"\nOR protoPayload.methodName:\"compute.firewalls.delete\")\n```\n\n**Ensure that the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of zero(0) for greater than zero(0) seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that appropriate notification channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure that the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to: \n\n```\nresource.type=\"gce_firewall_rule\" \nAND (protoPayload.methodName:\"compute.firewalls.patch\" \nOR protoPayload.methodName:\"compute.firewalls.insert\"\nOR protoPayload.methodName:\"compute.firewalls.delete\")\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. 
List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. Ensure that the output contains an least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`",
+ "remediation": "**From Google Cloud Console**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n\n```\nresource.type=\"gce_firewall_rule\" \nAND (protoPayload.methodName:\"compute.firewalls.patch\" \nOR protoPayload.methodName:\"compute.firewalls.insert\"\nOR protoPayload.methodName:\"compute.firewalls.delete\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed Alert Policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page displays.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notifications channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed Log Metric\n- Use the command: gcloud logging metrics create \n\nCreate the prescribed alert policy: \n- Use the command: gcloud alpha monitoring policies create",
+ "section": "Logging and Monitoring",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 2.7",
+ "Logging and Monitoring"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "2.7",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_2_7"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
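Review bot: The `audit` text for this firewall-rule-change rule still talks about owner changes: step 4 says the alert `will trigger for any new owner change`, and remediation step 9 says `a notification is triggered for every owner change in the project`. That wording looks carried over from the project-ownership rule (CIS 2.4) and should read `for any firewall rule change`. The filter itself (`resource.type=\"gce_firewall_rule\"` with the patch/insert/delete method names) is correct for this rule, so only the prose needs fixing.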
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/1316108c-33a8-5198-9529-45716c5a87b1.json b/packages/cloud_security_posture/kibana/csp_rule_template/1316108c-33a8-5198-9529-45716c5a87b1.json
new file mode 100644
index 00000000000..aefaf53fc81
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/1316108c-33a8-5198-9529-45716c5a87b1.json
@@ -0,0 +1,38 @@
+{
+ "id": "1316108c-33a8-5198-9529-45716c5a87b1",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT",
+ "id": "1316108c-33a8-5198-9529-45716c5a87b1",
+ "name": "Ensure That the \u2018Log_min_duration_statement\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018-1\u2032 (Disabled)",
+ "profile_applicability": "* Level 1",
+ "description": "The `log_min_duration_statement` flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged.\nEnsure that `log_min_duration_statement` is disabled, i.e., a value of `-1` is set.",
+ "rationale": "Logging SQL statements may include sensitive information that should not be recorded in logs.\nThis recommendation is applicable to PostgreSQL database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page.\n3. Go to the `Configuration` card.\n4. Under `Database flags`, check that the value of `log_min_duration_statement` flag is set to `-1`.\n\n**From Google Cloud CLI**\n\n5. Use the below command for every Cloud SQL PostgreSQL database instance to verify the value of `log_min_duration_statement` is set to `-1`.\n```\ngcloud sql instances list --format=json| jq '.settings.databaseFlags[] | select(.name==\"log_min_duration_statement\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. List all Cloud SQL database instances using the following command:\n```\ngcloud sql instances list\n```\n9. Configure the `log_min_duration_statement` flag for every Cloud SQL PosgreSQL database instance using the below command:\n```\ngcloud sql instances patch --database-flags log_min_duration_statement=-1\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "PostgreSQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.2.7",
+ "PostgreSQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.2.7",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_2_7"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
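Review bot: The audit command `gcloud sql instances list --format=json| jq '.settings.databaseFlags[] | select(.name==\"log_min_duration_statement\")|.value'` should fail, because `instances list` returns a JSON array and `.settings` cannot be applied to an array; the path needs to be `.[].settings.databaseFlags[] | select(.name==\"log_min_duration_statement\") | .value`. The rule `name` closes the quoted flag with a prime (`\u2032`) instead of the matching right single quote (`\u2019`). Remediation step 2 says `where the database flag needs to be enabled` although the rule sets the flag to `-1` (disabled), and step 9 misspells `PosgreSQL`.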
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/15c6f217-2ae2-5bb4-8ebe-f40adf02910d.json b/packages/cloud_security_posture/kibana/csp_rule_template/15c6f217-2ae2-5bb4-8ebe-f40adf02910d.json
index 76b8ef4c47b..ac3aefc25b6 100644
--- a/packages/cloud_security_posture/kibana/csp_rule_template/15c6f217-2ae2-5bb4-8ebe-f40adf02910d.json
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/15c6f217-2ae2-5bb4-8ebe-f40adf02910d.json
@@ -12,7 +12,7 @@
"description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events.\nBy default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
"rationale": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.",
"audit": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set.\n5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set.\n6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.\n\n**From Command Line:**\n7. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region:\n```\naws cloudtrail describe-trails --region --output table --query trailList[*].Name\n```\n8. The command output will be table of the requested trail names.\n9. Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources:\n```\naws cloudtrail get-event-selectors --region --trail-name --query EventSelectors[*].DataResources[]\n```\n10. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n11. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n12. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events.\n13. 
Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.",
- "remediation": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled.\n6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.\n\n**From Command Line:**\n7. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]'\n```\n8. The command output will be `object-level` event trail configuration.\n9. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n10. Repeat step 1 for each s3 bucket to update `object-level` logging of read events.\n11. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
+ "remediation": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled.\n6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.\n\n**From Command Line:**\n7. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{\n \"ReadWriteType\": \"ReadOnly\",\n \"IncludeManagementEvents\": true,\n \"DataResources\": [\n {\n \"Type\": \"AWS::S3::Object\",\n \"Values\": [\n \"arn:aws:s3:::/\"\n ]\n }\n ]\n}]'\n```\n8. The command output will be `object-level` event trail configuration.\n9. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n10. Repeat step 1 for each s3 bucket to update `object-level` logging of read events.\n11. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
"section": "Logging",
"version": "1.0",
"tags": [
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/23e5f81e-ca05-53bf-8109-7e676feecee3.json b/packages/cloud_security_posture/kibana/csp_rule_template/23e5f81e-ca05-53bf-8109-7e676feecee3.json
new file mode 100644
index 00000000000..93ff774cb3a
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/23e5f81e-ca05-53bf-8109-7e676feecee3.json
@@ -0,0 +1,38 @@
+{
+ "id": "23e5f81e-ca05-53bf-8109-7e676feecee3",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "All Secure Shell (SSH) connections from outside of the network to the concerned VPC(s) will be blocked. There could be a business need where SSH access is required from outside of the network to access resources associated with the VPC. In that case, specific source IP(s) should be mentioned in firewall rules to white-list access to SSH port for the concerned VPC(s).",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n2. https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts",
+ "id": "23e5f81e-ca05-53bf-8109-7e676feecee3",
+ "name": "Ensure That SSH Access Is Restricted From the Internet",
+ "profile_applicability": "* Level 2",
+ "description": "GCP `Firewall Rules` are specific to a `VPC Network`.\nEach rule either `allows` or `denies` traffic when its conditions are met.\nIts conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.\n\nFirewall rules are defined at the VPC network level and are specific to the network in which they are defined.\nThe rules themselves cannot be shared among networks.\nFirewall rules only support IPv4 traffic.\nWhen specifying a source for an ingress rule or a destination for an egress rule by address, only an `IPv4` address or `IPv4 block in CIDR` notation can be used.\nGeneric `(0.0.0.0/0)` incoming traffic from the internet to VPC or VM instance using `SSH` on `Port 22` can be avoided.",
+ "rationale": "GCP `Firewall Rules` within a `VPC Network` apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.\nEgress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).\nFor an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.\nThis route simply defines the path to the Internet, to avoid the most general `(0.0.0.0/0)` destination `IP Range` specified from the Internet through `SSH` with the default `Port 22`.\nGeneric access from the Internet to a specific IP Range needs to be restricted.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to `VPC network`.\n2. Go to the `Firewall Rules`.\n3. Ensure that `Port` is not equal to `22` and `Action` is not set to `Allow`.\n4. Ensure `IP Ranges` is not equal to `0.0.0.0/0` under `Source filters`.\n\n**From Google Cloud CLI**\n\n gcloud compute firewall-rules list --format=table'(name,direction,sourceRanges,allowed)'\n\nEnsure that there is no rule matching the below criteria:\n- `SOURCE_RANGES` is `0.0.0.0/0`\n- AND `DIRECTION` is `INGRESS`\n- AND IPProtocol is `tcp` or `ALL`\n- AND `PORTS` is set to `22` or `range containing 22` or `Null (not set)`\n\nNote: \n- When ALL TCP ports are allowed in a rule, PORT does not have any value set (`NULL`)\n- When ALL Protocols are allowed in a rule, PORT does not have any value set (`NULL`)",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to `VPC Network`.\n2. Go to the `Firewall Rules`.\n3. Click the `Firewall Rule` you want to modify.\n4. Click `Edit`.\n5. Modify `Source IP ranges` to specific `IP`.\n6. Click `Save`.\n\n**From Google Cloud CLI**\n\n7. 1.Update the Firewall rule with the new `SOURCE_RANGE` from the below command:\n\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]",
+ "section": "Networking",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 3.6",
+ "Networking"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "3.6",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_3_6"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
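Review bot: The audit criteria only check for `SOURCE_RANGES` of `0.0.0.0/0`, so an ingress rule allowing tcp/22 from `::/0` would pass as written; GCP VPC firewall rules do accept IPv6 ranges, and the description's statement that `Firewall rules only support IPv4 traffic` is out of date. If the backing rego check (`cis_3_6`) mirrors this text it has the same blind spot, which I cannot see from this hunk. Extending the criterion to `SOURCE_RANGES is 0.0.0.0/0 or ::/0` and dropping the IPv4-only sentence would keep the rule text accurate. Remediation step 7 also carries a stray `1.` (`7. 1.Update the Firewall rule`).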
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc.json b/packages/cloud_security_posture/kibana/csp_rule_template/2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc.json
new file mode 100644
index 00000000000..8e77d7b5ad4
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc.json
@@ -0,0 +1,38 @@
+{
+ "id": "2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "`Regenerating Key` may break existing client connectivity as the client will try to connect with older API keys they have stored on devices.",
+ "default_value": "",
+ "references": "1. https://developers.google.com/maps/api-security-best-practices#regenerate-apikey\n2. https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys",
+ "id": "2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc",
+ "name": "Ensure API Keys Are Rotated Every 90 Days",
+ "profile_applicability": "* Level 2",
+ "description": "API Keys should only be used for services in cases where other authentication methods are unavailable.\nIf they are in use it is recommended to rotate API keys every 90 days.",
+ "rationale": "Security risks involved in using API-Keys are listed below:\n\n- API keys are simple encrypted strings\n\n- API keys do not identify the user or the application making the API request\n\n- API keys are typically accessible to clients, making it easy to discover and steal an API key\n\nBecause of these potential risks, Google recommends using the standard authentication flow instead of API Keys.\nHowever, there are limited cases where API keys are more appropriate.\nFor example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.\n\nOnce a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key.\n\nRotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.\n\n\nAPI keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the section `API Keys`, for every key ensure the `creation date` is less than 90 days.\n\n**From Google Cloud CLI**\n\nTo list keys, use the command\n\n```\ngcloud services api-keys list\n```\nEnsure the date in `createTime` is within 90 days.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the section `API Keys`, Click the `API Key Name`. The API Key properties display on a new page.\n\n3. Click `REGENERATE KEY` to rotate API key.\n\n4. Click `Save`.\n\n5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.\n\n**Note:** Do not set `HTTP referrers` to wild-cards (* or *.[TLD] or *.[TLD]/*) allowing access to any/wide HTTP referrer(s)\nDo not set `IP addresses` and referrer to `any host (0.0.0.0 or 0.0.0.0/0 or ::0)`\n\n**From Google Cloud CLI**\n\nThere is not currently a way to regenerate and API key using gcloud commands.\nTo 'regenerate' a key you will need to create a new one, duplicate the restrictions from the key being rotated, and delete the old key.\n\n6. List existing keys.\n```\ngcloud services api-keys list\n```\n7. Note the `UID` and restrictions of the key to regenerate.\n\n8. Run this command to create a new API key. is the display name of the new key.\n````\ngcloud alpha services api-keys create --display-name=\"\"\n````\nNote the `UID` of the newly created key\n\n9. Run the update command to add required restrictions. \n\nNote - the restriction may vary for each key.\nRefer to this documentation for the appropriate flags.\nhttps://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update\n```\ngcloud alpha services api-keys update \n```\n10. Delete the old key.\n```\ngcloud alpha services api-keys delete \n```",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.15",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.15",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_15"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
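Review bot: The `audit` lists keys with the GA command `gcloud services api-keys list`, while `remediation` switches to `gcloud alpha services api-keys create/update/delete` and the references link to the `alpha` reference docs; both halves should use the same release track, and the GA `gcloud services api-keys` group is the one to prefer if it covers all of these subcommands (I cannot verify that from the hunk). The rationale's phrase `API keys are simple encrypted strings` is misleading, since the keys are plain bearer strings, which is exactly why their theft is the risk the rule describes; `simple unencrypted strings` would match the surrounding argument. Also `There is not currently a way to regenerate and API key` should read `an API key`.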
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/2f7d9d2a-ec1f-545a-8258-ea62bbffad7f.json b/packages/cloud_security_posture/kibana/csp_rule_template/2f7d9d2a-ec1f-545a-8258-ea62bbffad7f.json
new file mode 100644
index 00000000000..9b3d1c80005
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/2f7d9d2a-ec1f-545a-8258-ea62bbffad7f.json
@@ -0,0 +1,38 @@
+{
+ "id": "2f7d9d2a-ec1f-545a-8258-ea62bbffad7f",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "In order to change service account or scope for an instance, it needs to be stopped.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n2. https://cloud.google.com/compute/docs/access/service-accounts",
+ "id": "2f7d9d2a-ec1f-545a-8258-ea62bbffad7f",
+ "name": "Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs",
+ "profile_applicability": "* Level 1",
+ "description": "To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.",
+ "rationale": "Along with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account `Compute Engine default service account` for an instances to access necessary cloud services.\n`Project Editor` role is assigned to `Compute Engine default service account` hence, This service account has almost all capabilities over all cloud services except billing.\nHowever, when `Compute Engine default service account` assigned to an instance it can operate in 3 scopes.\n\n```\n1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges)\n\n2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access)\n\n3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance\n```\n\nWhen an instance is configured with `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`, based on IAM roles assigned to the user(s) accessing Instance, it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n2. Click on each instance name to go to its `VM instance details` page.\n3. Under the `API and identity management`, ensure that `Cloud API access scopes` is not set to `Allow full access to all Cloud APIs`.\n\n**From Google Cloud CLI**\n\n4. List the instances in your project and get details on each instance:\n```\ngcloud compute instances list --format=json | jq -r '.\n| \"SA Scopes: \\(.[].serviceAccounts[].scopes) Name: \\(.[].name) Email: \\(.[].serviceAccounts[].email)\"'\n```\n5. Ensure that the service account section has an email that does not match the pattern `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n**Exception:**\nVMs created by GKE should be excluded.\nThese VMs have names that start with `gke-` and are labeled `goog-gke-node",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. Click on the impacted VM instance.\n\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to be stopped.\n\n4. Next, click the `Edit` button.\n\n5. Scroll down to the `Service Account` section.\n\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n\n7. Click the `Save` button to save your changes and then click `START`.\n\n**From Google Cloud CLI**\n\n8. Stop the instance:\n```\ngcloud compute instances stop \n```\n9. Update the instance:\n```\ngcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n```\n10. Restart the instance:\n```\ngcloud compute instances start \n```",
+ "section": "Virtual Machines",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 4.2",
+ "Virtual Machines"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "4.2",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_2"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
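Review bot: The CLI commands in `remediation` have lost their argument placeholders — `gcloud compute instances stop `, `set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]` and `gcloud compute instances start ` now read as finished commands with no instance or service-account name, so a reader following the rule cannot run them as shown; restore explicit placeholders such as `gcloud compute instances stop <INSTANCE_NAME>` and `--service-account=<SERVICE_ACCOUNT_EMAIL>`. The same stripping (presumably angle-bracketed text dropped on import) affects 33299b3d (`gcloud sql instances patch --database-flags ...`), 3bfcca47 and 40ab36e3 (`log_statement=` and `log_min_error_statement=` with no value), and the reformatted command in 3ed0b9d8 (`--region --trail-name` and `arn:aws:s3:::/`), so one pass over all templates in this commit is warranted. Separately, the `audit` string ends with an unclosed backtick after `goog-gke-node`, which will render as a stray literal backtick; close the code span and end the sentence with a period.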
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/33299b3d-68da-5604-8c62-62690fd40c49.json b/packages/cloud_security_posture/kibana/csp_rule_template/33299b3d-68da-5604-8c62-62690fd40c49.json
new file mode 100644
index 00000000000..12e8454c81a
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/33299b3d-68da-5604-8c62-62690fd40c49.json
@@ -0,0 +1,38 @@
+{
+ "id": "33299b3d-68da-5604-8c62-62690fd40c49",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n2. https://cloud.google.com/sql/docs/sqlserver/flags\n3. https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n4. https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347",
+ "id": "33299b3d-68da-5604-8c62-62690fd40c49",
+ "name": "Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to set `external scripts enabled` database flag for Cloud SQL SQL Server instance to `off`",
+ "rationale": "`external scripts enabled` enable the execution of scripts with certain remote language extensions.\nThis property is OFF by default.\nWhen Advanced Analytics Services is installed, setup can optionally set this property to true.\nAs the External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.\nThis recommendation is applicable to SQL Server database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `external scripts enabled` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `off` for every Cloud SQL SQL Server database instance\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"external scripts enabled\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `external scripts enabled` database flag for every Cloud SQL SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "SQL Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.3.1",
+ "SQL Server"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.3.1",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_3_1"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
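Review bot: The `audit` jq filter `.settings.databaseFlags[]` is applied to the output of `gcloud sql instances list --format=json`, which is a JSON array, so as written jq will reject indexing the array with `settings` instead of returning the flag value; the sibling PostgreSQL rules in this commit use `.[].settings.databaseFlags[]` and this one should match, i.e. `jq '.[].settings.databaseFlags[] | select(.name==\"external scripts enabled\")|.value'`. Step 2 of `remediation` also reads `enable to database flag`; it should be `enable the database flag`.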
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/33a612ed-8dee-554d-9dd7-857bfc31a33a.json b/packages/cloud_security_posture/kibana/csp_rule_template/33a612ed-8dee-554d-9dd7-857bfc31a33a.json
new file mode 100644
index 00000000000..fc0f2a54383
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/33a612ed-8dee-554d-9dd7-857bfc31a33a.json
@@ -0,0 +1,38 @@
+{
+ "id": "33a612ed-8dee-554d-9dd7-857bfc31a33a",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "If you enable uniform bucket-level access, you revoke access from users who gain their access solely through object ACLs.\n\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot export to Cloud Storage buckets that have uniform bucket-level access enabled.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/storage/docs/uniform-bucket-level-access\n2. https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n3. https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket",
+ "id": "33a612ed-8dee-554d-9dd7-857bfc31a33a",
+ "name": "Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled",
+ "profile_applicability": "* Level 2",
+ "description": "It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.",
+ "rationale": "It is recommended to use uniform bucket-level access to unify and simplify how you grant access to your Cloud Storage resources.\n\n\nCloud Storage offers two systems for granting users permission to access your buckets and objects: Cloud Identity and Access Management (Cloud IAM) and Access Control Lists (ACLs).\nThese systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission.\nCloud IAM is used throughout Google Cloud and allows you to grant a variety of permissions at the bucket and project levels.\nACLs are used only by Cloud Storage and have limited permission options, but they allow you to grant permissions on a per-object basis.\n\nIn order to support a uniform permissioning system, Cloud Storage has uniform bucket-level access.\nUsing this feature disables ACLs for all Cloud Storage resources: access to Cloud Storage resources then is granted exclusively through Cloud IAM.\nEnabling uniform bucket-level access guarantees that if a Storage bucket is not publicly accessible, no object in the bucket is publicly accessible either.",
+ "audit": "**From Google Cloud Console**\n\n1. Open the Cloud Storage browser in the Google Cloud Console by visiting: [https://console.cloud.google.com/storage/browser](https://console.cloud.google.com/storage/browser)\n\n2. For each bucket, make sure that `Access control` column has the value `Uniform`.\n\n**From Google Cloud CLI**\n\n3. List all buckets in a project\n```\ngsutil ls\n```\n4. For each bucket, verify that uniform bucket-level access is enabled.\n```\ngsutil uniformbucketlevelaccess get gs://BUCKET_NAME/\n```\nIf uniform bucket-level access is enabled, the response looks like:\n\n```\nUniform bucket-level access setting for gs://BUCKET_NAME/:\n Enabled: True\n LockedTime: LOCK_DATE\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Open the Cloud Storage browser in the Google Cloud Console by visiting: [https://console.cloud.google.com/storage/browser](https://console.cloud.google.com/storage/browser)\n\n2. In the list of buckets, click on the name of the desired bucket.\n\n3. Select the `Permissions` tab near the top of the page.\n\n4. In the text box that starts with `This bucket uses fine-grained access control...`, click `Edit`.\n\n5. In the pop-up menu that appears, select `Uniform`.\n\n6. Click `Save`.\n\n**From Google Cloud CLI**\n\nUse the on option in a uniformbucketlevelaccess set command:\n\n```\ngsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/\n```\n\n**Prevention**\n\nYou can set up an Organization Policy to enforce that any new bucket has uniform bucket level access enabled.\nLearn more at:\n[https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket](https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket)",
+ "section": "Storage",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 5.2",
+ "Storage"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "5.2",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_5_2"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/3bfcca47-de6a-57d4-961f-3c7f5b5f699c.json b/packages/cloud_security_posture/kibana/csp_rule_template/3bfcca47-de6a-57d4-961f-3c7f5b5f699c.json
new file mode 100644
index 00000000000..21ad4d87fe1
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/3bfcca47-de6a-57d4-961f-3c7f5b5f699c.json
@@ -0,0 +1,38 @@
+{
+ "id": "3bfcca47-de6a-57d4-961f-3c7f5b5f699c",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT",
+ "id": "3bfcca47-de6a-57d4-961f-3c7f5b5f699c",
+ "name": "Ensure \u2018Log_statement\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately",
+ "profile_applicability": "* Level 2",
+ "description": "The value of `log_statement` flag determined the SQL statements that are logged.\nValid values are:\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements.\nThe value `mod` logs all ddl statements, plus data-modifying statements.\n\nThe statements are logged after a basic parsing is done and statement type is determined, thus this does not logs statements with errors.\nWhen using extended query protocol, logging occurs after an Execute message is received and values of the Bind parameters are included.\n\nA value of 'ddl' is recommended unless otherwise directed by your organization's logging policy.",
+ "rationale": "Auditing helps in forensic analysis.\nIf `log_statement` is not set to the correct value, too many statements may be logged leading to issues in finding the relevant information from the logs, or too few statements may be logged with relevant information missing from the logs.\nSetting log_statement to align with your organization's security and logging policies facilitates later auditing and review of database activities.\nThis recommendation is applicable to PostgreSQL database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Go to `Configuration` card\n4. Under `Database flags`, check the value of `log_statement` flag is set to appropriately.\n\n**From Google Cloud CLI**\n\n5. Use the below command for every Cloud SQL PostgreSQL database instance to verify the value of `log_statement`\n```\ngcloud sql instances list --format=json | jq '.[].settings.databaseFlags[] | select(.name==\"log_statement\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_statement` from the drop-down menu and set appropriate value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `log_statement` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_statement=\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "PostgreSQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.2.4",
+ "PostgreSQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.2.4",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_2_4"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
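Review bot: `remediation` step 8 spells the engine `PosgreSQL`; it should be `PostgreSQL`, and the same misspelling appears in step 8 of 40ab36e3. In `description`, `thus this does not logs statements with errors` should read `thus statements with errors are not logged`, and in `audit` step 4 `is set to appropriately` should be `is set appropriately`. These strings are rendered verbatim in the Kibana rule view, so the typos are user-visible.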
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/3ed0b9d8-c5f2-55e2-92a5-2531868e79ca.json b/packages/cloud_security_posture/kibana/csp_rule_template/3ed0b9d8-c5f2-55e2-92a5-2531868e79ca.json
index 87554772a07..eeb6c76bcda 100644
--- a/packages/cloud_security_posture/kibana/csp_rule_template/3ed0b9d8-c5f2-55e2-92a5-2531868e79ca.json
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/3ed0b9d8-c5f2-55e2-92a5-2531868e79ca.json
@@ -12,7 +12,7 @@
"description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events.\nBy default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
"rationale": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.",
"audit": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/`\n2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine.\n3. Review `General details`\n4. Confirm that `Multi-region trail` is set to `Yes`\n5. Scroll down to `Data events`\n6. Confirm that it reads:\nData events: S3\nBucket Name: All current and future S3 buckets\nRead: Enabled\nWrite: Enabled\n7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail.\nIf the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.\n\n**From Command Line:**\n\n8. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions:\n```\naws cloudtrail list-trails\n```\n9. The command output will be a list of all the trail names to include.\n\"TrailARN\": \"arn:aws:cloudtrail:::trail/\",\n\"Name\": \"\",\n\"HomeRegion\": \"\"\n10. Next run 'get-trail- command to determine Multi-region.\n```\naws cloudtrail get-trail --name --region \n```\n11. The command output should include:\n\"IsMultiRegionTrail\": true,\n12. Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets:\n```\naws cloudtrail get-event-selectors --region --trail-name --query EventSelectors[*].DataResources[]\n```\n13. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n\"Type\": \"AWS::S3::Object\",\n \"Values\": [\n \"arn:aws:s3\"\n14. 
If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n15. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered.\nIf Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.",
- "remediation": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled.\n6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.\n\n**From Command Line:**\n\n7. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]'\n```\n8. The command output will be `object-level` event trail configuration.\n9. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n10. Repeat step 1 for each s3 bucket to update `object-level` logging of write events.\n11. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
+ "remediation": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled.\n6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.\n\n**From Command Line:**\n\n7. To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{\n \"ReadWriteType\": \"WriteOnly\",\n \"IncludeManagementEvents\": true,\n \"DataResources\": [\n {\n \"Type\": \"AWS::S3::Object\",\n \"Values\": [\n \"arn:aws:s3:::/\"\n ]\n }\n ]\n}]'\n```\n8. The command output will be `object-level` event trail configuration.\n9. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n10. Repeat step 1 for each s3 bucket to update `object-level` logging of write events.\n11. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.",
"section": "Logging",
"version": "1.0",
"tags": [
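Review bot: The reformatted `put-event-selectors` example still sets `\"ReadWriteType\": \"WriteOnly\"`, while the `audit` text in the same template expects the trail to show `Read: Enabled` and `Write: Enabled`, so a user who applies this remediation verbatim will continue to fail the audit for read data events; either the selector should use `\"ReadWriteType\": \"All\"` or the remediation should state that only write events are enabled and the audit should be aligned with it. This mismatch appears to be inherited from the benchmark text rather than introduced by the reformatting. The enclosing JSON object starts and ends outside the hunk, and the break in the `audit` context line after `14. ` looks like a page-rendering artefact rather than a change in the file.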
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/40ab36e3-7438-5c36-afcd-bf5f5401366e.json b/packages/cloud_security_posture/kibana/csp_rule_template/40ab36e3-7438-5c36-afcd-bf5f5401366e.json
new file mode 100644
index 00000000000..f0099606fd7
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/40ab36e3-7438-5c36-afcd-bf5f5401366e.json
@@ -0,0 +1,38 @@
+{
+ "id": "40ab36e3-7438-5c36-afcd-bf5f5401366e",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN",
+ "id": "40ab36e3-7438-5c36-afcd-bf5f5401366e",
+ "name": "Ensure \u2018Log_min_error_statement\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018Error\u2019 or Stricter",
+ "profile_applicability": "* Level 1",
+ "description": "The `log_min_error_statement` flag defines the minimum message severity level that are considered as an error statement.\nMessages for error statements are logged with the SQL statement.\nValid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`.\nEach severity level includes the subsequent levels mentioned above.\nEnsure a value of `ERROR` or stricter is set.",
+ "rationale": "Auditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified as error messages appropriately.\nConsidering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.\nThe `log_min_error_statement` flag should be set to `ERROR` or stricter.\nThis recommendation is applicable to PostgreSQL database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Go to `Configuration` card\n4. Under `Database flags`, check the value of `log_min_error_statement` flag is configured as to `ERROR` or stricter.\n\n**From Google Cloud CLI**\n\n5. Use the below command for every Cloud SQL PostgreSQL database instance to verify the value of `log_min_error_statement` is set to `ERROR` or stricter.\n```\ngcloud sql instances list --format=json | jq '.[].settings.databaseFlags[] | select(.name==\"log_min_error_statement\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_min_error_statement` from the drop-down menu and set appropriate value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `log_min_error_statement` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_min_error_statement=\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "PostgreSQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.2.6",
+ "PostgreSQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.2.6",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_2_6"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
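Review bot: In `rationale`, `would make is difficult to find actual errors` should read `would make it difficult to find actual errors`, and `audit` step 4 `is configured as to `ERROR` or stricter` should be `is set to `ERROR` or stricter`. `references` links to the PostgreSQL 9.6 runtime-config-logging page while the sibling rule 3bfcca47 links to `/docs/current/`; pointing at `current` here as well avoids the link going stale and keeps the two templates consistent.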
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/421191d6-a13c-5c78-8c5b-102e1229655f.json b/packages/cloud_security_posture/kibana/csp_rule_template/421191d6-a13c-5c78-8c5b-102e1229655f.json
new file mode 100644
index 00000000000..217c5d42f3d
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/421191d6-a13c-5c78-8c5b-102e1229655f.json
@@ -0,0 +1,38 @@
+{
+ "id": "421191d6-a13c-5c78-8c5b-102e1229655f",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "The removed role should be assigned to a different user based on business needs.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/iam/docs/service-accounts\n2. https://cloud.google.com/iam/docs/understanding-roles\n3. https://cloud.google.com/iam/docs/granting-roles-to-service-accounts",
+ "id": "421191d6-a13c-5c78-8c5b-102e1229655f",
+ "name": "Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users",
+ "profile_applicability": "* Level 2",
+ "description": "It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.",
+ "rationale": "The built-in/predefined IAM role `Service Account admin` allows the user/identity to create, delete, and manage service account(s).\nThe built-in/predefined IAM role `Service Account User` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.\nIn Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.\n\nSeparation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.\nIt is considered best practice.\n\nNo user should have `Service Account Admin` and `Service Account User` roles assigned at the same time.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to `IAM & Admin/IAM` using `https://console.cloud.google.com/iam-admin/iam`.\n\n2. Ensure no member has the roles `Service Account Admin` and `Service account User` assigned together.\n\n**From Google Cloud CLI**\n\n3. List all users and role assignments:\n\n```\ngcloud projects get-iam-policy [Project_ID] --format json | \\\n jq -r '[\n ([\"Service_Account_Admin_and_User\"] | (., map(length*\"-\"))), \n (\n [\n .bindings[] | \n select(.role == \"roles/iam.serviceAccountAdmin\" or .role == \"roles/iam.serviceAccountUser\").members[]\n ] | \n group_by(.) | \n map({User: ., Count: length}) | \n .[] | \n select(.Count == 2).User | \n unique\n )\n ] | \n .[] | \n @tsv'\n```\n\n4. All common users listed under `Service_Account_Admin_and_User` are assigned both the `roles/iam.serviceAccountAdmin` and `roles/iam.serviceAccountUser` roles.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to `IAM & Admin/IAM` using `https://console.cloud.google.com/iam-admin/iam`.\n\n2. For any member having both `Service Account Admin` and `Service account User` roles granted/assigned, click the `Delete Bin` icon to remove either role from the member.\nRemoval of a role should be done based on the business requirements.",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.8",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.8",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_8"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
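Review bot: The jq query in `audit` filters `.role == "roles/iam.serviceAccountAdmin" or .role == "roles/iam.serviceAccountUser"` and then keeps only `select(.Count == 2)`, so it surfaces only principals bound directly to both predefined roles; a user who holds one of them through a group membership or a custom role with the same permissions is not listed even though the separation-of-duties intent is violated, and a member that appears more than twice (e.g. repeated or conditional bindings) is dropped by the exact `== 2`. Consider `select(.Count >= 2).User` and a sentence after step 4 such as `Note: this query checks direct bindings of the two predefined roles only; group-inherited grants and custom roles carrying equivalent permissions must be reviewed separately.` The role is written `Service account User` in `audit` and `remediation` but `Service Account User` in `rationale`; pick one spelling. Every new template in this commit also ends without a trailing newline (the `\ No newline at end of file` marker here and on the files below), which is worth fixing for versioned JSON.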
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4931d684-a386-5545-b2c4-47b836e0149b.json b/packages/cloud_security_posture/kibana/csp_rule_template/4931d684-a386-5545-b2c4-47b836e0149b.json
new file mode 100644
index 00000000000..e04565b3c28
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/4931d684-a386-5545-b2c4-47b836e0149b.json
@@ -0,0 +1,38 @@
+{
+ "id": "4931d684-a386-5545-b2c4-47b836e0149b",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Automated Backups will increase required size of storage and costs associated with it.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n2. https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up",
+ "id": "4931d684-a386-5545-b2c4-47b836e0149b",
+ "name": "Ensure That Cloud SQL Database Instances Are Configured With Automated Backups",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to have all SQL database instances set to enable automated backups.",
+ "rationale": "Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance.\nAutomated backups need to be set for any instance that contains data that should be protected from loss or damage.\nThis recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Click the instance name to open its instance details page.\n3. Go to the `Backups` menu.\n4. Ensure that `Automated backups` is set to `Enabled` and `Backup time` is mentioned.\n\n**From Google Cloud CLI**\n\n5. List all Cloud SQL database instances using the following command:\n```\ngcloud sql instances list\n```\n\n6. Ensure that the below command returns `True` for every Cloud SQL database instance.\n```\ngcloud sql instances describe --format=\"value('Enabled':settings.backupConfiguration.enabled)\"\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check `Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n**From Google Cloud CLI**\n\n6. List all Cloud SQL database instances using the following command:\n```\ngcloud sql instances list\n```\n\n7. Enable `Automated backups` for every Cloud SQL database instance using the below command:\n```\ngcloud sql instances patch --backup-start-time <[HH:MM]>\n```\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone, and specifies the start of a 4-hour backup window.\nBackups can start any time during the backup window.",
+ "section": "Cloud SQL Database Services",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.7",
+ "Cloud SQL Database Services"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.7",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_7"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
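Review bot: Step 6 of `audit` runs `gcloud sql instances describe --format="value('Enabled':settings.backupConfiguration.enabled)"` with no instance argument, so copied verbatim it fails; the instance-name placeholder from the source text appears to have been stripped, while the `<[HH:MM]>` placeholder in `remediation` survived. The same missing placeholders appear in 4a6a8b7a (`--zone=` and `--access-config-name ` are left empty, and the text then refers to an `ACCESS_CONFIG_NAME` that no longer appears in the command), 4eb0d962 (`log_min_messages=` with no value) and 5d7e7fce (`patch` with no instance name). Restore them with explicit placeholders, e.g. `gcloud sql instances describe <INSTANCE_NAME> --format="value('Enabled':settings.backupConfiguration.enabled)"` and `gcloud sql instances patch <INSTANCE_NAME> --backup-start-time <HH:MM>`. Minor: `remediation` step 4 closes the code span with a straight quote (`Enable automated backups'`) instead of a backtick.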
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4a6a8b7a-d7a2-5a52-af5c-70009500bbc5.json b/packages/cloud_security_posture/kibana/csp_rule_template/4a6a8b7a-d7a2-5a52-af5c-70009500bbc5.json
new file mode 100644
index 00000000000..b71fa320890
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/4a6a8b7a-d7a2-5a52-af5c-70009500bbc5.json
@@ -0,0 +1,38 @@
+{
+ "id": "4a6a8b7a-d7a2-5a52-af5c-70009500bbc5",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Removing the external IP address from your Compute instance may cause some applications to stop working.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n2. https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n3. https://cloud.google.com/compute/docs/instances/connecting-to-instance\n4. https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n5. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints",
+ "id": "4a6a8b7a-d7a2-5a52-af5c-70009500bbc5",
+ "name": "Ensure That Compute Instances Do Not Have Public IP Addresses",
+ "profile_applicability": "* Level 2",
+ "description": "Compute instances should not be configured to have external IP addresses.",
+ "rationale": "To reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. For every VM, ensure that there is no `External IP` configured.\n\n**From Google Cloud CLI**\n\n```\ngcloud compute instances list --format=json\n```\n\n3. The output should not contain an `accessConfigs` section under `networkInterfaces`. Note that the `natIP` value is present only for instances that are running or for instances that are stopped but have a static IP address. For instances that are stopped and are configured to have an ephemeral public IP address, the `natIP` field will not be present. Example output:\n\n```\nnetworkInterfaces:\n- accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n networkTier: STANDARD\n type: ONE_TO_ONE_NAT\n```\n\n**Exception:**\nInstances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings.\nInstances created by GKE should be excluded.\nThese instances have names that start with \"gke-\" and are labeled \"goog-gke-node\".",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. Click on the instance name to go the the `Instance detail page`.\n\n3. Click `Edit`.\n\n4. For each Network interface, ensure that `External IP` is set to `None`.\n\n5. Click `Done` and then click `Save`.\n\n**From Google Cloud CLI**\n\n6. Describe the instance properties:\n```\ngcloud compute instances describe --zone=\n```\n\n7. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n```\nnetworkInterfaces:\n- accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n```\n\n8. Delete the access config. \n```\ngcloud compute instances delete-access-config --zone= --access-config-name \n```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`.\nThe name of your access config might be different.\n\n**Prevention:**\nYou can configure the `Define allowed external IPs for VM instances` Organization Policy to prevent VMs from being configured with public IP addresses.\nLearn more at: [https://console.cloud.google.com/orgpolicies/compute-vmExternalIpAccess](https://console.cloud.google.com/orgpolicies/compute-vmExternalIpAccess)",
+ "section": "Virtual Machines",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 4.9",
+ "Virtual Machines"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "4.9",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_9"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
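Review bot: The `audit` field states the output should not contain an `accessConfigs` section and then shows an `Example output:` that does contain one, without saying this is the non-compliant case, so a reader can take it for the expected clean output. Label it, e.g. `Example output for a non-compliant instance (external IP present):`. The `Exception:` paragraph says `Instances created by GKE should be excluded.` twice in a row; drop the second. Excluding by the `gke-` name prefix and the `goog-gke-node` label is a heuristic rather than an ownership check, and it is worth saying so in the text so the exception is not over-trusted. In `remediation` step 2, `go the the` should read `go to the`.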
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4b11956d-7985-524e-900e-20405e2baaca.json b/packages/cloud_security_posture/kibana/csp_rule_template/4b11956d-7985-524e-900e-20405e2baaca.json
new file mode 100644
index 00000000000..0a405c84bee
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/4b11956d-7985-524e-900e-20405e2baaca.json
@@ -0,0 +1,38 @@
+{
+ "id": "4b11956d-7985-524e-900e-20405e2baaca",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Deleting an API key will break dependent applications (if any).",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/docs/authentication/api-keys\n2. https://cloud.google.com/sdk/gcloud/reference/services/api-keys/list\n3. https://cloud.google.com/docs/authentication\n4. https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/delete",
+ "id": "4b11956d-7985-524e-900e-20405e2baaca",
+ "name": "Ensure API Keys Only Exist for Active Services",
+ "profile_applicability": "* Level 2",
+ "description": "API Keys should only be used for services in cases where other authentication methods are unavailable.\nUnused keys with their permissions in tact may still exist within a project.\nKeys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides.\nIt is recommended to use standard authentication flow instead.",
+ "rationale": "To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.\nSecurity risks involved in using API-Keys appear below:\n\n- API keys are simple encrypted strings\n\n- API keys do not identify the user or the application making the API request\n\n- API keys are typically accessible to clients, making it easy to discover and steal an API key",
+ "audit": "**From Console:**\n\n1. From within the Project you wish to audit Go to `APIs & Services\\Credentials`. \n\n2. In the section `API Keys`, no API key should be listed.\n\n**From Google Cloud Command Line**\n\n3. Run the following from within the project you wish to audit **`gcloud services api-keys list --filter`**.\n\n4. There should be no keys listed at the project level.",
+ "remediation": "**From Console:**\n\n1. Go to `APIs & Services\\Credentials` using\n\n2. In the section `API Keys`, to delete API Keys: Click the `Delete Bin Icon` in front of every `API Key Name`.\n\n**From Google Cloud Command Line**\n\n3. Run the following from within the project you wish to audit **`gcloud services api-keys list --filter`**\n\n4. **Pipe the results into ** \n``gcloud alpha services api-keys delete``",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.12",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.12",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_12"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
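Review bot: `remediation` step 1 ends mid-sentence (`Go to `APIs & Services\Credentials` using`), so the console link it was meant to give is missing, and both `audit` step 3 and `remediation` step 3 run `gcloud services api-keys list --filter` with an empty `--filter`, so the filter expression was lost and the command as written fails. Either restore the expression or drop `--filter` so the command lists every key in the project, which is what step 4 (`There should be no keys listed at the project level`) checks anyway. `rationale` calls API keys `simple encrypted strings` while `description` says they can be viewed publicly from a browser; the second is the accurate framing (a key is a bearer credential, so possession alone grants its access), so consider rewording the first to `simple bearer strings`. `in tact` in `description` should be `intact`.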
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4da6e870-fed1-5822-bb2d-f6a1714bc4a8.json b/packages/cloud_security_posture/kibana/csp_rule_template/4da6e870-fed1-5822-bb2d-f6a1714bc4a8.json
index 94b1f219ff2..fa324783c1c 100644
--- a/packages/cloud_security_posture/kibana/csp_rule_template/4da6e870-fed1-5822-bb2d-f6a1714bc4a8.json
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/4da6e870-fed1-5822-bb2d-f6a1714bc4a8.json
@@ -11,7 +11,7 @@
"profile_applicability": "* Level 2",
"description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.\nThe recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources.\nIt is recommended AWS Config be enabled in all regions.",
"rationale": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.",
- "audit": "Process to evaluate AWS Config configuration per region\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/).\n2. On the top right of the console select target Region.\n3. If presented with Setup AWS Config - follow remediation procedure:\n4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears.\n5. Ensure 1 or both check-boxes under \"All Resources\" is checked.\n - Include global resources related to IAM resources - which needs to be enabled in 1 region only\n6. Ensure the correct S3 bucket has been defined.\n7. Ensure the correct SNS topic has been defined.\n8. Repeat steps 2 to 7 for each region.\n\n**From Command Line:**\n\n9. Run this command to show all AWS Config recorders and their properties:\n```\naws configservice describe-configuration-recorders\n```\n10. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`\n\nNote: There is one more parameter \"ResourceTypes\" in recordingGroup object.\nWe don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])\n\nSample Output:\n\n```\n{\n \"ConfigurationRecorders\": [\n {\n \"recordingGroup\": {\n \"allSupported\": true,\n \"resourceTypes\": [],\n \"includeGlobalResourceTypes\": true\n },\n \"roleARN\": \"arn:aws:iam:::role/service-role/\",\n \"name\": \"default\"\n }\n ]\n}\n```\n\n11. Run this command to show the status for all AWS Config recorders:\n```\naws configservice describe-configuration-recorder-status\n```\n12. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`",
+ "audit": "Process to evaluate AWS Config configuration per region\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/).\n2. On the top right of the console select target Region.\n3. If presented with Setup AWS Config - follow remediation procedure:\n4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears.\n5. Ensure 1 or both check-boxes under \"All Resources\" is checked.\n - Include global resources related to IAM resources - which needs to be enabled in 1 region only\n6. Ensure the correct S3 bucket has been defined.\n7. Ensure the correct SNS topic has been defined.\n8. Repeat steps 2 to 7 for each region.\n\n**From Command Line:**\n\n9. Run this command to show all AWS Config recorders and their properties:\n```\naws configservice describe-configuration-recorders\n```\n10. Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`\n\nNote: There is one more parameter \"ResourceTypes\" in recordingGroup object.\nWe don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])\n\nSample Output:\n\n```\n{\n \"ConfigurationRecorders\": [\n {\n \"recordingGroup\": {\n \"allSupported\": true,\n \"resourceTypes\": [],\n \"includeGlobalResourceTypes\": true\n },\n \"roleARN\": \"arn:aws:iam:::role/service-role/\",\n \"name\": \"default\"\n }\n ]\n}\n```\n\n11. Run this command to show the status for all AWS Config recorders:\n```\naws configservice describe-configuration-recorder-status\n```\n12. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`",
"remediation": "To implement AWS Config configuration:\n\n**From Console:**\n\n1. Select the region you want to focus on in the top right of the console\n2. Click `Services` \n3. Click `Config` \n4. Define which resources you want to record in the selected region\n5. Choose to include global resources (IAM resources)\n6. Specify an S3 bucket in the same account or in another managed AWS account\n7. Create an SNS Topic from the same AWS account or another managed AWS account\n\n**From Command Line:**\n\n8. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html).\n9. Run this command to set up the configuration recorder\n```\naws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole\n```\n10. Run this command to start the configuration recorder:\n```\nstart-configuration-recorder --configuration-recorder-name \n```",
"section": "Logging",
"version": "1.0",
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4eb0d962-c123-575e-8c0c-9d10a2fbe5d1.json b/packages/cloud_security_posture/kibana/csp_rule_template/4eb0d962-c123-575e-8c0c-9d10a2fbe5d1.json
new file mode 100644
index 00000000000..00396183c3e
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/4eb0d962-c123-575e-8c0c-9d10a2fbe5d1.json
@@ -0,0 +1,38 @@
+{
+ "id": "4eb0d962-c123-575e-8c0c-9d10a2fbe5d1",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Setting the threshold too low will might result in increased log storage size and length, making it difficult to find actual errors. Setting the threshold to 'Warning' will log messages for the most needed error messages. Higher severity levels may cause errors needed to troubleshoot to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to PANIC.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN",
+ "id": "4eb0d962-c123-575e-8c0c-9d10a2fbe5d1",
+ "name": "Ensure that the \u2018Log_min_messages\u2019 Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'",
+ "profile_applicability": "* Level 1",
+ "description": "The `log_min_messages` flag defines the minimum message severity level that is considered as an error statement.\nMessages for error statements are logged with the SQL statement.\nValid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`.\nEach severity level includes the subsequent levels mentioned above.\nERROR is considered the best practice setting.\nChanges should only be made in accordance with the organization's logging policy.",
+ "rationale": "Auditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_messages` is not set to the correct value, messages may not be classified as error messages appropriately.\nAn organization will need to decide their own threshold for logging `log_min_messages` flag.\n\nThis recommendation is applicable to PostgreSQL database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page.\n3. Go to the `Configuration` card.\n4. Under `Database flags`, check the value of `log_min_messages` flag is in accordance with the organization's logging policy.\n\n**From Google Cloud CLI**\n\n5. Use the below command for every Cloud SQL PostgreSQL database instance to verify that the value of `log_min_messages` is in accordance with the organization's logging policy.\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"log_min_messages\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances)\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click `Save` to save the changes.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_min_messages=\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "PostgreSQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.2.5",
+ "PostgreSQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.2.5",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_2_5"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
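Review bot: The CLI check in `audit` pipes `gcloud sql instances list --format=json`, which is a JSON array, into `jq '.settings.databaseFlags[] ...'`, and jq cannot index an array with `settings`, so the check errors instead of printing the flag value; `jq '.[].settings.databaseFlags[]? | select(.name=="log_min_messages") | .value'` is presumably what was intended (the `[]?` also tolerates instances with no flags set). The same array-indexing issue is in 5d7e7fce and 5de29f7b below (the latter's hunk runs past the end of this view). The rule's `name` and `impact` present `Warning` as the floor while `description` says `ERROR is considered the best practice setting`; the text should agree on which level this rule enforces. `impact` has `will might result` (drop one word), and `name` uses curly quotes (`\u2018`/`\u2019`) where the other templates use straight ones.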
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/5d7e7fce-64fb-5b7b-beeb-920496c2e333.json b/packages/cloud_security_posture/kibana/csp_rule_template/5d7e7fce-64fb-5b7b-beeb-920496c2e333.json
new file mode 100644
index 00000000000..13cad00cbf0
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/5d7e7fce-64fb-5b7b-beeb-920496c2e333.json
@@ -0,0 +1,38 @@
+{
+ "id": "5d7e7fce-64fb-5b7b-beeb-920496c2e333",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n3. https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119",
+ "id": "5d7e7fce-64fb-5b7b-beeb-920496c2e333",
+ "name": "Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to check the `user connections` for a Cloud SQL SQL Server instance to ensure that it is not artificially limiting connections.",
+ "rationale": "The `user connections` option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server.\nThe actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware.\nSQL Server allows a maximum of 32,767 user connections.\nBecause user connections is by default a self-configuring value, with SQL Server adjusting the maximum number of user connections automatically as needed, up to the maximum value allowable.\nFor example, if only 10 users are logged in, 10 user connection objects are allocated.\nIn most cases, you do not have to change the value for this option.\nThe default is 0, which means that the maximum (32,767) user connections are allowed.\nHowever if there is a number defined here that limits connections, SQL Server will not allow anymore above this limit.\nIf the connections are at the limit, any new requests will be dropped, potentially causing lost data or outages for those using the database.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `user connections` listed under the `Database flags` section is 0.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns a value of 0, for every Cloud SQL SQL Server database instance.\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"user connections\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `user connections` from the drop-down menu, and set its value to your organization recommended value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `user connections` database flag for every Cloud SQL SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"user connections=[0-32,767]\"\n```\n\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "SQL Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.3.3",
+ "SQL Server"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.3.3",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_3_3"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
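Review bot: `remediation` step 8 gives `gcloud sql instances patch --database-flags "user connections=[0-32,767]"`, which passes the literal text `[0-32,767]` as the flag value; the bracketed range is documentation, not a value, and the instance name is missing too, so it should read `gcloud sql instances patch <INSTANCE_NAME> --database-flags "user connections=<VALUE>"` followed by a line stating the valid range is 0 to 32,767. `audit` requires the flag to be `0`, while `remediation` step 5 tells the operator to set `your organization recommended value` and the title only asks for a `Non-limiting Value`; per `rationale` any non-zero value is a cap, so either the audit should state which non-zero values are acceptable or the remediation should say to set `0`. `impact` and the `Note :` block in `remediation` both carry the flag-overwrite warning; one is enough. `remediation` step 2 has `enable to database flag`, which should be `enable the database flag`.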
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f.json b/packages/cloud_security_posture/kibana/csp_rule_template/5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f.json
new file mode 100644
index 00000000000..5cccd8751d2
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f.json
@@ -0,0 +1,38 @@
+{
+ "id": "5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Changing flags on a database may cause it to be restarted. The best time to do this is at a time where there is low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n3. https://github.com/ktaranov/sqlserver-kit/blob/master/SQL%20Server%20Trace%20Flag.md",
+ "id": "5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f",
+ "name": "Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to set `3625 (trace flag)` database flag for Cloud SQL SQL Server instance to `on`.",
+ "rationale": "Microsoft SQL Trace Flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload.\nAll documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.\n`3625(trace log)` Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'.\nSetting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information, hence this is recommended to set this flag globally to on to prevent the flag having been left off, or changed by bad actors.\nThis recommendation is applicable to SQL Server database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `3625` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `on` for every Cloud SQL SQL Server database instance\n\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"3625\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `3625` from the drop-down menu, and set its value to `on`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `3625` database flag for every Cloud SQL SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=on\"\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").",
+ "section": "SQL Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.3.6",
+ "SQL Server"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.3.6",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_3_6"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
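Review bot: The remediation command on the new side, `gcloud sql instances patch --database-flags "3625=on"`, has no instance argument, so it is not runnable as written; it looks like an angle-bracket placeholder such as `<INSTANCE_NAME>` from the source benchmark text was dropped during conversion, and the same loss shows up in the `patch`, `kms keys list`, `config set project` and `--network=projects//global/networks/` commands of the 64d37675, 677bdabb, 67909c46, 68cfd04b and 68f9d23f templates below. A plain-text placeholder survives escaping, e.g. `gcloud sql instances patch INSTANCE_NAME --database-flags "3625=on"`. The audit line has a second problem: `gcloud sql instances list --format=json` prints a top-level array, so `jq '.settings.databaseFlags[] ...'` fails to index it and should read `jq '.[].settings.databaseFlags[] | select(.name=="3625") | .value'`. The same jq shape recurs in the `remote access` template (68f9d23f).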
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/5ee69b99-8f70-5daf-b784-866131aca3ba.json b/packages/cloud_security_posture/kibana/csp_rule_template/5ee69b99-8f70-5daf-b784-866131aca3ba.json
index 5c3f94bdcdd..c37e4bdb544 100644
--- a/packages/cloud_security_posture/kibana/csp_rule_template/5ee69b99-8f70-5daf-b784-866131aca3ba.json
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/5ee69b99-8f70-5daf-b784-866131aca3ba.json
@@ -12,7 +12,7 @@
"description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.\nCreate an IAM Role to allow authorized users to manage incidents with AWS Support.",
"rationale": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.",
"audit": "**From Command Line:**\n\n1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value:\n```\naws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\"\n```\n2. Check if the 'AWSSupportAccess' policy is attached to any role:\n\n```\naws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess\n```\n\n3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'\n\nIf it returns empty refer to the remediation below.",
- "remediation": "**From Command Line:**\n\n1. Create an IAM role for managing incidents with AWS:\n - Create a trust relationship policy document that allows to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:\n```\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n }\n```\n2. Create the IAM role using the above trust policy:\n```\naws iam create-role --role-name --assume-role-policy-document file:///tmp/TrustPolicy.json\n```\n3. Attach 'AWSSupportAccess' managed policy to the created IAM role:\n```\naws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name \n```",
+ "remediation": "**From Command Line:**\n\n1. Create an IAM role for managing incidents with AWS:\n - Create a trust relationship policy document that allows to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:\n```\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}\n```\n2. Create the IAM role using the above trust policy:\n```\naws iam create-role --role-name --assume-role-policy-document file:///tmp/TrustPolicy.json\n```\n3. Attach 'AWSSupportAccess' managed policy to the created IAM role:\n```\naws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name \n```",
"section": "Identity and Access Management",
"version": "1.0",
"tags": [
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/64d37675-473f-5edc-882e-5b8b85b789c3.json b/packages/cloud_security_posture/kibana/csp_rule_template/64d37675-473f-5edc-882e-5b8b85b789c3.json
new file mode 100644
index 00000000000..c64c8c7f3dd
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/64d37675-473f-5edc-882e-5b8b85b789c3.json
@@ -0,0 +1,38 @@
+{
+ "id": "64d37675-473f-5edc-882e-5b8b85b789c3",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "After enforcing SSL connection, existing client will not be able to communicate with SQL server unless configured with appropriate client-certificates to communicate to SQL database instance.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/",
+ "id": "64d37675-473f-5edc-882e-5b8b85b789c3",
+ "name": "Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to enforce all incoming connections to SQL database instance to use SSL.",
+ "rationale": "SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.\nFor security, it is recommended to always use SSL encryption when connecting to your instance.\nThis recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n\n2. Click on an instance name to see its configuration overview.\n\n3. In the left-side panel, select `Connections`.\n\n4. In the `SSL connections` section, ensure that `Only secured connections are allowed to connect to this instance.`.\n\n**From Google Cloud CLI**\n\n5. Get the detailed configuration for every SQL database instance using the following command:\n\n```\ngcloud sql instances list --format=json\n```\n\nEnsure that section `settings: ipConfiguration` has the parameter `requireSsl` set to `true`.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n\n2. Click on an instance name to see its configuration overview.\n\n3. In the left-side panel, select `Connections`.\n\n4. In the `SSL connections` section, click `Allow only SSL connections`.\n\n5. Under `Configure SSL server certificates` click `Create new certificate`.\n\n6. Under `Configure SSL client certificates` click `Create a client certificate`. \n\n7. Follow the instructions shown to learn how to connect to your instance. \n\n**From Google Cloud CLI**\n\nTo enforce SSL encryption for an instance run the command:\n\n```\ngcloud sql instances patch --require-ssl\n```\n\nNote:\n`RESTART` is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) to get this configuration in effect.",
+ "section": "Cloud SQL Database Services",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.4",
+ "Cloud SQL Database Services"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.4",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_4"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
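Review bot: The audit text tells the reader to look for `requireSsl` under `settings: ipConfiguration` in the output of `gcloud sql instances list --format=json`, but that output is an array of instances, so a checker needs to iterate it; a concrete pipeline the template could quote is `gcloud sql instances list --format=json | jq '.[] | {name, requireSsl: .settings.ipConfiguration.requireSsl}'`. Current Cloud SQL instances also expose `settings.ipConfiguration.sslMode`, which appears to supersede `requireSsl`; if the Rego rule behind `cis_6_4` reads only `requireSsl`, a one-line note in the audit text would save operators from a false "not enforced" reading — worth confirming against the rule. The rationale's reference to MySQL "generation 1" instances and the `FIRST_GEN` restart note in the remediation describe an instance type that, as far as I know, is no longer offered; consider trimming or hedging that sentence.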
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/677bdabb-ee3f-58a6-82f6-d40ccc4efe13.json b/packages/cloud_security_posture/kibana/csp_rule_template/677bdabb-ee3f-58a6-82f6-d40ccc4efe13.json
new file mode 100644
index 00000000000..0e023a03fe8
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/677bdabb-ee3f-58a6-82f6-d40ccc4efe13.json
@@ -0,0 +1,38 @@
+{
+ "id": "677bdabb-ee3f-58a6-82f6-d40ccc4efe13",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "After a successful key rotation, the older key version is required in order to decrypt the data encrypted by that previous key version.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n2. https://cloud.google.com/kms/docs/re-encrypt-data",
+ "id": "677bdabb-ee3f-58a6-82f6-d40ccc4efe13",
+ "name": "Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days",
+ "profile_applicability": "* Level 1",
+ "description": "Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\n\n\nThe format for the rotation schedule depends on the client library that is used.\nFor the gcloud command-line tool, the next rotation time must be in `ISO` or `RFC3339` format, and the rotation period must be in the form `INTEGER[UNIT]`, where units can be one of seconds (s), minutes (m), hours (h) or days (d).",
+ "rationale": "Set a key rotation period and starting time.\nA key can be created with a specified `rotation period`, which is the time between when new key versions are generated automatically.\nA key can also be created with a specified next rotation time.\nA key is a named object representing a `cryptographic key` used for a specific purpose.\nThe key material, the actual bits used for `encryption`, can change over time as new key versions are created.\n\nA key is used to protect some `corpus of data`.\nA collection of files could be encrypted with the same key and people with `decrypt` permissions on that key would be able to decrypt those files.\nTherefore, it's necessary to make sure the `rotation period` is set to a specific time.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to `Cryptographic Keys` by visiting: [https://console.cloud.google.com/security/kms](https://console.cloud.google.com/security/kms).\n2. Click on each key ring, then ensure each key in the keyring has `Next Rotation` set for less than 90 days from the current date.\n\n**From Google Cloud CLI**\n\n3. Ensure rotation is scheduled by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key :\n\n```\ngcloud kms keys list --keyring= --location= --format=json'(rotationPeriod)'\n```\n\nEnsure outcome values for `rotationPeriod` and `nextRotationTime` satisfy the below criteria:\n\n`rotationPeriod is <= 129600m` \n`rotationPeriod is <= 7776000s` \n`rotationPeriod is <= 2160h` \n`rotationPeriod is <= 90d` \n`nextRotationTime is <= 90days` from current DATE",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to `Cryptographic Keys` by visiting: [https://console.cloud.google.com/security/kms](https://console.cloud.google.com/security/kms).\n2. Click on the specific key ring\n3. From the list of keys, choose the specific key and Click on `Right side pop up the blade (3 dots)`.\n4. Click on `Edit rotation period`.\n5. On the pop-up window, `Select a new rotation period` in days which should be less than 90 and then choose `Starting on` date (date from which the rotation period begins).\n\n**From Google Cloud CLI**\n\n6. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n\n```\ngcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n```",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.10",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.10",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_10"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
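Review bot: The audit command in this template, `gcloud kms keys list --keyring= --location= --format=json'(rotationPeriod)'`, is malformed beyond the missing placeholders: the quote sits after `json`, and the projection only covers `rotationPeriod` although the next sentence asks the reader to check `nextRotationTime` as well. A form that yields both values is `gcloud kms keys list --keyring=KEY_RING --location=LOCATION --format="json(name,rotationPeriod,nextRotationTime)"`. In the remediation, `gcloud kms keys update new --keyring=KEY_RING ...` reads as if `new` were meant to be the key-name placeholder; if so it should be `KEY_NAME` to match the other upper-case placeholders on that line.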
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/67909c46-649c-52c1-a464-b3e81615d938.json b/packages/cloud_security_posture/kibana/csp_rule_template/67909c46-649c-52c1-a464-b3e81615d938.json
new file mode 100644
index 00000000000..dddb156f11c
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/67909c46-649c-52c1-a464-b3e81615d938.json
@@ -0,0 +1,38 @@
+{
+ "id": "67909c46-649c-52c1-a464-b3e81615d938",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Using Customer Managed Keys involves additional overhead in maintenance by administrators.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/docs/security/encryption/default-encryption",
+ "id": "67909c46-649c-52c1-a464-b3e81615d938",
+ "name": "Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key",
+ "profile_applicability": "* Level 2",
+ "description": "When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket.\nThis PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK).\nThe CMEK feature allows you to create, use, and revoke the key encryption key (KEK).\nGoogle still controls the data encryption key (DEK).",
+ "rationale": "\"Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS.\nThese encryption keys are called customer-managed encryption keys (CMEK).\nWhen you protect data in Google Cloud services with CMEK, the CMEK key is within your control.",
+ "audit": "**From Google Cloud Console**\n\n1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting https://console.cloud.google.com/dataproc/clusters.\n2. Select the project from the project dropdown list.\n3. On the `Dataproc Clusters` page, select the cluster and click on the Name attribute value that you want to examine.\n4. On the `details` page, select the `Configurations` tab.\n5. On the `Configurations` tab, check the `Encryption type` configuration attribute value. If the value is set to `Google-managed key`, then Dataproc Cluster is not encrypted with Customer managed encryption keys.\n\nRepeat step no.\n3 - 5 for other Dataproc Clusters available in the selected project.\n\n6. Change the project from the project dropdown list and repeat the audit procedure for other projects.\n\n**From Google Cloud CLI**\n\n7. Run clusters list command to list all the Dataproc Clusters available in the region:\n```\ngcloud dataproc clusters list --region='us-central1'\n```\n8. Run clusters describe command to get the key details of the selected cluster:\n```\ngcloud dataproc clusters describe --region=us-central1 --flatten=config.encryptionConfig.gcePdKmsKeyName\n```\n9. If the above command output return \"null\", then the selected cluster is not encrypted with Customer managed encryption keys.\n10. Repeat step no. 2 and 3 for other Dataproc Clusters available in the selected region. Change the region by updating --region and repeat step no. 2 for other clusters available in the project. Change the project by running the below command and repeat the audit procedure for other Dataproc clusters available in other projects:\n```\ngcloud config set project \"\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting https://console.cloud.google.com/dataproc/clusters.\n2. Select the project from the projects dropdown list.\n3. On the `Dataproc Cluster` page, click on the `Create Cluster` to create a new cluster with Customer managed encryption keys.\n4. On `Create a cluster` page, perform below steps:\n - Inside `Set up cluster` section perform below steps:\n -In the `Name` textbox, provide a name for your cluster.\n - From `Location` select the location in which you want to deploy a cluster.\n - Configure other configurations as per your requirements.\n - Inside `Configure Nodes` and `Customize cluster` section configure the settings as per your requirements.\n - Inside `Manage security` section, perform below steps:\n - From `Encryption`, select `Customer-managed key`.\n - Select a customer-managed key from dropdown list.\n - Ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account (\"serviceAccount:service-@compute-system.iam.gserviceaccount.com\").\n - Click on `Create` to create a cluster.\n - Once the cluster is created migrate all your workloads from the older cluster to the new cluster and delete the old cluster by performing the below steps:\n - On the `Clusters` page, select the old cluster and click on `Delete cluster`.\n - On the `Confirm deletion` window, click on `Confirm` to delete the cluster.\n - Repeat step above for other Dataproc clusters available in the selected project.\n - Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n**From Google Cloud CLI**\n\nBefore creating cluster ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account 
(\"serviceAccount:service-@compute-system.iam.gserviceaccount.com\").\nRun clusters create command to create new cluster with customer-managed key:\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\nThe above command will create a new cluster in the selected region.\n\nOnce the cluster is created migrate all your workloads from the older cluster to the new cluster and Run clusters delete command to delete cluster:\n```\ngcloud dataproc clusters delete --region=us-central1\n```\nRepeat step no.\n1 to create a new Dataproc cluster.\nChange the project by running the below command and repeat the remediation procedure for other projects:\n```\ngcloud config set project \"\n```",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.17",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.17",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_17"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
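Review bot: The `rationale` value starts with a stray escaped quote (`"\"Cloud services offer ...`) that is never closed, so the rendered text opens with a lone `"`; drop the `\"`. The audit text also has step references that do not match its own numbering — "Repeat step no.\n3 - 5" is broken across a line, and step 10 says "Repeat step no. 2 and 3" while the CLI steps are numbered 7 to 9 — and both `gcloud config set project \"` commands leave a dangling quote where the project-id placeholder was lost, e.g. `gcloud config set project PROJECT_ID`. Note that the remediation value is printed across two physical lines in this view (the break after "service account"), which looks like a display artifact rather than a change in the file.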
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/68cfd04b-fc79-5877-8638-af3aa82d92db.json b/packages/cloud_security_posture/kibana/csp_rule_template/68cfd04b-fc79-5877-8638-af3aa82d92db.json
new file mode 100644
index 00000000000..55e1baec0f1
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/68cfd04b-fc79-5877-8638-af3aa82d92db.json
@@ -0,0 +1,38 @@
+{
+ "id": "68cfd04b-fc79-5877-8638-af3aa82d92db",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "If you set a database IP to private, only host from the same network will have the ability to connect your database.\n\nConfiguring an existing Cloud SQL instance to use private IP causes the instance to restart.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/configure-private-ip\n2. https://cloud.google.com/vpc/docs/configure-private-services-access#procedure\n3. https://cloud.google.com/vpc/docs/configure-private-services-access#creating-connection",
+ "id": "68cfd04b-fc79-5877-8638-af3aa82d92db",
+ "name": "Ensure Instance IP assignment is set to private",
+ "profile_applicability": "* Level 1",
+ "description": "Instance addresses can be public IP or private IP.\nPublic IP means that the instance is accessible through the public internet.\nIn contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).\n\nLimiting network access to your database will limit potential attacks.",
+ "rationale": "Setting databases access only to private will reduce attack surface.",
+ "audit": "**From Google Cloud Console**\n\n1. In the Google Cloud console, go to the `Cloud SQL Instances` page.\n2. Open the `Overview page` of an instance by clicking the instance name.\n3. Look for a field labeled `Private IP address` This field will only show if the Private IP option is checked. The IP listed should be in the private IP space.\n\n**From Google Cloud CLI**\n4. List cloud SQL instances\n```\ngcloud sql instances list --format=\"json\" | jq '.[] | .connectionName,.ipAddresses'\n```\nEach instance listed should have a `type` of `PRIVATE`.\n\n5. If you want to view a specific instance, note the (s) listed and run the following.\n```\ngcloud sql instances describe --format=\"json\" | jq '.ipAddresses'\n```\n`Type` should be `\"PRIVATE\"`\n```\n {\n \"ipAddress\": \"10.21.0.2\",\n \"type\": \"PRIVATE\"\n}\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. In the Google Cloud console, go to the `Cloud SQL Instances` page.\n2. Open the `Overview page` of an instance by clicking the instance name.\n3. Select `Connections` from the SQL navigation menu.\n4. Check the `Private IP` checkbox. A drop-down list shows the available networks in your project.\n5. Select the VPC network you want to use:\n If you see `Private service connection required`:\n 1.\nClick `Set up connection`.\n 1.\nIn the `Allocate an IP range` section, choose one of the following options:\n - Select one or more existing IP ranges or create a new one from the dropdown.\nThe dropdown includes previously allocated ranges, if there are any, or you can select Allocate a new IP range and enter a new range and name.\n - Use an automatically allocated IP range in your network.\n Note: You can specify an address range only for a primary instance, not for a read replica or clone.\n 3.\nClick Continue.\n 1.\nClick Create connection.\n 1.\nVerify that you see the Private service connection for network VPC_NETWORK_NAME has been successfully created status.\n6. [Optional step for Private Services Access - review reference links to VPC documents for additional detail] If you want to allow other Google Cloud services such as BigQuery to access data in Cloud SQL and make queries against this data over a private IP connection, then select the Private path for Google Cloud services check box.\n7. Click Save\n\n**From Google Cloud CLI**\n\n8. 
List cloud SQL instances\n```\ngcloud sql instances list --format=\"json\" | jq '.[] | .connectionName,.ipAddresses'\n```\nNote the `project name` of the instance you want to set to a private IP, this will be \n\nNote the `instance name` of the instance you want to set to a private IP, this will be \n\nExample public instance output:\n\n```\n\"my-project-123456:us-central1:my-instance\"\n[\n {\n \"ipAddress\": \"0.0.0.0\",\n \"type\": \"PRIMARY\"\n },\n {\n \"ipAddress\": \"0.0.0.0\",\n \"type\": \"OUTGOING\"\n }\n```\n\n9. run the following command to list the available VPCs \n```\ngcloud compute networks list --format=\"json\" | jq '.[].name'\n```\nNote the name of the VPC to use for the instance private IP, this will be \n\n10. run the following to set instance to a private IP\n```\ngcloud beta sql instances patch \\\n--project= \\\n--network=projects//global/networks/ \\\n--no-assign-ip\n```",
+ "section": "PostgreSQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.2.9",
+ "PostgreSQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.2.9",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_2_9"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
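Review bot: The console remediation's sub-steps under step 5 are numbered `1.`, `1.`, `3.`, `1.`, `1.` with the number separated from its text by a newline, so the procedure cannot be followed as rendered; they should be 1 through 5 with the number and text on one line (e.g. `1. Click Set up connection.`). The CLI remediation has lost three placeholders at once in `--project= \ --network=projects//global/networks/ \ --no-assign-ip`, and the instance name before the flags; a runnable shape is `gcloud beta sql instances patch INSTANCE_NAME --project=PROJECT_ID --network=projects/PROJECT_ID/global/networks/VPC_NAME --no-assign-ip`. The three sentences of the form "this will be \n\n" in the same block are where those placeholders were meant to be named, and read as unfinished without them.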
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/68f9d23f-882f-55d1-86c6-711413c31129.json b/packages/cloud_security_posture/kibana/csp_rule_template/68f9d23f-882f-55d1-86c6-711413c31129.json
new file mode 100644
index 00000000000..6f179b36b50
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/68f9d23f-882f-55d1-86c6-711413c31129.json
@@ -0,0 +1,38 @@
+{
+ "id": "68f9d23f-882f-55d1-86c6-711413c31129",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n3. https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337",
+ "id": "68f9d23f-882f-55d1-86c6-711413c31129",
+ "name": "Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to set `remote access` database flag for Cloud SQL SQL Server instance to `off`.",
+ "rationale": "The `remote access` option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running.\nThis default value for this option is 1.\nThis grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.\nTo prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.\nThe Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.\n'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.\nThis recommendation is applicable to SQL Server database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `remote access` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `off` for every Cloud SQL SQL Server database instance\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"remote access\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `remote access` database flag for every Cloud SQL SQL Server database instance using the below command\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "SQL Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.3.5",
+ "SQL Server"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.3.5",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_3_5"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
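Review bot: The trailing "Note :" block of the remediation is wrapped in a second ``` fence here (and in the `user connections` template at the top of this chunk), while the sibling `3625` template leaves the same note as prose; rendered as a code block the note reads as part of the command, so the fence should be removed for consistency. The rationale has a typo, `This default value for this option is 1` → `The default value for this option is 1`, and repeats the "controls the execution of ... stored procedures" sentence twice. Step 2 of the console remediation, "for which you want to enable to database flag", should read "enable the database flag"; the same wording appears in the `3625` and `user connections` templates.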
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/756e1a54-b2ce-56b9-a13f-17f652d7767c.json b/packages/cloud_security_posture/kibana/csp_rule_template/756e1a54-b2ce-56b9-a13f-17f652d7767c.json
new file mode 100644
index 00000000000..cefc00d3e53
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/756e1a54-b2ce-56b9-a13f-17f652d7767c.json
@@ -0,0 +1,38 @@
+{
+ "id": "756e1a54-b2ce-56b9-a13f-17f652d7767c",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling of logging may result in your project being charged for the additional logs usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy",
+ "id": "756e1a54-b2ce-56b9-a13f-17f652d7767c",
+ "name": "Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes",
+ "profile_applicability": "* Level 1",
+ "description": "Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \"who did what, where, and when?\" within GCP projects.\n\nCloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services.\nCloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.",
+ "rationale": "Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.\n\nConfiguring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.",
+ "audit": "**From Google Cloud Console**\n\n**Ensure the prescribed log metric is present:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure that at least one metric `` is present with the filter text:\n```\nprotoPayload.methodName=\"SetIamPolicy\" AND\nprotoPayload.serviceData.policyDelta.auditConfigDeltas:*\n```\n**Ensure that the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of 0 for greater than zero(0) seconds`, means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that appropriate notifications channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure that the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud beta logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to: \n```\nprotoPayload.methodName=\"SetIamPolicy\" AND\nprotoPayload.serviceData.policyDelta.auditConfigDeltas:*\n```\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. 
Ensure that the output contains at least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`",
+ "remediation": "**From Google Cloud Console**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n```\nprotoPayload.methodName=\"SetIamPolicy\" AND\nprotoPayload.serviceData.policyDelta.auditConfigDeltas:*\n```\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This will ensure that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create a prescribed Alert Policy:** \n\n7. Identify the new metric the user just created, under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page opens.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n10. Configure the desired notifications channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate a prescribed Log Metric:\n- Use the command: gcloud beta logging metrics create \n- Reference for command usage: [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n](https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create)\nCreate prescribed Alert Policy \n- Use the command: gcloud alpha monitoring policies create\n- Reference for command usage: [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create)",
+ "section": "Logging and Monitoring",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 2.5",
+ "Logging and Monitoring"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "2.5",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_2_5"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
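Review bot: The metric-name placeholders in this template are empty, so the instructions cannot be followed literally: audit step 2 reads `ensure that at least one metric `` is present`, step 8 and step 10 give the type as `logging.googleapis.com/user/` with nothing after the slash, and the CLI remediation reads `gcloud beta logging metrics create ` with no arguments; this looks like an angle-bracketed token (e.g. a constructed `<LOG_METRIC_NAME>`) was stripped on import and should be restored. The same gap is present in the 7e584486, 84862c2c and 873e6387 templates below, and in the 89cc8ff0 template's `gcloud alpha services api-keys update ` line. The remediation's reference link also has a `\n` inside the link text, `[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n](…)`, which renders as a broken Markdown link; move the newline after the closing parenthesis. Audit step 4's example condition still says the alert `will trigger for any new owner change`, wording carried over from the project-ownership rule rather than audit-configuration changes.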
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/7e584486-4d0f-5edb-8a64-7ee0b59333b8.json b/packages/cloud_security_posture/kibana/csp_rule_template/7e584486-4d0f-5edb-8a64-7ee0b59333b8.json
new file mode 100644
index 00000000000..84a61616e70
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/7e584486-4d0f-5edb-8a64-7ee0b59333b8.json
@@ -0,0 +1,38 @@
+{
+ "id": "7e584486-4d0f-5edb-8a64-7ee0b59333b8",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/vpc/docs/overview",
+ "id": "7e584486-4d0f-5edb-8a64-7ee0b59333b8",
+ "name": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes",
+ "profile_applicability": "* Level 2",
+ "description": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.",
+ "rationale": "It is possible to have more than one VPC within a project.\nIn addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.\n\n\nMonitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.",
+ "audit": "**From Google Cloud Console**\n\n**Ensure the prescribed log metric is present:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure at least one metric `` is present with filter text:\n\n```\nresource.type=\"gce_network\" \nAND (protoPayload.methodName:\"compute.networks.insert\" \nOR protoPayload.methodName:\"compute.networks.patch\" \nOR protoPayload.methodName:\"compute.networks.delete\" \nOR protoPayload.methodName:\"compute.networks.removePeering\" \nOR protoPayload.methodName:\"compute.networks.addPeering\")\n```\n\n**Ensure the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of 0 for greater than 0 seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that appropriate notification channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure the log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with filter set to: \n```\nresource.type=\"gce_network\" \nAND protoPayload.methodName=\"beta.compute.networks.insert\" \nOR protoPayload.methodName=\"beta.compute.networks.patch\" \nOR protoPayload.methodName=\"v1.compute.networks.delete\" \nOR protoPayload.methodName=\"v1.compute.networks.removePeering\" \nOR protoPayload.methodName=\"v1.compute.networks.addPeering\"\n```\n\n8. 
Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. Ensure that the output contains at least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`",
+ "remediation": "**From Google Cloud Console**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n\n```\nresource.type=\"gce_network\" \nAND (protoPayload.methodName:\"compute.networks.insert\" \nOR protoPayload.methodName:\"compute.networks.patch\" \nOR protoPayload.methodName:\"compute.networks.delete\" \nOR protoPayload.methodName:\"compute.networks.removePeering\" \nOR protoPayload.methodName:\"compute.networks.addPeering\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed alert policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page appears.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of 0 for the most recent value will ensure that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notification channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud logging metrics create \n\nCreate the prescribed alert policy: \n- Use the command: gcloud alpha monitoring policies create",
+ "section": "Logging and Monitoring",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 2.9",
+ "Logging and Monitoring"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "2.9",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_2_9"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
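Review bot: The CLI filter in audit step 7 does not match the filter given in audit step 2 and in remediation step 3: it drops the parentheses around the OR chain and switches from substring matches such as `protoPayload.methodName:"compute.networks.insert"` to exact matches with version prefixes, `protoPayload.methodName="beta.compute.networks.insert"` and `v1.compute.networks.delete`. Without the parentheses the `resource.type="gce_network" AND …` clause binds only to the first method term, so the two filters are not equivalent, and an auditor comparing `gcloud logging metrics list` output against step 7 would flag a metric that was created exactly as the remediation prescribes. Use the same parenthesized substring filter in all three places.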
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/84862c2c-4aba-5458-9c5f-12855091617b.json b/packages/cloud_security_posture/kibana/csp_rule_template/84862c2c-4aba-5458-9c5f-12855091617b.json
new file mode 100644
index 00000000000..f34d1b59030
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/84862c2c-4aba-5458-9c5f-12855091617b.json
@@ -0,0 +1,38 @@
+{
+ "id": "84862c2c-4aba-5458-9c5f-12855091617b",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/storage/docs/overview\n6. https://cloud.google.com/sql/docs/\n7. https://cloud.google.com/sql/docs/mysql/\n8. https://cloud.google.com/sql/docs/postgres/",
+ "id": "84862c2c-4aba-5458-9c5f-12855091617b",
+ "name": "Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes",
+ "profile_applicability": "* Level 2",
+ "description": "It is recommended that a metric filter and alarm be established for SQL instance configuration changes.",
+ "rationale": "Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.\n\n\nBelow are a few of the configurable options which may the impact security posture of an SQL instance:\n\n- Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability \n\n- Authorize networks: Misconfiguration may increase exposure to untrusted networks",
+ "audit": "**From Google Cloud Console**\n\n**Ensure the prescribed log metric is present:**\n\n1. For each project that contains Cloud SQL instances, go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure that at least one metric `` is present with the filter text:\n\n```\nprotoPayload.methodName=\"cloudsql.instances.update\"\n```\n\n**Ensure that the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of zero(0) for greater than zero(0) seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that the appropriate notifications channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure that the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to \n```\nprotoPayload.methodName=\"cloudsql.instances.update\"\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. 
Ensure that the output contains at least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`",
+ "remediation": "**From Google Cloud Console**\n\n**Create the prescribed Log Metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n\n```\nprotoPayload.methodName=\"cloudsql.instances.update\"\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed alert policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page appears.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the user's project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notification channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed log metric:\n- Use the command: gcloud logging metrics create \n\nCreate the prescribed alert policy: \n- Use the command: gcloud alpha monitoring policies create\n- Reference for command usage: [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create)",
+ "section": "Logging and Monitoring",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 2.11",
+ "Logging and Monitoring"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "2.11",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_2_11"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
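Review bot: The rationale text reads `which may the impact security posture of an SQL instance`; the words are transposed and should be `which may impact the security posture of an SQL instance`. Audit step 4's example condition also says the alert `will trigger for any new owner change`, copied from the project-ownership rule, where this template is about SQL instance configuration changes. Both strings are user-facing text in the template, so the wording should be corrected before the file ships.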
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/873e6387-218d-587a-8fa1-3d65f4a77802.json b/packages/cloud_security_posture/kibana/csp_rule_template/873e6387-218d-587a-8fa1-3d65f4a77802.json
new file mode 100644
index 00000000000..e117a121b70
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/873e6387-218d-587a-8fa1-3d65f4a77802.json
@@ -0,0 +1,38 @@
+{
+ "id": "873e6387-218d-587a-8fa1-3d65f4a77802",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/storage/docs/access-control/iam\n6. https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n7. https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create",
+ "id": "873e6387-218d-587a-8fa1-3d65f4a77802",
+ "name": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes",
+ "profile_applicability": "* Level 2",
+ "description": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.",
+ "rationale": "Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination.\nThe other destination can be inside the organization VPC network (such as another VM) or outside of it.\nEvery route consists of a destination and a next hop.\nTraffic whose destination IP is within the destination range is sent to the next hop for delivery.\n\n\nMonitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.",
+ "audit": "**From Google Cloud Console**\n\n**Ensure that the prescribed Log metric is present:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure that at least one metric `` is present with the filter text:\n\n```\nresource.type=\"gce_route\" \nAND (protoPayload.methodName:\"compute.routes.delete\" \nOR protoPayload.methodName:\"compute.routes.insert\")\n```\n\n**Ensure the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting: [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of 0 for greater than zero(0) seconds` means that the alert will trigger for any new owner change. Verify that the chosen alert thresholds make sense for the user's organization.\n\n5. Ensure that the appropriate notification channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to: \n\n```\nresource.type=\"gce_route\" \nAND (protoPayload.methodName:\"compute.routes.delete\" \nOR protoPayload.methodName:\"compute.routes.insert\")\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. 
Ensure that the output contains an least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`",
+ "remediation": "**From Google Cloud Console**\n\n**Create the prescribed Log Metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`\n\n3. Clear any text and add: \n\n```\nresource.type=\"gce_route\" \nAND (protoPayload.methodName:\"compute.routes.delete\" \nOR protoPayload.methodName:\"compute.routes.insert\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed alert policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page displays.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notification channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud logging metrics create \n\nCreate the prescribed the alert policy: \n- Use the command: gcloud alpha monitoring policies create",
+ "section": "Logging and Monitoring",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 2.8",
+ "Logging and Monitoring"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "2.8",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_2_8"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
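Review bot: Audit step 10 reads `contains an least one alert policy` and the CLI remediation heading reads `Create the prescribed the alert policy:`; these should be `contains at least one alert policy` and `Create the prescribed alert policy:`. Reference 6 points at the `beta` form of the metrics command (`gcloud/reference/beta/logging/metrics/create`) while the remediation uses `gcloud logging metrics create`; the reference and the instruction should agree on which command is intended.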
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/89cc8ff0-be81-55f2-b1cf-d7db1e214741.json b/packages/cloud_security_posture/kibana/csp_rule_template/89cc8ff0-be81-55f2-b1cf-d7db1e214741.json
new file mode 100644
index 00000000000..4bf3f179901
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/89cc8ff0-be81-55f2-b1cf-d7db1e214741.json
@@ -0,0 +1,38 @@
+{
+ "id": "89cc8ff0-be81-55f2-b1cf-d7db1e214741",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Setting `API restrictions` may break existing application functioning, if not done carefully.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/docs/authentication/api-keys\n2. https://cloud.google.com/apis/docs/overview",
+ "id": "89cc8ff0-be81-55f2-b1cf-d7db1e214741",
+ "name": "Ensure API Keys Are Restricted to Only APIs That Application Needs Access",
+ "profile_applicability": "* Level 2",
+ "description": "API Keys should only be used for services in cases where other authentication methods are unavailable.\nAPI keys are always at risk because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides.\nIt is recommended to restrict API keys to use (call) only APIs required by an application.",
+ "rationale": "Security risks involved in using API-Keys are below:\n\n- API keys are simple encrypted strings\n\n- API keys do not identify the user or the application making the API request\n\n- API keys are typically accessible to clients, making it easy to discover and steal an API key\n\nIn light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys.\nHowever, there are limited cases where API keys are more appropriate.\nFor example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.\n\nIn order to reduce attack surfaces by providing `least privileges`, API-Keys can be restricted to use (call) only APIs required by an application.",
+ "audit": "**From Console:**\n\n1. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the section `API Keys`, Click the `API Key Name`. The API Key properties display on a new page.\n\n3. For every API Key, ensure the section `Key restrictions` parameter `API restrictions` is not set to `None`.\n\nOr, \n\nEnsure `API restrictions` is not set to `Google Cloud APIs`\n\n**Note:** `Google Cloud APIs` represents the API collection of all cloud services/APIs offered by Google cloud.\n\n**From Google Cloud CLI**\n\n4. List all API Keys.\n```\ngcloud services api-keys list\n```\nEach key should have a line that says `restrictions:` followed by varying parameters and NOT have a line saying `- service: cloudapis.googleapis.com` as shown here\n```\n restrictions:\n apiTargets:\n - service: cloudapis.googleapis.com\n\n```",
+ "remediation": "**From Console:**\n\n1. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the section `API Keys`, Click the `API Key Name`. The API Key properties display on a new page.\n\n3. In the `Key restrictions` section go to `API restrictions`.\n\n4. Click the `Select API` drop-down to choose an API.\n\n5. Click `Save`.\n\n6. Repeat steps 2,3,4,5 for every unrestricted API key\n\n**Note:** Do not set `API restrictions` to `Google Cloud APIs`, as this option allows access to all services offered by Google cloud.\n\n**From Google Cloud CLI**\n\n7. List all API keys.\n```\ngcloud services api-keys list\n```\n8. Note the `UID` of the key to add restrictions to.\n9. Run the update command with the appropriate flags to add the required restrictions.\n```\ngcloud alpha services api-keys update \n```\nNote- Flags can be found by running\n```\ngcloud alpha services api-keys update --help\n```\nor in this documentation\nhttps://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.14",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.14",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_14"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
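Review bot: Audit step 3 joins its two conditions with `Or,`: ensure `API restrictions` is not set to `None`, or ensure it is not set to `Google Cloud APIs`. Read literally, a key restricted to `Google Cloud APIs` satisfies the first condition and therefore passes, yet the remediation's own note says that option `allows access to all services offered by Google cloud` and must not be used, and the CLI check in step 4 rejects any key listing `- service: cloudapis.googleapis.com`. Replace `Or,` with `and` so both conditions are required, consistent with the CLI check and the remediation.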
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/8a985fda-fc4c-5435-b7f0-c4d40bb1307a.json b/packages/cloud_security_posture/kibana/csp_rule_template/8a985fda-fc4c-5435-b7f0-c4d40bb1307a.json
new file mode 100644
index 00000000000..fcfbf84d09a
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/8a985fda-fc4c-5435-b7f0-c4d40bb1307a.json
@@ -0,0 +1,38 @@
+{
+ "id": "8a985fda-fc4c-5435-b7f0-c4d40bb1307a",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "When an organization deletes the default network, it may need to migrate or service onto a new network.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/compute/docs/networking#firewall_rules\n2. https://cloud.google.com/compute/docs/reference/latest/networks/insert\n3. https://cloud.google.com/compute/docs/reference/latest/networks/delete\n4. https://cloud.google.com/vpc/docs/firewall-rules-logging\n5. https://cloud.google.com/vpc/docs/vpc#default-network\n6. https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete",
+ "id": "8a985fda-fc4c-5435-b7f0-c4d40bb1307a",
+ "name": "Ensure That the Default Network Does Not Exist in a Project",
+ "profile_applicability": "* Level 2",
+ "description": "To prevent use of `default` network, a project should not have a `default` network.",
+ "rationale": "The `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules: \n\n- default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n- default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n- default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n- default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.\n\n\nFurthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.\n\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the `VPC networks` page by visiting: [https://console.cloud.google.com/networking/networks/list](https://console.cloud.google.com/networking/networks/list).\n\n2. Ensure that a network with the name `default` is not present.\n\n**From Google Cloud CLI**\n\n3. Set the project name in the Google Cloud Shell:\n```\n\ngcloud config set project PROJECT_ID \n```\n4. List the networks configured in that project:\n```\ngcloud compute networks list \n```\nIt should not list `default` as one of the available networks in that project.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the `VPC networks` page by visiting: [https://console.cloud.google.com/networking/networks/list](https://console.cloud.google.com/networking/networks/list).\n\n2. Click the network named `default`.\n\n3. On the network detail page, click `EDIT`.\n\n4. Click `DELETE VPC NETWORK`.\n\n5. If needed, create a new network to replace the default network.\n\n**From Google Cloud CLI**\n\nFor each Google Cloud Platform project,\n\n6. Delete the default network:\n```\ngcloud compute networks delete default\n```\n\n7. If needed, create a new network to replace it:\n```\ngcloud compute networks create NETWORK_NAME\n```\n\n**Prevention:**\n\nThe user can prevent the default network and its insecure default firewall rules from being created by setting up an Organization Policy to `Skip default network creation` at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation](https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation).",
+ "section": "Networking",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 3.1",
+ "Networking"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "3.1",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_3_1"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
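Review bot: The `impact` string of this template reads `it may need to migrate or service onto a new network`, which drops a noun; `it may need to migrate resources or services onto a new network` says what was meant. The CLI part of `audit` also opens its first fence with an empty line (`\n```\n\ngcloud config set project PROJECT_ID \n```), which renders as a blank line before the command; removing the extra `\n` and the trailing space matches the other fences in this file. As a point of style, this file and every other new template in this chunk (`8c36c21b-…`, `8daf3f8a-…`, `8f2644ed-…`, `9126cd85-…`, `92077c86-…`) is committed without a trailing newline, as the `\ No newline at end of file` markers show; ending each file with a newline keeps later diffs of these templates clean.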
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/8c36c21b-3c8f-5a92-bc7e-62871428f4d2.json b/packages/cloud_security_posture/kibana/csp_rule_template/8c36c21b-3c8f-5a92-bc7e-62871428f4d2.json
new file mode 100644
index 00000000000..096c50fe45b
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/8c36c21b-3c8f-5a92-bc7e-62871428f4d2.json
@@ -0,0 +1,38 @@
+{
+ "id": "8c36c21b-3c8f-5a92-bc7e-62871428f4d2",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Users already having Project-wide ssh key pairs and using third party SSH clients will lose access to the impacted Instances. For Project users using gcloud or GCP Console based SSH option, no manual key creation and distribution is required and will be handled by GCE (Google Compute Engine) itself. To access Instance using third party SSH clients Instance specific SSH key pairs need to be created and distributed to the required users.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys\n2. https://cloud.google.com/sdk/gcloud/reference/topic/formats",
+ "id": "8c36c21b-3c8f-5a92-bc7e-62871428f4d2",
+ "name": "Ensure \u201cBlock Project-Wide SSH Keys\u201d Is Enabled for VM Instances",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.",
+ "rationale": "Project-wide SSH keys are stored in Compute/Project-meta-data.\nProject wide SSH keys can be used to login into all the instances within project.\nUsing project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.\nIt is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances). It will list all the instances in your project.\n\n2. For every instance, click on the name of the instance.\n\n3. Under `SSH Keys`, ensure `Block project-wide SSH keys` is selected.\n\n**From Google Cloud CLI**\n\n4. List the instances in your project and get details on each instance:\n```\ngcloud compute instances list --format=json\n```\n5. Ensure `key: block-project-ssh-keys` is set to `value: 'true'`.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances). It will list all the instances in your project.\n\n2. Click on the name of the Impacted instance\n\n3. Click `Edit` in the toolbar\n\n4. Under SSH Keys, go to the `Block project-wide SSH keys` checkbox\n\n5. To block users with project-wide SSH keys from connecting to this instance, select `Block project-wide SSH keys`\n\n6. Click `Save` at the bottom of the page\n\n7. Repeat steps for every impacted Instance\n\n**From Google Cloud CLI**\n\nTo block project-wide public SSH keys, set the metadata value to `TRUE`:\n\n```\ngcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE\n```",
+ "section": "Virtual Machines",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 4.3",
+ "Virtual Machines"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "4.3",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_3"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
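Review bot: The CLI command in `remediation`, `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`, names no instance, so as quoted it has nothing to act on; if an angle-bracket placeholder was stripped when this diff was rendered this can be ignored, otherwise it should read `gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE`, in the `ZONE_NAME`/`NETWORK_NAME` placeholder style the other templates in this change use. Step 5 of `audit` tells the reader to find `key: block-project-ssh-keys` in the full `--format=json` dump of every instance but, unlike the Cloud SQL templates here, gives no filter to locate that item in each instance's metadata; a short filter expression or a sentence noting that the key is looked up per instance, not at project level, would make the step actionable.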
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/8daf3f8a-8cb0-58f4-955a-ce2dd2a11f75.json b/packages/cloud_security_posture/kibana/csp_rule_template/8daf3f8a-8cb0-58f4-955a-ce2dd2a11f75.json
new file mode 100644
index 00000000000..6e2677bd220
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/8daf3f8a-8cb0-58f4-955a-ce2dd2a11f75.json
@@ -0,0 +1,38 @@
+{
+ "id": "8daf3f8a-8cb0-58f4-955a-ce2dd2a11f75",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Removing the binding for `allUsers` and `allAuthenticatedUsers` members denies accessing `cryptokeys` to anonymous or public users.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n2. https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n3. https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n4. https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id",
+ "id": "8daf3f8a-8cb0-58f4-955a-ce2dd2a11f75",
+ "name": "Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.",
+ "rationale": "Granting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the dataset.\nSuch access might not be desirable if sensitive data is stored at the location.\nIn this case, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not allowed.",
+ "audit": "**From Google Cloud CLI**\n\n1. List all Cloud KMS `Cryptokeys`.\n```\ngcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n```\n2. Ensure the below command's output does not contain `allUsers` or `allAuthenticatedUsers`.\n```\ngcloud kms keys get-iam-policy [key_name] --keyring=[key_ring_name] --location=global --format=json | jq '.bindings[].members[]'\n```",
+ "remediation": "**From Google Cloud CLI**\n\n1. List all Cloud KMS `Cryptokeys`.\n\n```\ngcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n```\n2. Remove IAM policy binding for a KMS key to remove access to `allUsers` and `allAuthenticatedUsers` using the below command.\n\n```\ngcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\ngcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n```",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.9",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.9",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_9"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
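Review bot: Every CLI command in `audit` and `remediation` is pinned to `--location=global`, so key rings created in any regional or multi-regional location are never listed or checked, and the template gives no step to enumerate locations or key rings before step 1; either state that the `[key_ring_name]` and location values must be repeated for every key ring, or add an enumeration step such as `gcloud kms keyrings list --location=LOCATION` ahead of the key listing. The `rationale` also says granting `allUsers`/`allAuthenticatedUsers` `allows anyone to access the dataset`, wording that appears to be carried over from a BigQuery rule; for this rule it should read `allows anyone to use the cryptokey`.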
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/8f2644ed-70b5-576f-b9b9-aabea6821749.json b/packages/cloud_security_posture/kibana/csp_rule_template/8f2644ed-70b5-576f-b9b9-aabea6821749.json
new file mode 100644
index 00000000000..df56a41b822
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/8f2644ed-70b5-576f-b9b9-aabea6821749.json
@@ -0,0 +1,38 @@
+{
+ "id": "8f2644ed-70b5-576f-b9b9-aabea6821749",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Updating flags may cause the database to restart. This may cause it to unavailable for a short amount of time, so this is best done at a time of low usage. You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15",
+ "id": "8f2644ed-70b5-576f-b9b9-aabea6821749",
+ "name": "Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to set `cross db ownership chaining` database flag for Cloud SQL SQL Server instance to `off`.",
+ "rationale": "Use the `cross db ownership` for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server.\nThis server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.\nEnabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.\nThis recommendation is applicable to SQL Server database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console.\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `cross db ownership chaining` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `off` for every Cloud SQL SQL Server database instance:\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"cross db ownership chaining\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `cross db ownership chaining` database flag for every Cloud SQL SQL Server database instance using the below command:\n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\nNote: \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").",
+ "section": "SQL Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.3.2",
+ "SQL Server"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.3.2",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_3_2"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
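Review bot: The jq filter in `audit`, `gcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"cross db ownership chaining\")|.value'`, is applied to the array that `instances list` returns, so jq cannot index `settings` on it and the check never yields a value; the PostgreSQL template later in this change (`9259a915-…`) uses `.[].settings.databaseFlags[]`, and this filter should match it. The `remediation` command `gcloud sql instances patch --database-flags \"cross db ownership chaining=off\"` likewise names no instance; unless that is a placeholder lost in rendering, it needs `INSTANCE_NAME` before the flag. `section` is `SQL Server` here while the other Cloud SQL template in this chunk (`92077c86-…`, CIS 6.6) uses `Cloud SQL Database Services`; worth confirming the intended grouping, since both rules sit under CIS section 6.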
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/9126cd85-611c-5b06-b2f2-a18338e26ae1.json b/packages/cloud_security_posture/kibana/csp_rule_template/9126cd85-611c-5b06-b2f2-a18338e26ae1.json
new file mode 100644
index 00000000000..63aa2286410
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/9126cd85-611c-5b06-b2f2-a18338e26ae1.json
@@ -0,0 +1,38 @@
+{
+ "id": "9126cd85-611c-5b06-b2f2-a18338e26ae1",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options",
+ "id": "9126cd85-611c-5b06-b2f2-a18338e26ae1",
+ "name": "Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC",
+ "profile_applicability": "* Level 1",
+ "description": "NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.\n\nDNSSEC algorithm numbers in this registry may be used in CERT RRs.\nZone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.\nThe algorithm used for key signing should be a recommended one and it should be strong.",
+ "rationale": "DNSSEC algorithm numbers in this registry may be used in CERT RRs.\nZone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.\n\nThe algorithm used for key signing should be a recommended one and it should be strong.\nWhen enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected.\nChanging the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.\nIf the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.",
+ "audit": "**From Google Cloud CLI**\n\nEnsure the property algorithm for keyType zone signing is not using RSASHA1.\n\n```\ngcloud dns managed-zones describe --format=\"json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)\"\n```",
+ "remediation": "**From Google Cloud CLI**\n\n1. If the need exists to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and then re-enabled with different settings. To turn off DNSSEC, run following command:\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state off\n```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following command:\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n```\n\nSupported algorithm options and key lengths are as follows.\n\n Algorithm KSK Length ZSK Length\n --------- ---------- ----------\n RSASHA1 1024,2048 1024,2048\n RSASHA256 1024,2048 1024,2048\n RSASHA512 1024,2048 1024,2048\n ECDSAP256SHA256 256 384\n ECDSAP384SHA384 384 384",
+ "section": "Networking",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 3.5",
+ "Networking"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "3.5",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_3_5"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
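Review bot: The `audit` step runs `gcloud dns managed-zones describe --format=\"json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)\"` with no zone named and no preceding list step, so the reader cannot tell which zones to check or how to iterate them; unless a placeholder was lost in rendering, it should read `gcloud dns managed-zones describe ZONE_NAME --format=…`, preceded by `gcloud dns managed-zones list`. The algorithm table in `remediation` still lists `RSASHA1` as a supported `--zsk-algorithm`, which contradicts the rule title; either drop that row or mark it as the value this rule flags. `impact` is an empty string while every other new template in this chunk carries text; the remediation's own off-then-on sequence implies a disruption worth stating there, e.g. `Changing the signing algorithm requires turning DNSSEC off and re-enabling it, so the zone is unsigned between the two updates.`, if the authors confirm that is accurate.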
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/91d52d43-da61-5ba2-a4d4-1018fee84559.json b/packages/cloud_security_posture/kibana/csp_rule_template/91d52d43-da61-5ba2-a4d4-1018fee84559.json
index 3a780a683ab..a67233f6b6c 100644
--- a/packages/cloud_security_posture/kibana/csp_rule_template/91d52d43-da61-5ba2-a4d4-1018fee84559.json
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/91d52d43-da61-5ba2-a4d4-1018fee84559.json
@@ -11,8 +11,8 @@
"profile_applicability": "* Level 1",
"description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket.\nAn access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.\nIt is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.",
"rationale": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets.\nConfiguring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.",
- "audit": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. In the API activity history pane on the left, click Trails\n3. In the Trails pane, note the bucket names in the S3 bucket column\n4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n5. Under `All Buckets` click on a target S3 bucket\n6. Click on `Properties` in the top right of the console\n7. Under `Bucket:` _ `` _ click on `Logging` \n8. Ensure `Enabled` is checked.\n\n**From Command Line:**\n\n9. Get the name of the S3 bucket that CloudTrail is logging to:\n``` \naws cloudtrail describe-trails --query 'trailList[*].S3BucketName' \n```\n10. Ensure Bucket Logging is enabled:\n```\naws s3api get-bucket-logging --bucket \n```\nEnsure command does not returns empty output.\n\nSample Output for a bucket with logging enabled:\n\n```\n{\n \"LoggingEnabled\": {\n \"TargetPrefix\": \"\",\n \"TargetBucket\": \"\"\n }\n}\n```",
- "remediation": "Perform the following to enable S3 bucket logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n2. Under `All Buckets` click on the target S3 bucket\n3. Click on `Properties` in the top right of the console\n4. Under `Bucket:` click on `Logging` \n5. Configure bucket logging\n - Click on the `Enabled` checkbox\n - Select Target Bucket from list\n - Enter a Target Prefix\n6. Click `Save`.\n\n**From Command Line:**\n\n7. Get the name of the S3 bucket that CloudTrail is logging to:\n```\naws cloudtrail describe-trails --region --query trailList[*].S3BucketName\n```\n8. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``:\n```\n{\n \"LoggingEnabled\": {\n \"TargetBucket\": \"\",\n \"TargetPrefix\": \"\",\n \"TargetGrants\": [\n {\n \"Grantee\": {\n \"Type\": \"AmazonCustomerByEmail\",\n \"EmailAddress\": \"\"\n },\n \"Permission\": \"FULL_CONTROL\"\n }\n ]\n } \n}\n```\n9. Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html):\n```\naws s3api put-bucket-logging --bucket --bucket-logging-status file://\n```",
+ "audit": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. In the API activity history pane on the left, click Trails\n3. In the Trails pane, note the bucket names in the S3 bucket column\n4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n5. Under `All Buckets` click on a target S3 bucket\n6. Click on `Properties` in the top right of the console\n7. Under `Bucket:` _ `` _ click on `Logging` \n8. Ensure `Enabled` is checked.\n\n**From Command Line:**\n\n9. Get the name of the S3 bucket that CloudTrail is logging to:\n``` \naws cloudtrail describe-trails --query 'trailList[*].S3BucketName' \n```\n10. Ensure Bucket Logging is enabled:\n```\naws s3api get-bucket-logging --bucket \n```\nEnsure command does not returns empty output.\n\nSample Output for a bucket with logging enabled:\n\n```\n{\n \"LoggingEnabled\": {\n \"TargetPrefix\": \"\",\n \"TargetBucket\": \"\"\n }\n}\n```",
+ "remediation": "Perform the following to enable S3 bucket logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n2. Under `All Buckets` click on the target S3 bucket\n3. Click on `Properties` in the top right of the console\n4. Under `Bucket:` click on `Logging` \n5. Configure bucket logging\n - Click on the `Enabled` checkbox\n - Select Target Bucket from list\n - Enter a Target Prefix\n6. Click `Save`.\n\n**From Command Line:**\n\n7. Get the name of the S3 bucket that CloudTrail is logging to:\n```\naws cloudtrail describe-trails --region --query trailList[*].S3BucketName\n```\n8. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``:\n```\n{\n \"LoggingEnabled\": {\n \"TargetBucket\": \"\",\n \"TargetPrefix\": \"\",\n \"TargetGrants\": [\n {\n \"Grantee\": {\n \"Type\": \"AmazonCustomerByEmail\",\n \"EmailAddress\": \"\"\n },\n \"Permission\": \"FULL_CONTROL\"\n }\n ]\n }\n}\n```\n9. Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html):\n```\naws s3api put-bucket-logging --bucket --bucket-logging-status file://\n```",
"section": "Logging",
"version": "1.0",
"tags": [
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/92077c86-0322-5497-b94e-38ef356eadd6.json b/packages/cloud_security_posture/kibana/csp_rule_template/92077c86-0322-5497-b94e-38ef356eadd6.json
new file mode 100644
index 00000000000..27dedc28495
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/92077c86-0322-5497-b94e-38ef356eadd6.json
@@ -0,0 +1,38 @@
+{
+ "id": "92077c86-0322-5497-b94e-38ef356eadd6",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Removing the public IP address on SQL instances may break some applications that relied on it for database connectivity.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/mysql/configure-private-ip\n2. https://cloud.google.com/sql/docs/mysql/private-ip\n3. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n4. https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp",
+ "id": "92077c86-0322-5497-b94e-38ef356eadd6",
+ "name": "Ensure That Cloud SQL Database Instances Do Not Have Public IPs",
+ "profile_applicability": "* Level 2",
+ "description": "It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.",
+ "rationale": "To lower the organization's attack surface, Cloud SQL databases should not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console: [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances)\n\n2. Ensure that every instance has a private IP address and no public IP address configured.\n\n**From Google Cloud CLI**\n\n3. List all Cloud SQL database instances using the following command:\n\n```\ngcloud sql instances list\n```\n\n4. For every instance of type `instanceType: CLOUD_SQL_INSTANCE` with `backendType: SECOND_GEN`, get detailed configuration. Ignore instances of type `READ_REPLICA_INSTANCE` because these instances inherit their settings from the primary instance. Also, note that first generation instances cannot be configured to have a private IP address.\n\n```\ngcloud sql instances describe \n```\n\n5. Ensure that the setting `ipAddresses` has an IP address configured of `type: PRIVATE` and has no IP address of `type: PRIMARY`. `PRIMARY` IP addresses are public addresses. An instance can have both a private and public address at the same time. Note also that you cannot use private IP with First Generation instances.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console: [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances)\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n**From Google Cloud CLI**\n\n6. For every instance remove its public IP and assign a private IP instead:\n```\ngcloud sql instances patch --network= --no-assign-ip\n```\n\n7. Confirm the changes using the following command::\n```\ngcloud sql instances describe \n```\n\n**Prevention:**\n\nTo prevent new SQL instances from getting configured with public IP addresses, set up a `Restrict Public IP access on Cloud SQL instances` Organization policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp](https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp).",
+ "section": "Cloud SQL Database Services",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.6",
+ "Cloud SQL Database Services"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.6",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_6"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
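Review bot: Step 7 of `remediation` reads `Confirm the changes using the following command::` with a doubled colon, and both CLI commands (`gcloud sql instances describe ` and `gcloud sql instances patch --network= --no-assign-ip`) carry no instance or network name; if those are angle-bracket placeholders stripped in rendering, only the colon needs fixing, otherwise they should read `gcloud sql instances patch INSTANCE_NAME --network=VPC_NETWORK_NAME --no-assign-ip` and `gcloud sql instances describe INSTANCE_NAME`, in the placeholder style the other templates in this change use. The `description` also refers to `Second Generation Sql instance`; `Cloud SQL instances` is the product name the rest of the template uses.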
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/9259a915-0294-54d6-b379-162ceb36e875.json b/packages/cloud_security_posture/kibana/csp_rule_template/9259a915-0294-54d6-b379-162ceb36e875.json
new file mode 100644
index 00000000000..3e1c6fa8be5
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/9259a915-0294-54d6-b379-162ceb36e875.json
@@ -0,0 +1,38 @@
+{
+ "id": "9259a915-0294-54d6-b379-162ceb36e875",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT",
+ "id": "9259a915-0294-54d6-b379-162ceb36e875",
+ "name": "Ensure That the \u2018Log_disconnections\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018On\u2019",
+ "profile_applicability": "* Level 1",
+ "description": "Enabling the `log_disconnections` setting logs the end of each session, including the session duration.",
+ "rationale": "PostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.\nThe `log_disconnections` and `log_connections` work hand in hand and generally, the pair would be enabled/disabled together.\nThis recommendation is applicable to PostgreSQL database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Go to the `Configuration` card.\n4. Under `Database flags`, check the value of `log_disconnections` flag is configured as expected.\n\n**From Google Cloud CLI**\n\n5. Ensure the below command returns `on` for every Cloud SQL PostgreSQL database instance:\n```\ngcloud sql instances list --format=json | jq '.[].settings.databaseFlags[] | select(.name==\"log_disconnections\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_disconnections` from the drop-down menu and set the value as `on`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL database instance using the below command:\n```\ngcloud sql instances patch --database-flags log_disconnections=on\n```\n```\nNote: This command will overwrite all previously set database flags.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "PostgreSQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.2.3",
+ "PostgreSQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.2.3",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_2_3"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
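Review bot: The CLI audit step 5 (`gcloud sql instances list --format=json | jq '.[].settings.databaseFlags[] | select(.name=="log_disconnections")|.value'`) prints nothing for an instance on which the flag was never set, and `jq` aborts with "Cannot iterate over null" for an instance that has no `settings.databaseFlags` at all, so the non-compliant default state produces no `off` line for the auditor to notice and "returns on for every instance" is satisfied by silence. A form that names every PostgreSQL instance and reports `unset` explicitly is safer: `jq -r '.[] | select(.databaseVersion|startswith("POSTGRES")) | "\(.name): \(((.settings.databaseFlags // []) | map(select(.name=="log_disconnections")) | .[0].value) // "unset")"'` (inner double quotes need `\"` escaping inside the JSON string). The remediation command `gcloud sql instances patch --database-flags log_disconnections=on` also appears to have lost its instance-name placeholder (sibling rules in this change say "by providing ``" where an angle-bracket token presumably stood), so it fails as written and should read `gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on`. The overwrite warning that follows it is correct and worth keeping: `--database-flags` replaces the entire flag set.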
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/92ab0102-d825-52ce-87a8-1d0b4e06166c.json b/packages/cloud_security_posture/kibana/csp_rule_template/92ab0102-d825-52ce-87a8-1d0b4e06166c.json
new file mode 100644
index 00000000000..cc155ad42c3
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/92ab0102-d825-52ce-87a8-1d0b4e06166c.json
@@ -0,0 +1,38 @@
+{
+ "id": "92ab0102-d825-52ce-87a8-1d0b4e06166c",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling the pgAudit extension can lead to increased data storage requirements and to ensure durability of pgAudit log records in the event of unexpected storage issues, it is recommended to enable the `Enable automatic storage increases` setting on the instance. Enabling flags via the command line will also overwrite all existing flags, so you should apply all needed flags in the CLI command. Also flags may require a restart of the server to be implemented or will break existing functionality so update your servers at a time of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n2. https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n3. https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n4. https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable",
+ "id": "92ab0102-d825-52ce-87a8-1d0b4e06166c",
+ "name": "Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging",
+ "profile_applicability": "* Level 1",
+ "description": "Ensure `cloudsql.enable_pgaudit` database flag for Cloud SQL PostgreSQL instance is set to `on` to allow for centralized logging.",
+ "rationale": "As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs.\nYou may have a solution already in place.\nIf you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of `cloudsql.enable_pgaudit`.\nThis flag and installing the extension enables database auditing in PostgreSQL through the open-source pgAudit extension.\nThis extension provides detailed session and object logging to comply with government, financial, & ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance.\nEnabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location.\nto This recommendation is applicable only to PostgreSQL database instances.",
+ "audit": "**Determining if the pgAudit Flag is set to 'on'**\n\n**From Google Cloud Console**\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Overview` page.\n3. Click `Edit`.\n4. Scroll down and expand `Flags`.\n5. Ensure that `cloudsql.enable_pgaudit` flag is set to `on`.\n\n**From Google Cloud CLI**\n\nRun the command by providing ``.\nEnsure the value of the flag is `on`.\n\n``` \ngcloud sql instances describe --format=\"json\" | jq '.settings|.|.databaseFlags[]|select(.name==\"cloudsql.enable_pgaudit\")|.value' \n```\n\n**Determine if the pgAudit extension is installed**\n\n6. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n7. Via command line open the PostgreSQL shell by typing `psql`\n8. Run the following command\n\n```\nSELECT * \nFROM pg_extension;\n```\n\n9. If pgAudit is in this list. If so, it is installed.\n\n**Determine if Data Access Audit logs are enabled for your project and have sufficient privileges**\n\n10. From the homepage open the hamburger menu in the top left.\n11. Scroll down to `IAM & Admin`and hover over it.\n12. In the menu that opens up, select `Audit Logs`\n13. In the middle of the page, in the search box next to `filter` search for `Cloud Composer API`\n14. Select it, and ensure that both 'Admin Read' and 'Data Read' are checked.\n\n**Determine if logs are being sent to Logs Explorer**\n\n15. From the Google Console home page, open the hamburger menu in the top left.\n16. In the menu that pops open, scroll down to Logs Explorer under Operations.\n17. In the query box, paste the following and search\n```\nresource.type=\"cloudsql_database\"\nlogName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\nprotoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\"\n```\n18. If it returns any log sources, they are correctly setup.",
+ "remediation": "**Initialize the pgAudit flag**\n\n**From Google Cloud Console**\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Overview` page.\n3. Click `Edit`.\n4. Scroll down and expand `Flags`.\n5. To set a flag that has not been set on the instance before, click `Add item`.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to `on`.\n7. Click `Done`.\n8. Click `Save` to update the configuration.\n9. Confirm your changes under `Flags` on the `Overview` page.\n\n**From Google Cloud CLI**\n\nRun the below command by providing `` to enable `cloudsql.enable_pgaudit` flag.\n\n```\ngcloud sql instances patch --database-flags cloudsql.enable_pgaudit=on\n```\n\nNote: `RESTART` is required to get this configuration in effect.\n\n**Creating the extension**\n\n10. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n11. If SSHing to the server in the command line open the PostgreSQL shell by typing `psql`\n12. Run the following command as a superuser.\n\n```\nCREATE EXTENSION pgaudit;\n```\n\n**Updating the previously created pgaudit.log flag for your Logging Needs**\n\n**From Console:**\n\nNote: there are multiple options here.\nThis command will enable logging for all databases on a server.\nPlease see the customizing database audit logging reference for more flag options.\n\n\n13. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n14. Select the instance to open its `Overview` page.\n15. Click `Edit`.\n16. Scroll down and expand `Flags`.\n17. To set a flag that has not been set on the instance before, click `Add item`.\n18. Enter `pgaudit.log=all` for the flag name and set the flag to `on`.\n19. Click `Done`.\n20. Click `Save` to update the configuration.\n21. 
Confirm your changes under `Flags` on the `Overview` page.\n\n**From Command Line:**\n\nRun the command\n\n```\ngcloud sql instances patch --database-flags \\\n cloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n**Determine if logs are being sent to Logs Explorer**\n\n22. From the Google Console home page, open the hamburger menu in the top left.\n23. In the menu that pops open, scroll down to Logs Explorer under Operations.\n24. In the query box, paste the following and search\n\nresource.type=\"cloudsql_database\"\nlogName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\nprotoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\"\n\n If it returns any log sources, they are correctly setup.",
+ "section": "PostgreSQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.2.8",
+ "PostgreSQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.2.8",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_2_8"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
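Review bot: Remediation step 18, `Enter pgaudit.log=all for the flag name and set the flag to on`, conflates the flag name with its value; the console entry should be flag `pgaudit.log` with value `all`, matching the CLI form `cloudsql.enable_pgaudit=on,pgaudit.log=all` given later in the same field, and `on` is not a valid `pgaudit.log` class. Audit step 13 tells the reader to enable Admin Read / Data Read logs for the `Cloud Composer API`, yet the Logs Explorer query in step 17 filters on `resource.type="cloudsql_database"` under `cloudaudit.googleapis.com%2Fdata_access`, so the service whose Data Access audit logs must be enabled here is the Cloud SQL Admin API; unless this is deliberately kept verbatim from the benchmark, it looks like the wrong service name. Because `pgaudit.log=all` writes full statement text (including literals and every READ) into Data Access logs, `impact` should add a sentence that these logs can contain sensitive data and need restricted access and a retention policy. Minor wording defects that will show in the Kibana UI: `to This recommendation is applicable` in `rationale`, and `If pgAudit is in this list. If so, it is installed.` in audit step 9 (suggest `If pgaudit appears in this list, the extension is installed.`).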
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/933268ec-44e8-5fba-9ed7-535804521cc7.json b/packages/cloud_security_posture/kibana/csp_rule_template/933268ec-44e8-5fba-9ed7-535804521cc7.json
new file mode 100644
index 00000000000..436e852ed1f
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/933268ec-44e8-5fba-9ed7-535804521cc7.json
@@ -0,0 +1,38 @@
+{
+ "id": "933268ec-44e8-5fba-9ed7-535804521cc7",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Removed roles should be assigned to another user based on business needs.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/kms/docs/separation-of-duties",
+ "id": "933268ec-44e8-5fba-9ed7-535804521cc7",
+ "name": "Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users",
+ "profile_applicability": "* Level 2",
+ "description": "It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.",
+ "rationale": "The built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service account(s).\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.\nIn Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to.\nSeparation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.\nIt is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to `IAM & Admin/IAM` by visiting: [https://console.cloud.google.com/iam-admin/iam](https://console.cloud.google.com/iam-admin/iam)\n\n2. Ensure no member has the roles `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` assigned.\n\n**From Google Cloud CLI**\n\n3. List all users and role assignments:\n\n```\ngcloud projects get-iam-policy PROJECT_ID\n```\n\n4. Ensure that there are no common users found in the member section for roles `cloudkms.admin` and any one of `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter`",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to `IAM & Admin/IAM` using `https://console.cloud.google.com/iam-admin/iam`\n\n2. For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the `Delete Bin` icon to remove the role from the member.\n\nNote: Removing a role should be done based on the business requirement.",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.11",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.11",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_11"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
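Review bot: The `rationale` opens with `The built-in/predefined IAM role Cloud KMS Admin allows the user/identity to create, delete, and manage service account(s)`, which describes the Service Account Admin role rather than `roles/cloudkms.admin`; Cloud KMS Admin is the role that manages key rings, keys and key versions, and that is precisely why combining it with an Encrypter/Decrypter role defeats separation of duties. Suggested wording: `The built-in/predefined IAM role Cloud KMS Admin allows the user/identity to create, delete, and manage key rings, keys and key versions.` The CLI audit inspects only `gcloud projects get-iam-policy PROJECT_ID`, but KMS roles are commonly bound on the key ring or key resource itself (`gcloud kms keyrings get-iam-policy` / `gcloud kms keys get-iam-policy`) and may be inherited from a folder or organization, so a clean project-level policy does not prove the combination is absent; a sentence to that effect in `audit` would stop a false pass. Step 4 also mixes one role ID (`cloudkms.admin`) with three display names; listing all four as IDs (`roles/cloudkms.admin`, `roles/cloudkms.cryptoKeyEncrypterDecrypter`, `roles/cloudkms.cryptoKeyEncrypter`, `roles/cloudkms.cryptoKeyDecrypter`) matches what `get-iam-policy` actually prints.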
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c.json b/packages/cloud_security_posture/kibana/csp_rule_template/936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c.json
new file mode 100644
index 00000000000..99e139636f4
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c.json
@@ -0,0 +1,38 @@
+{
+ "id": "936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "When `contained database authentication` is off (0) for the instance, contained databases cannot be created, or attached to the Database Engine. Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase.Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n3. https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15",
+ "id": "936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c",
+ "name": "Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to set `contained database authentication` database flag for Cloud SQL on the SQL Server instance to `off`.",
+ "rationale": "A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed.\nUsers can connect to the database without authenticating a login at the Database Engine level.\nIsolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.\nContained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators.\nMost of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.\nThis recommendation is applicable to SQL Server database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `contained database authentication` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `off` for every Cloud SQL SQL Server database instance.\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"contained database authentication\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `contained database authentication` database flag for every Cloud SQL SQL Server database instance using the below command:\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n```\nNote: \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "SQL Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.3.7",
+ "SQL Server"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.3.7",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_3_7"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
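Review bot: The CLI audit command in step 4, `gcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name=="contained database authentication")|.value'`, cannot run as written: `instances list` returns a JSON array, so `jq` fails with "Cannot index array with settings"; the PostgreSQL rule added in the same change uses `.[].settings.databaseFlags[]` and this one should match it. Even after that fix the pipeline prints nothing for an instance on which the flag is not set, so "returns off for every instance" is satisfied by absence; a form that lists each SQL Server instance with an explicit `unset` is `jq -r '.[] | select(.databaseVersion|startswith("SQLSERVER")) | "\(.name): \(((.settings.databaseFlags // []) | map(select(.name=="contained database authentication")) | .[0].value) // "unset")"'`. Console audit step 3 likewise never states the expected value; it should end with `... is listed under the Database flags section with value off`. The remediation's `patch --database-flags` line appears to have lost its instance-name placeholder (it should be `gcloud sql instances patch INSTANCE_NAME --database-flags "contained database authentication=off"`), while its overwrite warning is accurate and should stay.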
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/a1f327c0-3e4b-5b55-891a-b91e720cd535.json b/packages/cloud_security_posture/kibana/csp_rule_template/a1f327c0-3e4b-5b55-891a-b91e720cd535.json
new file mode 100644
index 00000000000..45659bb076a
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/a1f327c0-3e4b-5b55-891a-b91e720cd535.json
@@ -0,0 +1,38 @@
+{
+ "id": "a1f327c0-3e4b-5b55-891a-b91e720cd535",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options",
+ "id": "a1f327c0-3e4b-5b55-891a-b91e720cd535",
+ "name": "Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC",
+ "profile_applicability": "* Level 1",
+ "description": "NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.\n\nDNSSEC algorithm numbers in this registry may be used in CERT RRs.\nZone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.\nThe algorithm used for key signing should be a recommended one and it should be strong.",
+ "rationale": "Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs.\nZonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.\n\nThe algorithm used for key signing should be a recommended one and it should be strong.\nWhen enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type.\nChanging the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.\nIf there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.",
+ "audit": "**From Google Cloud CLI**\n\nEnsure the property algorithm for keyType keySigning is not using `RSASHA1`.\n\n gcloud dns managed-zones describe ZONENAME --format=\"json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)\"",
+ "remediation": "**From Google Cloud CLI**\n\n1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings. To turn off DNSSEC, run the following command:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state off\n```\n\n2. To update key-signing for a reported managed DNS Zone, run the following command:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n```\n\nSupported algorithm options and key lengths are as follows.\n\n Algorithm KSK Length ZSK Length\n --------- ---------- ----------\n RSASHA1 1024,2048 1024,2048\n RSASHA256 1024,2048 1024,2048\n RSASHA512 1024,2048 1024,2048\n ECDSAP256SHA256 256 256\n ECDSAP384SHA384 384 384",
+ "section": "Networking",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 3.4",
+ "Networking"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "3.4",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_3_4"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
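Review bot: The remediation disables and re-enables DNSSEC (`--dnssec-state off`, then `--dnssec-state on --ksk-algorithm ...`), which provisions a new key-signing key, so the DS record already published at the registrar for the old KSK stops matching and validating resolvers will treat the zone as bogus until it is replaced; the `impact` field is empty and should carry that warning, e.g. `Re-enabling DNSSEC generates a new KSK. Remove the existing DS record at the registrar and wait for its TTL to expire before turning DNSSEC off, then publish the new DS after re-enabling, or the zone will fail validation.` The audit reads only `dnssecConfig.defaultKeySpecs`, i.e. the configured spec; `gcloud dns dns-keys list --zone ZONENAME` shows the algorithm of the keys actually serving the zone, which is what resolvers validate against, and is the better evidence for a KSK check. Remediation step 1 has a typo, `NSSEC must be turned off` should be `DNSSEC must be turned off`, and the supported-algorithm table presents `RSASHA1 1024,2048 1024,2048` as an ordinary option in a rule whose purpose is to forbid it, so a one-line caveat that the RSASHA1 rows are listed for completeness only and must not be chosen would avoid confusion.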
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/a7c6b368-29db-53e6-8b86-dfaddf719f59.json b/packages/cloud_security_posture/kibana/csp_rule_template/a7c6b368-29db-53e6-8b86-dfaddf719f59.json
new file mode 100644
index 00000000000..aa92f7cfd24
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/a7c6b368-29db-53e6-8b86-dfaddf719f59.json
@@ -0,0 +1,38 @@
+{
+ "id": "a7c6b368-29db-53e6-8b86-dfaddf719f59",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/storage/docs/overview\n6. https://cloud.google.com/storage/docs/access-control/iam-roles",
+ "id": "a7c6b368-29db-53e6-8b86-dfaddf719f59",
+ "name": "Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes",
+ "profile_applicability": "* Level 2",
+ "description": "It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.",
+ "rationale": "Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.",
+ "audit": "**From Google Cloud Console**\n\n**Ensure the prescribed log metric is present:**\n\n1. For each project that contains cloud storage buckets, go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure at least one metric `` is present with the filter text:\n\n```\nresource.type=\"gcs_bucket\"\nAND protoPayload.methodName=\"storage.setIamPermissions\"\n```\n\n**Ensure that the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of 0 for greater than 0 seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that the appropriate notifications channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure that the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to: \n```\nresource.type=gcs_bucket \nAND protoPayload.methodName=\"storage.setIamPermissions\"\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. 
Ensure that the output contains an least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`",
+ "remediation": "**From Google Cloud Console**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n```\nresource.type=\"gcs_bucket\" \nAND protoPayload.methodName=\"storage.setIamPermissions\"\n```\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed Alert Policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page appears.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notifications channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud beta logging metrics create \n\nCreate the prescribed alert policy: \n- Use the command: gcloud alpha monitoring policies create",
+ "section": "Logging and Monitoring",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 2.10",
+ "Logging and Monitoring"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "2.10",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_2_10"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
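Review bot: Audit step 4 says the alert `will trigger for any new owner change` and remediation step 9 says `for every owner change in the project`, wording carried over from the project-ownership rule; this metric counts `storage.setIamPermissions` calls on `gcs_bucket` resources, so both sentences should read `for every bucket IAM policy change`. The CLI remediation lines `gcloud beta logging metrics create` and `gcloud alpha monitoring policies create` have no arguments, and the metric name in `logging.googleapis.com/user/` is empty, which looks like an angle-bracket placeholder lost in conversion; the metric line at minimum needs a name and the filter, e.g. `gcloud logging metrics create METRIC_NAME --description="Cloud Storage bucket IAM changes" --log-filter='resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"'`. A practitioner caveat worth one sentence in `rationale`: the filter catches bucket-level policy changes, which land in the always-on Admin Activity log, but object-level ACL changes are not matched by it and, as Data Access events, are only recorded at all if Data Access audit logging is enabled for Cloud Storage. The audit and remediation CLI filters also differ (`resource.type="gcs_bucket"` quoted in one, `resource.type=gcs_bucket` bare in the other); both parse, but a reviewer comparing `gcloud logging metrics list --format json` output against the text should be told either form is acceptable.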
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b0ed2847-4db1-57c3-b2b6-49b0576a2506.json b/packages/cloud_security_posture/kibana/csp_rule_template/b0ed2847-4db1-57c3-b2b6-49b0576a2506.json
new file mode 100644
index 00000000000..ea7f5e09e27
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/b0ed2847-4db1-57c3-b2b6-49b0576a2506.json
@@ -0,0 +1,38 @@
+{
+ "id": "b0ed2847-4db1-57c3-b2b6-49b0576a2506",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/mysql/flags\n2. https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database",
+ "id": "b0ed2847-4db1-57c3-b2b6-49b0576a2506",
+ "name": "Ensure \u2018Skip_show_database\u2019 Database Flag for Cloud SQL MySQL Instance Is Set to \u2018On\u2019",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to set `skip_show_database` database flag for Cloud SQL Mysql instance to `on`",
+ "rationale": "'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.\nThis can improve security if you have concerns about users being able to see databases belonging to other users.\nIts effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names.\nIf the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.\nThis recommendation is applicable to Mysql database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `skip_show_database` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. List all Cloud SQL database Instances\n```\ngcloud sql instances list\n```\n5. Ensure the below command returns `on` for every Cloud SQL Mysql database instance\n```\ngcloud sql instances describe INSTANCE_NAME --format=json | jq '.settings.databaseFlags[] | select(.name==\"skip_show_database\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the Mysql instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `skip_show_database` from the drop-down menu, and set its value to `on`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. List all Cloud SQL database Instances\n```\ngcloud sql instances list\n```\n9. Configure the `skip_show_database` database flag for every Cloud SQL Mysql database instance using the below command.\n```\ngcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on\n```\n\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "MySQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.1.2",
+ "MySQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.1.2",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_1_2"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
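Review bot: `impact` is left empty on this template even though its own remediation Note states that `gcloud sql instances patch --database-flags` overwrites every flag previously set, which is precisely the operational impact a reader of that field needs. The 6.2.1 template (b64386ab) records that same caveat in `impact`, so for consistency this one should too, e.g. `"impact": "Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults."`. Every file in this batch is also committed without a trailing newline (`\ No newline at end of file`), which is worth fixing in the generator if these are generated.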
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b190337a-56a7-5906-8960-76fd05283599.json b/packages/cloud_security_posture/kibana/csp_rule_template/b190337a-56a7-5906-8960-76fd05283599.json
new file mode 100644
index 00000000000..ce8e8a9cbb2
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/b190337a-56a7-5906-8960-76fd05283599.json
@@ -0,0 +1,38 @@
+{
+ "id": "b190337a-56a7-5906-8960-76fd05283599",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Deleting instance(s) acting as routers/packet forwarders may break the network connectivity.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/vpc/docs/using-routes#canipforward",
+ "id": "b190337a-56a7-5906-8960-76fd05283599",
+ "name": "Ensure That IP Forwarding Is Not Enabled on Instances",
+ "profile_applicability": "* Level 1",
+ "description": "Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance.\nSimilarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nForwarding of data packets should be disabled to prevent data loss or information disclosure.",
+ "rationale": "Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance.\nSimilarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\nTo enable this source and destination IP check, disable the `canIpForward` field, which allows an instance to send and receive packets with non-matching destination or source IPs.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the `VM Instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances). \n2. For every instance, click on its name to go to the `VM instance details` page.\n3. Under the `Network interfaces` section, ensure that `IP forwarding` is set to `Off` for every network interface.\n\n**From Google Cloud CLI**\n\n4. List all instances:\n```\ngcloud compute instances list --format='table(name,canIpForward)'\n```\n5. Ensure that `CAN_IP_FORWARD` column in the output of above command does not contain `True` for any VM instance.\n\n**Exception:**\nInstances created by GKE should be excluded because they need to have IP forwarding enabled and cannot be changed.\nInstances created by GKE have names that start with \"gke-\".",
+ "remediation": "You only edit the `canIpForward` setting at instance creation time.\nTherefore, you need to delete the instance and create a new one where `canIpForward` is set to `false`.\n\n**From Google Cloud Console**\n\n1. Go to the `VM Instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances). \n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the 'VM Instances' page, click `CREATE INSTANCE'.\n5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.\n\n**From Google Cloud CLI**\n\n6. Delete the instance:\n```\ngcloud compute instances delete INSTANCE_NAME\n```\n\n7. Create a new instance to replace it, with `IP forwarding` set to `Off`\n```\ngcloud compute instances create\n```",
+ "section": "Virtual Machines",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 4.6",
+ "Virtual Machines"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "4.6",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_6"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
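Review bot: Step 4 of the console remediation on the `remediation` line opens an inline-code span with a backtick before CREATE INSTANCE but closes it with an apostrophe (`CREATE INSTANCE'`), so the markdown renders an unterminated code span; the closing character should be a backtick. Step 7's CLI example, `gcloud compute instances create`, has no instance-name placeholder, whereas step 6 uses `INSTANCE_NAME`; `gcloud compute instances create INSTANCE_NAME` keeps the two steps consistent. The GKE exception in `audit` (instances named `gke-*`) is stated in prose only, so whether the `cis_4_6` rego rule applies it cannot be seen from this file.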
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b56e76ca-b976-5b96-ab3f-359e5b51ddf2.json b/packages/cloud_security_posture/kibana/csp_rule_template/b56e76ca-b976-5b96-ab3f-359e5b51ddf2.json
new file mode 100644
index 00000000000..e6ea713699c
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/b56e76ca-b976-5b96-ab3f-359e5b51ddf2.json
@@ -0,0 +1,38 @@
+{
+ "id": "b56e76ca-b976-5b96-ab3f-359e5b51ddf2",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/compute/docs/access/service-accounts\n2. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n3. https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account",
+ "id": "b56e76ca-b976-5b96-ab3f-359e5b51ddf2",
+ "name": "Ensure That Instances Are Not Configured To Use the Default Service Account",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.",
+ "rationale": "The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services.\nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account.\nInstead, you should create a new service account and assigning only the permissions needed by your instance.\n\nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n2. Click on each instance name to go to its `VM instance details` page.\n3. Under the section `API and identity management`, ensure that the default Compute Engine service account is not used. This account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n**From Google Cloud CLI**\n\n4. List the instances in your project and get details on each instance:\n```\ngcloud compute instances list --format=json | jq -r '.\n| \"SA: \\(.[].serviceAccounts[].email) Name: \\(.[].name)\"'\n```\n5. Ensure that the service account section has an email that does not match the pattern `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n**Exception:**\nVMs created by GKE should be excluded.\nThese VMs have names that start with `gke-` and are labeled `goog-gke-node`.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n2. Click on the instance name to go to its `VM instance details` page.\n3. Click `STOP` and then click `EDIT`.\n4. Under the section `API and identity management`, select a service account other than the default Compute Engine service account. You may first need to create a new service account.\n5. Click `Save` and then click `START`.\n\n**From Google Cloud CLI**\n\n6. Stop the instance:\n```\ngcloud compute instances stop \n```\n7. Update the instance:\n```\ngcloud compute instances set-service-account --service-account= \n```\n8. Restart the instance:\n```\ngcloud compute instances start \n```",
+ "section": "Virtual Machines",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 4.1",
+ "Virtual Machines"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "4.1",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_1"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
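Review bot: The jq filter in audit step 4 on the `audit` line interpolates two separate generators, `\(.[].serviceAccounts[].email)` and `\(.[].name)`, inside one string, which in jq yields the cartesian product of every service-account email with every instance name rather than one line per instance, so on a project with more than one VM the output pairs emails with the wrong names. Iterating once and reading fields of the current element gives one correct line per instance: `jq -r '.[] | "SA: \(.serviceAccounts[].email) Name: \(.name)"'`. The same pattern appears in the Shielded VM audit in b8c40039. The CLI remediation in steps 6-8 also leaves out the instance-name placeholder and gives an empty `--service-account=` value, unlike the `INSTANCE_NAME` convention used in b190337a.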
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b64386ab-20fa-57d2-9b5b-631d64181531.json b/packages/cloud_security_posture/kibana/csp_rule_template/b64386ab-20fa-57d2-9b5b-631d64181531.json
new file mode 100644
index 00000000000..02158c0b535
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/b64386ab-20fa-57d2-9b5b-631d64181531.json
@@ -0,0 +1,38 @@
+{
+ "id": "b64386ab-20fa-57d2-9b5b-631d64181531",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT",
+ "id": "b64386ab-20fa-57d2-9b5b-631d64181531",
+ "name": "Ensure \u2018Log_error_verbosity\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018DEFAULT\u2019 or Stricter",
+ "profile_applicability": "* Level 2",
+ "description": "The `log_error_verbosity` flag controls the verbosity/details of messages logged.\nValid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to 'DEFAULT' or stricter.",
+ "rationale": "Auditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details may be logged.\nThis flag should be configured with a value of 'DEFAULT' or stricter.\nThis recommendation is applicable to PostgreSQL database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Go to `Configuration` card\n4. Under `Database flags`, check the value of `log_error_verbosity` flag is set to 'DEFAULT' or stricter.\n\n**From Google Cloud CLI**\n\n5. Use the below command for every Cloud SQL PostgreSQL database instance to verify the value of `log_error_verbosity`\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"log_error_verbosity\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_error_verbosity` from the drop-down menu and set appropriate value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the log_error_verbosity database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_error_verbosity=\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "PostgreSQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.2.1",
+ "PostgreSQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.2.1",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_2_1"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
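Review bot: Audit step 5 on the `audit` line pipes `gcloud sql instances list --format=json` into `jq '.settings.databaseFlags[] ...'`, but `list` emits a JSON array of instances, so `.settings` is applied to an array and jq errors out instead of printing the flag value; either use `gcloud sql instances describe INSTANCE_NAME --format=json` as the 6.1.2 template (b0ed2847) does, or index the array with `jq '.[].settings.databaseFlags[] | select(.name=="log_error_verbosity")|.value'`. The remediation's `gcloud sql instances patch --database-flags log_error_verbosity=` in step 8 is missing both the instance name and the value; `gcloud sql instances patch INSTANCE_NAME --database-flags log_error_verbosity=DEFAULT` matches the form used in 6.1.2. "PosgreSQL" in that same step is a typo.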
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b8c40039-034b-5299-8660-a7c8d34efe36.json b/packages/cloud_security_posture/kibana/csp_rule_template/b8c40039-034b-5299-8660-a7c8d34efe36.json
new file mode 100644
index 00000000000..c4bbf9c8932
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/b8c40039-034b-5299-8660-a7c8d34efe36.json
@@ -0,0 +1,38 @@
+{
+ "id": "b8c40039-034b-5299-8660-a7c8d34efe36",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n2. https://cloud.google.com/shielded-vm\n3. https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint",
+ "id": "b8c40039-034b-5299-8660-a7c8d34efe36",
+ "name": "Ensure Compute Instances Are Launched With Shielded VM Enabled",
+ "profile_applicability": "* Level 2",
+ "description": "To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.",
+ "rationale": "Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.\n\n\nShielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits.\nShielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.\n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.\nThe integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. Click on the instance name to see its `VM instance details` page.\n\n3. Under the section `Shielded VM`, ensure that `vTPM` and `Integrity Monitoring` are `on`.\n\n**From Google Cloud CLI**\n\n4. For each instance in your project, get its metadata:\n```\ngcloud compute instances list --format=json | jq -r '.\n| \"vTPM: \\(.[].shieldedInstanceConfig.enableVtpm) IntegrityMonitoring: \\(.[].shieldedInstanceConfig.enableIntegrityMonitoring) Name: \\(.[].name)\"'\n```\n\n5. Ensure that there is a `shieldedInstanceConfig` configuration and that configuration has the `enableIntegrityMonitoring` and `enableVtpm` set to `true`. If the VM is not a Shield VM image, you will not see a shieldedInstanceConfig` in the output.",
+ "remediation": "To be able turn on `Shielded VM` on an instance, your instance must use an image with Shielded VM support.\n\n\n**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. Click on the instance name to see its `VM instance details` page.\n\n3. Click `STOP` to stop the instance.\n\n4. When the instance has stopped, click `EDIT`.\n\n5. In the Shielded VM section, select `Turn on vTPM` and `Turn on Integrity Monitoring`.\n\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select `Turn on Secure Boot`.\n\n7. Click the `Save` button to modify the instance and then click `START` to restart it.\n\n**From Google Cloud CLI**\n\nYou can only enable Shielded VM options on instances that have Shielded VM support.\nFor a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n8. Stop the instance:\n```\ngcloud compute instances stop \n```\n9. Update the instance:\n\n```\ngcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring\n```\n10. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.\n\n```\ngcloud compute instances update --shielded-vm-secure-boot\n```\n\n11. 
Restart the instance:\n\n```\ngcloud compute instances start \n```\n\n**Prevention:**\n\nYou can ensure that all new VMs will be created with Shielded VM enabled by setting up an Organization Policy to for `Shielded VM` at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm](https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm).\nLearn more at: \n[https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint](https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint).",
+ "section": "Virtual Machines",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 4.8",
+ "Virtual Machines"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "4.8",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_8"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
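Review bot: Audit step 5 on the `audit` line has an unbalanced backtick: `shieldedInstanceConfig` is followed by a closing backtick with no opening one, so the remainder of the sentence renders as code; add the opening backtick before `shieldedInstanceConfig`. The `stop`, `update` and `start` commands in remediation steps 8-11 carry no instance-name placeholder, so a reader copying them gets a usage error; `gcloud compute instances stop INSTANCE_NAME` (and likewise for `update` and `start`) would match the convention used in b190337a. The audit checks only `enableVtpm` and `enableIntegrityMonitoring` while the remediation treats Secure Boot as optional, so presumably the `cis_4_8` rego rule does not require Secure Boot; one sentence in `description` saying so would prevent a false expectation.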
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b8f1182a-1b3e-5b08-8482-f74949163e97.json b/packages/cloud_security_posture/kibana/csp_rule_template/b8f1182a-1b3e-5b08-8482-f74949163e97.json
new file mode 100644
index 00000000000..3a5959fc511
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/b8f1182a-1b3e-5b08-8482-f74949163e97.json
@@ -0,0 +1,38 @@
+{
+ "id": "b8f1182a-1b3e-5b08-8482-f74949163e97",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "After revoking `Service Account User` or `Service Account Token Creator` roles at the project level from all impacted user account(s), these roles should be assigned to a user(s) for specific service account(s) according to business needs.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/iam/docs/service-accounts\n2. https://cloud.google.com/iam/docs/granting-roles-to-service-accounts\n3. https://cloud.google.com/iam/docs/understanding-roles\n4. https://cloud.google.com/iam/docs/granting-changing-revoking-access\n5. https://console.cloud.google.com/iam-admin/iam",
+ "id": "b8f1182a-1b3e-5b08-8482-f74949163e97",
+ "name": "Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended to assign the `Service Account User (iam.serviceAccountUser)` and `Service Account Token Creator (iam.serviceAccountTokenCreator)` roles to a user for a specific service account rather than assigning the role to a user at project level.",
+ "rationale": "A service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end-user.\nApplication/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved.\nIn addition to being an identity, a service account is a resource that has IAM policies attached to it.\nThese policies determine who can use the service account.\n\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access.\nSimilarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/Service account.\n\nBased on business needs, there could be multiple user-managed service accounts configured for a project.\nGranting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future.\nThis can result in elevation of privileges by using service accounts and corresponding `Compute Engine instances`.\n\nIn order to implement `least privileges` best practices, IAM users should not be assigned the `Service Account User` or `Service Account Token Creator` roles at the project level.\nInstead, these roles should be assigned to a user for a specific service account, giving that user access to the service account.\nThe `Service Account User` allows a user to bind a service account to a long-running job service, whereas the `Service Account Token Creator` role allows a user to directly impersonate (or assert) the identity of a service account.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the IAM page in the GCP Console by visiting [https://console.cloud.google.com/iam-admin/iam](https://console.cloud.google.com/iam-admin/iam)\n\n2. Click on the filter table text bar, Type `Role: Service Account User`.\n\n3. Ensure no user is listed as a result of the filter.\n\n4. Click on the filter table text bar, Type `Role: Service Account Token Creator`.\n\n5. Ensure no user is listed as a result of the filter.\n\n**From Google Cloud CLI**\n\nTo ensure IAM users are not assigned Service Account User role at the project level:\n\n```\ngcloud projects get-iam-policy PROJECT_ID --format json | jq '.bindings[].role' | grep \"roles/iam.serviceAccountUser\"\n\ngcloud projects get-iam-policy PROJECT_ID --format json | jq '.bindings[].role' | grep \"roles/iam.serviceAccountTokenCreator\"\n```\n\nThese commands should not return any output.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the IAM page in the GCP Console by visiting: [https://console.cloud.google.com/iam-admin/iam](https://console.cloud.google.com/iam-admin/iam).\n\n2. Click on the filter table text bar. Type `Role: Service Account User`\n\n3. Click the `Delete Bin` icon in front of the role `Service Account User` for every user listed as a result of a filter.\n\n4. Click on the filter table text bar. Type `Role: Service Account Token Creator`\n\n5. Click the `Delete Bin` icon in front of the role `Service Account Token Creator` for every user listed as a result of a filter.\n\n**From Google Cloud CLI**\n\n6. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`. \n\nFor example, you can use the iam.json file shown below as follows:\n\n {\n \"bindings\": [\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\"\n },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\"\n ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n\n7. Update the project's IAM policy:\n\n```\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.6",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.6",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_6"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
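Review bot: The sample `iam.json` in remediation step 6 on the `remediation` line has a trailing comma after the single entry of the first `members` array (`"serviceAccount:our-project-123@appspot.gserviceaccount.com",` immediately followed by `]`), which makes the example invalid JSON, so `gcloud projects set-iam-policy PROJECT_ID iam.json` in step 7 will reject it as written; drop the comma. The `jq '.bindings[].role' | grep` checks on the `audit` line match any project-level binding of the role regardless of member type, including service accounts and groups, whereas the rule name and rationale speak of IAM users; if the `cis_1_6` rego rule is narrower or broader than that, the audit text should say so. The example also hard-codes an `etag`; since `set-iam-policy` presumably uses it for read-modify-write checking, noting that it must come from a fresh `get-iam-policy` would spare readers a conflict error.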
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/bac65dd0-771b-5bfb-8e5f-3b1dc8962684.json b/packages/cloud_security_posture/kibana/csp_rule_template/bac65dd0-771b-5bfb-8e5f-3b1dc8962684.json
new file mode 100644
index 00000000000..55231991664
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/bac65dd0-771b-5bfb-8e5f-3b1dc8962684.json
@@ -0,0 +1,38 @@
+{
+ "id": "bac65dd0-771b-5bfb-8e5f-3b1dc8962684",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "The Cloud SQL database instance would not be available to public IP addresses.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/mysql/configure-ip\n2. https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n3. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n4. https://cloud.google.com/sql/docs/mysql/connection-org-policy",
+ "id": "bac65dd0-771b-5bfb-8e5f-3b1dc8962684",
+ "name": "Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses",
+ "profile_applicability": "* Level 1",
+ "description": "Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.",
+ "rationale": "To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.\n\nAn authorized network should not have IPs/networks configured to `0.0.0.0/0` which will allow access to the instance from anywhere in the world.\nNote that authorized networks apply only to instances with public IPs.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Ensure that no authorized network is configured to allow `0.0.0.0/0`.\n\n**From Google Cloud CLI**\n\n6. Get detailed configuration for every Cloud SQL database instance.\n\n```\ngcloud sql instances list --format=json\n```\n\nEnsure that the section `settings: ipConfiguration : authorizedNetworks` does not have any parameter `value` containing `0.0.0.0/0`.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n**From Google Cloud CLI**\n\nUpdate the authorized network list by dropping off any addresses.\n\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n\n**Prevention:**\n\nTo prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks](https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks).",
+ "section": "Cloud SQL Database Services",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.5",
+ "Cloud SQL Database Services"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.5",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_5"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
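Review bot: The CLI remediation in the `remediation` string drops the instance argument: `gcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...` needs the instance positional, i.e. `gcloud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2...`. The same omission appears in the `gcloud sql instances patch --database-flags` command of be1197db-90d0-58db-b780-f0a939264bd0.json and the `gcloud compute instances remove-metadata --keys=enable-oslogin` command of c2d65e60-221b-5748-a545-579a69ad4a93.json, which likewise need `INSTANCE_NAME` before the flags. This file and every other template in the chunk are committed without a trailing newline (`\ No newline at end of file`); a newline at EOF keeps future diffs of these files clean.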
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/be1197db-90d0-58db-b780-f0a939264bd0.json b/packages/cloud_security_posture/kibana/csp_rule_template/be1197db-90d0-58db-b780-f0a939264bd0.json
new file mode 100644
index 00000000000..699a62a3e25
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/be1197db-90d0-58db-b780-f0a939264bd0.json
@@ -0,0 +1,38 @@
+{
+ "id": "be1197db-90d0-58db-b780-f0a939264bd0",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT",
+ "id": "be1197db-90d0-58db-b780-f0a939264bd0",
+ "name": "Ensure That the \u2018Log_connections\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018On\u2019",
+ "profile_applicability": "* Level 1",
+ "description": "Enabling the `log_connections` setting causes each attempted connection to the server to be logged, along with successful completion of client authentication.\nThis parameter cannot be changed after the session starts.",
+ "rationale": "PostgreSQL does not log attempted connections by default.\nEnabling the `log_connections` setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.\nThis recommendation is applicable to PostgreSQL database instances.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page.\n3. Go to the `Configuration` card.\n4. Under `Database flags`, check the value of `log_connections` flag to determine if it is configured as expected.\n\n**From Google Cloud CLI**\n\n5. Ensure the below command returns `on` for every Cloud SQL PostgreSQL database instance:\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"log_connections\")|.value'\n```",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_connections` from the drop-down menu and set the value as `on`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_connections=on\n```\n```\nNote: \nThis command will overwrite all previously set database flags.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```",
+ "section": "PostgreSQL Database",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 6.2.2",
+ "PostgreSQL Database"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "6.2.2",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_6_2_2"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
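Review bot: The jq filter in the `audit` string is applied to `gcloud sql instances list --format=json`, whose output is a JSON array, so `.settings.databaseFlags[]` will not index it; the filter needs to iterate the array first, `jq '.[].settings.databaseFlags[] | select(.name=="log_connections")|.value'`. An instance with no database flags set produces no output from that filter rather than `on`, so the audit text should say that an empty result is non-compliant, not only that the command must return `on`. In remediation step 8, `PosgreSQL` is a typo for `PostgreSQL`.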
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/c13f49ab-845e-5a89-a05e-6a7c7b23f628.json b/packages/cloud_security_posture/kibana/csp_rule_template/c13f49ab-845e-5a89-a05e-6a7c7b23f628.json
new file mode 100644
index 00000000000..a1deb2c419c
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/c13f49ab-845e-5a89-a05e-6a7c7b23f628.json
@@ -0,0 +1,38 @@
+{
+ "id": "c13f49ab-845e-5a89-a05e-6a7c7b23f628",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Removing `*Admin` or `*admin` or `Editor` or `Owner` role assignments from service accounts may break functionality that uses impacted service accounts. Required role(s) should be assigned to impacted service accounts in order to restore broken functionalities.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n2. https://cloud.google.com/iam/docs/understanding-roles\n3. https://cloud.google.com/iam/docs/understanding-service-accounts",
+ "id": "c13f49ab-845e-5a89-a05e-6a7c7b23f628",
+ "name": "Ensure That Service Account Has No Admin Privileges",
+ "profile_applicability": "* Level 1",
+ "description": "A service account is a special Google account that belongs to an application or a VM, instead of to an individual end-user.\nThe application uses the service account to call the service's Google API so that users aren't directly involved.\nIt's recommended not to use admin access for ServiceAccount.",
+ "rationale": "Service accounts represent service-level security of the Resources (application or a VM) which can be determined by the roles assigned to it.\nEnrolling ServiceAccount with Admin rights gives full access to an assigned application or a VM.\nA ServiceAccount Access holder can perform critical actions like delete, update change settings, etc.\nwithout user intervention.\nFor this reason, it's recommended that service accounts not have Admin rights.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to `IAM & admin/IAM` using `https://console.cloud.google.com/iam-admin/iam`\n2. Go to the `Members`\n3. Ensure that there are no `User-Managed user created service account(s)` with roles containing `*Admin` or `*admin` or role matching `Editor` or role matching `Owner`\n\n**From Google Cloud CLI**\n\n4. Get the policy that you want to modify, and write it to a JSON file:\n\n```\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n5. The contents of the JSON file will look similar to the following. Note that `role` of members group associated with each `serviceaccount` does not contain `*Admin` or `*admin` or does not match `roles/editor` or does not match `roles/owner`.\n\nThis recommendation is only applicable to `User-Managed user-created` service accounts.\nThese accounts have the nomenclature: `SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com`.\nNote that some Google-managed, Google-created service accounts have the same naming format, and should be excluded (e.g., `appsdev-apps-dev-script-auth@system.gserviceaccount.com` which needs the Owner role).\n\n**Sample Json output:**\n\n {\n \"bindings\": [\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appAdmin\"\n },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\"\n ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\",\n \"version\": 1\n }",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to `IAM & admin/IAM` using `https://console.cloud.google.com/iam-admin/iam`\n2. Go to the `Members`\n3. Identify `User-Managed user created` service account with roles containing `*Admin` or `*admin` or role matching `Editor` or role matching `Owner`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n**From Google Cloud CLI**\n\n```\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n5. Using a text editor, Remove `Role` which contains `roles/*Admin` or `roles/*admin` or matched `roles/editor` or matches 'roles/owner`. Add a role to the bindings array that defines the group members and the role for those members. \n\nFor example, to grant the role roles/appengine.appViewer to the `ServiceAccount` which is roles/editor, you would change the example shown below as follows:\n\n {\n \"bindings\": [\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\"\n },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\"\n ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n6. Update the project's IAM policy:\n\n```\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```",
+ "section": "Identity and Access Management",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 1.5",
+ "Identity and Access Management"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "1.5",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_1_5"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
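Review bot: Both sample policies embedded in `audit` and `remediation` carry a trailing comma after the single `members` entry (`"serviceAccount:our-project-123@appspot.gserviceaccount.com",` immediately followed by `]`), which is not valid JSON under RFC 8259 and may be rejected if a reader feeds the snippet to `gcloud projects set-iam-policy` verbatim; dropping the comma makes the samples round-trip. In remediation step 5 the last role is quoted as `'roles/owner\`` (single quote plus backtick) while its neighbours use paired backticks; `\`roles/owner\`` fixes the rendering. The sample in the cis_1_6 template at the top of this chunk (file cut at the chunk boundary) has the same trailing comma.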
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/c2d65e60-221b-5748-a545-579a69ad4a93.json b/packages/cloud_security_posture/kibana/csp_rule_template/c2d65e60-221b-5748-a545-579a69ad4a93.json
new file mode 100644
index 00000000000..cef624726b5
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/c2d65e60-221b-5748-a545-579a69ad4a93.json
@@ -0,0 +1,38 @@
+{
+ "id": "c2d65e60-221b-5748-a545-579a69ad4a93",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling OS Login on project disables metadata-based SSH key configurations on all instances from a project. Disabling OS Login restores SSH keys that you have configured in project or instance meta-data.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/compute/docs/instances/managing-instance-access\n2. https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n3. https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n4. https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication",
+ "id": "c2d65e60-221b-5748-a545-579a69ad4a93",
+ "name": "Ensure Oslogin Is Enabled for a Project",
+ "profile_applicability": "* Level 1",
+ "description": "Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.",
+ "rationale": "Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users.\nRevoking access to IAM user will revoke all the SSH keys associated with that particular user.\nIt facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to the VM compute metadata page by visiting [https://console.cloud.google.com/compute/metadata](https://console.cloud.google.com/compute/metadata).\n\n2. Ensure that key `enable-oslogin` is present with value set to `TRUE`. \n\n3. Because instances can override project settings, ensure that no instance has custom metadata with key `enable-oslogin` and value `FALSE`.\n\n**From Google Cloud CLI**\n\n4. List the instances in your project and get details on each instance:\n```\ngcloud compute instances list --format=json\n```\n5. Verify that the section `commonInstanceMetadata` has a key `enable-oslogin` set to value `TRUE`.\n**Exception:**\nVMs created by GKE should be excluded.\nThese VMs have names that start with `gke-` and are labeled `goog-gke-node`",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to the VM compute metadata page by visiting: [https://console.cloud.google.com/compute/metadata](https://console.cloud.google.com/compute/metadata).\n\n2. Click `Edit`.\n\n3. Add a metadata entry where the key is `enable-oslogin` and the value is `TRUE`.\n\n4. Click `Save` to apply the changes.\n\n5. For every instance that overrides the project setting, go to the `VM Instances` page at [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n6. Click the name of the instance on which you want to remove the metadata value.\n7. At the top of the instance details page, click `Edit` to edit the instance settings.\n8. Under `Custom metadata`, remove any entry with key `enable-oslogin` and the value is `FALSE`\n9. At the bottom of the instance details page, click `Save` to apply your changes to the instance.\n\n**From Google Cloud CLI**\n\n10. Configure oslogin on the project:\n```\ngcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n```\n11. Remove instance metadata that overrides the project setting.\n```\ngcloud compute instances remove-metadata --keys=enable-oslogin\n```\n\nOptionally, you can enable two factor authentication for OS login.\nFor more information, see: [https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication](https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication).",
+ "section": "Virtual Machines",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 4.4",
+ "Virtual Machines"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "4.4",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_4"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/d3d725bd-652f-573e-97f5-adfd002fab8e.json b/packages/cloud_security_posture/kibana/csp_rule_template/d3d725bd-652f-573e-97f5-adfd002fab8e.json
new file mode 100644
index 00000000000..6b09b972b38
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/d3d725bd-652f-573e-97f5-adfd002fab8e.json
@@ -0,0 +1,38 @@
+{
+ "id": "d3d725bd-652f-573e-97f5-adfd002fab8e",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "The dataset is not publicly accessible. Explicit modification of IAM privileges would be necessary to make them publicly accessible.",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/bigquery/docs/dataset-access-controls",
+ "id": "d3d725bd-652f-573e-97f5-adfd002fab8e",
+ "name": "Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible",
+ "profile_applicability": "* Level 1",
+ "description": "It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.",
+ "rationale": "Granting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the dataset.\nSuch access might not be desirable if sensitive data is being stored in the dataset.\nTherefore, ensure that anonymous and/or public access to a dataset is not allowed.",
+ "audit": "**From Google Cloud Console**\n\n1. Go to `BigQuery` by visiting: [https://console.cloud.google.com/bigquery](https://console.cloud.google.com/bigquery).\n2. Select a dataset from `Resources`.\n3. Click `SHARING` near the right side of the window and select `Permissions`.\n4. Validate that none of the attached roles contain `allUsers` or `allAuthenticatedUsers`.\n\n**From Google Cloud CLI**\n\nList the name of all datasets.\n```\nbq ls\n```\nRetrieve each dataset details using the following command:\n```\nbq show PROJECT_ID:DATASET_NAME\n```\nEnsure that `allUsers` and `allAuthenticatedUsers` have not been granted access to the dataset.",
+ "remediation": "**From Google Cloud Console**\n\n1. Go to `BigQuery` by visiting: [https://console.cloud.google.com/bigquery](https://console.cloud.google.com/bigquery).\n2. Select the dataset from 'Resources'.\n3. Click `SHARING` near the right side of the window and select `Permissions`.\n4. Review each attached role.\n5. Click the delete icon for each member `allUsers` or `allAuthenticatedUsers`. On the popup click `Remove`.\n\n**From Google Cloud CLI**\n\nList the name of all datasets.\n```\nbq ls\n```\nRetrieve the data set details: \n```\nbq show --format=prettyjson PROJECT_ID:DATASET_NAME > PATH_TO_FILE\n```\nIn the access section of the JSON file, update the dataset information to remove all roles containing `allUsers` or `allAuthenticatedUsers`.\n\nUpdate the dataset:\n```\nbq update --source PATH_TO_FILE PROJECT_ID:DATASET_NAME\n```\n\n**Prevention:**\n\nYou can prevent Bigquery dataset from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains .",
+ "section": "BigQuery",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "GCP",
+ "CIS 7.1",
+ "BigQuery"
+ ],
+ "benchmark": {
+ "name": "CIS Google Cloud Platform Foundation",
+ "version": "v2.0.0",
+ "id": "cis_gcp",
+ "rule_number": "7.1",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_7_1"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
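Review bot: In the `remediation` string, step 2 quotes the UI label as `'Resources'` with single quotes while the `audit` string and every other UI label in this file use backticks; `\`Resources\`` keeps the rendering consistent. The prevention link at the end is a bare URL followed by ` .` (space before the period), whereas the console links elsewhere in the file are markdown links; wrapping it as `[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains](https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains).` matches the rest.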
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/d63a2fd8-7ba2-5589-9899-23f99fd8c846.json b/packages/cloud_security_posture/kibana/csp_rule_template/d63a2fd8-7ba2-5589-9899-23f99fd8c846.json
new file mode 100644
index 00000000000..5acfeeacc85
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/d63a2fd8-7ba2-5589-9899-23f99fd8c846.json
@@ -0,0 +1,38 @@
+{
+ "id": "d63a2fd8-7ba2-5589-9899-23f99fd8c846",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://cloud.google.com/compute/docs/instances/interacting-with-serial-console",
+ "id": "d63a2fd8-7ba2-5589-9899-23f99fd8c846",
+ "name": "Ensure \u2018Enable Connecting to Serial Ports\u2019 Is Not Enabled for VM Instance",
+ "profile_applicability": "* Level 1",
+ "description": "Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.\n\nIf you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.\nTherefore interactive serial console support should be disabled.",
+ "rationale": "A virtual machine instance has four virtual serial ports.\nInteracting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.\nThe instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.\nTypically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.\n\nThe interactive serial console does not support IP-based access restrictions such as IP whitelists.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.\nThis allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.\n\nTherefore interactive serial console support should be disabled.",
+ "audit": "**From Google Cloud CLI**\n\n1. Login to Google Cloud console\n2. Go to Computer Engine\n3. Go to VM instances\n4. Click on the Specific VM\n5. Ensure `Enable connecting to serial ports` below `Remote access` block is unselected.\n\n**From Google Cloud Console**\n\nEnsure the below command's output shows `null`:\n\n```\ngcloud compute instances describe --zone=